You CAN Stop Stupid. Ira Winkler
Читать онлайн книгу.
at stake. Threats are entities that will do you harm if given the opportunity. Vulnerability is a weakness that can result in harm if exploited. Countermeasures are efforts to mitigate a potential loss.
With specific regard to UIL, we want to differentiate between a threat and a vulnerability. For the purposes of dealing with UIL, you need to understand that a user is actually also a threat. As a threat, users cannot actually initiate loss unless there are vulnerabilities that allow them to do so. And even then, the threat can't successfully exploit those vulnerabilities unless there are insufficient countermeasures to prevent them from doing so.
In other words, yes, a user may have a moment of carelessness or malicious intent. However, the resulting action cannot result in loss unless there is both an environment that allows that user's action to initiate loss and insufficient countermeasures to mitigate that loss. When you understand and embrace the concept of risk from this perspective, you can begin to see UIL is clearly an addressable problem.
In the sections that follow, we will examine each of the elements of the risk equation, beginning with value.
NOTE The risk equation discussed in this chapter is a high-level representation to help deal with risk on a conceptual level. It isn't a mathematical formula intended to be directly used with quantifiable figures. Although some disciplines, such as actuarial science, attempt to quantify risk for business purposes, that isn't our focus. We do, however, discuss practical metrics throughout the book, particularly in Chapter 10.
Value
Value is perhaps the most important element of risk. It is essentially what you have to lose. More important, it is both separately identifiable elements and their totality that you have to lose. Too many organizations and decision-makers misperceive the value that is at risk. Either they have a myopic view as to what value is exposed to loss or they underestimate the potential for overall value to be lost.
Consider, for example, the infamous Sony hack, where North Korea attacked Sony in retaliation for the movie The Interview, which depicted the killing of North Korea's leader, Kim Jung Un. Prior to the attack, the Sony CIO was quoted as saying that he wasn't going to spend $10,000,000 to prevent a $1,000,000 loss. While the logic was sound, the underlying assumption of potential loss was incredibly wrong. Sony didn't lose $1,000,000 in the incident. The combined loss from the interrupted release of the movie, the incident response, the compromise of PII of Sony employees, and the embarrassment resulting from leaked emails, operational interruption, and so on, cost Sony in excess of $150,000,000.
Unfortunately, there are numerous losses of this scope. While your organization will ideally not suffer such a loss, even small losses can become significant, as we discussed earlier in the “Death by 1,000 Cuts” section. At the least, you want to have a realistic consideration of the value that you are protecting.
There are many types of value. Monetary, opportunity, and reputation are some of the most significant forms. It is also important to consider the value that your organization has to potential attackers, which clearly impacts the level of effort that they will go through to target you. The following sections will explore these types of value.
Monetary Value
Monetary value is the clear financial amount that your organization possesses or can lose. To a large extent, this is pretty straightforward. Organizations typically have financial metrics for predicted income, estimated costs for outages, estimates for injuries, estimates for supply chain interruptions, and so on.
Airlines are an easy-to-recognize example of what happens when there are computer outages that interrupt operations. In 2017, a power outage at the Hartsfield-Jackson International Airport in Atlanta caused the cancellation of 1,173 flights. This caused disruption to the lives and business of hundreds of thousands, if not millions, of people given the cancelled flights and the other people impacted. While a good portion of the loss was intangible, Delta Airlines estimated a hard loss of up to $50,000,000.
All organizations with reasonable financial practices have clear estimates of the financial costs of incidents. If you are responsible for mitigating UIL, it would benefit you to talk to your risk or accounting departments to see whether they have any metrics regarding the value of operations, interruptions, and so on. When it comes to technology, computer incidents, unfortunately, have not been generally well defined regarding the resulting loss. However, you can, gather costs from third parties that track such information and extrapolate it for your own purposes. The good news is that there have been significant incidents documented in the technology field to provide you with a good start.
You should try to use any metrics available to you in calculating the financial impact of UIL. You can use this data in justifying the efforts and resources you require to mitigate UIL. The resources include cash and people to prevent the initiation of loss, as well as to mitigate the loss, should it be initiated. You also need to justify the organizational impact you may create in changing processes and otherwise impacting the organization. While the other categories of loss discussed can assist in making your case, demonstrating the potential loss in monetary value is the easiest way to justify the resources you require.
Opportunity Value
Opportunity value is the potential benefit lost or gained as a result of a harmful action. Opportunity value can include the growth or loss of your customer base, business opportunities, profits, and so on. It can also include strategic positioning of your organization and its business-to-business relationships, the timing of taking a company public, and the strength of your corporate culture.
Unless there are already detailed plans with financial projections, it is sometimes hard to assign a specific monetary value to an opportunity value loss. For example, when contracts are lost internally unless they were large contracts that were calculated into financial projections, it is unlikely that those losses are tracked. If those losses could be quantified financially, they would likely be considered a loss of monetary value as well as opportunity value. There generally is a monetary value that relates to opportunity value, and it can't always be tracked.
We have worked incidents where former employees stole proposals and other corporate information to use for the benefit of their new employers. In some cases, a contract was lost. It is hard to attribute the lost contract to the specific theft, as these situations can be complex and many factors apply. Besides the lost profit from not having the contract, it reduces the likelihood of future work with the client. It might also reduce the money available for future marketing efforts, which can impact future income from other sources.
Some opportunity values can be identified and even quantified, particularly if they align with your organization's goals. For example, if your organization wants to raise its profile in the public's general awareness, being positively reported on in major media has opportunity value. Tracking the number of hits on social media can reveal some level of engagement with people as well.
Opportunity value comes in many forms, and it is usually difficult to calculate. However, it is something to consider in the justification of your efforts. And in the situations when you actually can attach metrics to the opportunity value, you can turn it into something more recognizably quantifiable. Any outage or disruption reveals opportunities for improvement in operations.
Reputation Value
For many organizations, reputation value is critical. For example, Uber relies on passengers' trust that they will get to their destinations safely. Whenever a negative incident with a ride is reported, it impacts the organization's image, customer satisfaction, and future profits. Clearly, claims of sexual assaults committed by Uber drivers is a major concern that can impact the willingness of people to use Uber in the future. Uber has been in the unenviable position of being sued by passengers who got into