
Mastering the Threat Matrix

Is your organization smartly managing its information security risks? In other words, is it applying risk intelligence to ensure the threats it now faces are managed in a disciplined way?

"IT groups face a barrage of demands from CEOs, CFOs, auditors, and boards to ward off new information-security risks such as subtler viruses, evolutionary hacking algorithms, and strategies that exploit wireless connectivity," writes David Apgar, author of the new book Risk Intelligence: Learning to Manage What We Don't Know. "With resources already stretched thin, IT security executives will have to do ruthless triage. They must discern which security risks pose the most substantial threats, which are small enough to postpone taking immediate action, and—perhaps most important—which are threats for which IT lacks sufficient risk-evaluation abilities."

He urges us to take a disciplined approach to risk -- one that helps us evaluate all the discernible information security risks that we now face. Current approaches to risk assessment revolve around measuring the loss associated with worst-case scenarios and the costs associated with mitigating them.

The problem with this approach is that risks which are severe when aggregated at the enterprise level may look quite different from those that show up at the business unit level. We are also biased -- or predisposed -- to focus on certain kinds of risks, and those risks may or may not be the ones that represent a prioritized threat to our organizations.

What are the biggest information security risks to organizations now? According to the Computer Security Institute, the ones that represent the greatest loss are:

=> Virus attacks.
=> Unauthorized access.
=> Stolen laptops or mobile hardware.
=> Intellectual property theft.

Phishing scams, in which an attacker forges an email message in order to collect consumer data and passwords, are also costly to companies from a brand standpoint. Deloitte Consulting reports that the number of brands hijacked through such scams was up 18% in June over May. In July, 157 online brands were attacked by such campaigns, according to its report.

Given the circumstances and the stakes, information security professionals are challenged to introduce disciplined ways of identifying and managing such threats.

Apgar urges such security leaders to "ask which risks your organization is skilled at determining. Then, separate high-risk intelligence projects from those for which the organization has low risk intelligence before deciding which to pursue first."

While Apgar's method is discussed in greater detail here, the critical point is that enterprises need methods not only to identify and measure their immediate risks but also to evaluate the emerging threats they don't yet understand. Risk intelligence helps us prioritize the threats that can truly hurt us.
