Security Basics mailing list archives
Re: Getting the value of an asset and the probability of a risk to it
From: Jon Kibler <Jon.Kibler () aset com>
Date: Fri, 16 May 2008 22:00:40 -0400
Sergio Castro wrote:
> Hi Philippe,
>
> The only true way of doing a quantitative risk assessment on an asset is using statistics.
<SNIP!>

In theory, yes. In reality, it just doesn't work that way.

For example: Historically, the chances of a Windows box on a secure network getting rooted were less than 1 in 100,000. But if you use that as a basis for computing future risk, I would argue that the historical data has absolutely zero to do with reality today or in the future. I would suspect that within the next 12 to 24 months, the chances of a Windows box on a secure network getting rooted are about 1 in 1,000. So, if you use statistics based on historical data, your risk assessment is off by two orders of magnitude! (These numbers are for illustrative purposes only! I just created these numbers by AE, but they are probably within an order of magnitude of being correct.) So, when projecting risk for the next 5 years, from where do you get the data to form your statistical basis for risk?

Another example: A couple of years ago I heard Gadi Evron talk about hardware rootkits (in BIOS, Video NRAM, NICs, Routers, etc.). Most people laughed at the idea. And now, what is the big anticipated talk at EusecWest? IOS Rootkits. Again, how do you base risk on historical data, or do any type of risk modeling when historical data is not applicable today and no one has a reasonable guess for the future?

To use statistics, it has to be based on data. When historical data is not representative of current / future risk, it is not a valid basis for forming statistical projections -- of risk, or anything else for that matter.

As I said previously, it is essentially impossible in today's I.T. security environment to do quantitative risk assessment that stands any chance of passing the laugh test. Except perhaps for risks associated with Mother Nature. And with climate change, who knows how accurate those data will be?

Jon Kibler

--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253