QUANTIFYING THE VALUE OF SECURITY

1
QUANTIFYING THE VALUE OF SECURITY
  • PRESENTED BY
  • UMOUYO, HENRY A
  • IN PARTIAL FULFILLMENT OF CS-654 REQUIREMENTS

2
INTRODUCTION
  • Security can be defined simply as freedom from
    risk or danger. Therefore, to quantify the security
    of any organization, it is desirable that the risk
    of the organization be quantified first.
  • Mathematically, risk can be expressed as
  • Risk = Threat x Vulnerability x Expected
    Loss.
  • This is a good expression, but how do we quantify
    threat, vulnerability and expected loss with
    meaningful numbers?
  • Since we cannot measure the parameters in the
    above equation directly, it is therefore
    pertinent to define a few concepts that will
    enable us to measure them.

3
ASSET VALUE
  • Values are placed on all assets (hardware,
    software and data) that are reflected in IT
    spending.
  • The minimum asset value of all computing assets
    is the amount of IT spending for a year
    (salaries, operations and maintenance) plus the
    depreciation or amortization value of the assets
    (hardware and software).

4
CLASSIFICATIONS OF INFORMATION ASSET VALUE
  • PRODUCTIVE VALUE
  • An asset's worth is the cost of
    implementing, maintaining and using it. For a
    single PC, information asset value is the cost of
    the PC plus software, a percentage of IT overhead
    costs (e.g., help desk) and the user's time
    (salary).
  • REVENUE VALUE
  • For some assets, worth is measured in the
    value of transactions. If your e-commerce Web
    server processes 1 million in transactions a
    day, it's worth 365 million annually.
  • LIQUID FINANCIAL ASSETS
  • Those assets under management figures
    associated with financial institutions provide a
    straightforward way to assess their value. If 1
    billion is under management, that amount, plus
    the productivity value, provides the total value
    that's being protected.
  • INTELLECTUAL PROPERTY VALUE
  • This is the most difficult asset to value.
    It is seen as "the reason" a company is in
    business. It might be easier to consider
    intellectual property's contribution to a company
    in terms of market capitalization. This value can
    be calculated by multiplying the amount of
    intellectual property captured on systems by
    the difference between market capitalization and
    book value.
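
The risk expression from the introduction combined with the asset-value classes above, as an added Python example that is not part of the original presentation. All figures are constructed; treating threat and vulnerability as probabilities in [0, 1] and expected loss as a fraction of asset value are assumptions the slides do not state.

```python
# Added example. Every figure is constructed; none comes from the slides.

def productive_value(hardware, software, it_overhead, overhead_share, user_salary):
    """Cost of implementing, maintaining and using an asset (e.g. one PC)."""
    return hardware + software + it_overhead * overhead_share + user_salary

def revenue_value(daily_transactions, days=365):
    """Annual value of the transactions the asset processes."""
    return daily_transactions * days

def liquid_value(under_management, productivity):
    """Assets under management plus the productivity value."""
    return under_management + productivity

def ip_value(share_on_systems, market_cap, book_value):
    """IP captured on systems times (market capitalization - book value)."""
    if not 0.0 <= share_on_systems <= 1.0:
        raise ValueError("share_on_systems must be a fraction in [0, 1]")
    return share_on_systems * (market_cap - book_value)

def risk(threat, vulnerability, expected_loss):
    """Risk = Threat x Vulnerability x Expected Loss.
    Assumption: threat and vulnerability are probabilities in [0, 1]."""
    for name, p in (("threat", threat), ("vulnerability", vulnerability)):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name} must be a probability in [0, 1]")
    return threat * vulnerability * expected_loss

def risk_register(assets):
    """(name, risk) pairs, highest first. Assumption: expected loss is
    modelled as asset value times a per-asset loss fraction."""
    rows = [(a["name"], risk(a["threat"], a["vulnerability"],
                             a["value"] * a["loss_fraction"])) for a in assets]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed asset register covering three of the four valuation classes.
ASSETS = [
    {"name": "office PC", "threat": 0.5, "vulnerability": 0.5, "loss_fraction": 0.5,
     "value": productive_value(1_000, 500, 20_000, 0.01, 50_000)},
    {"name": "e-commerce web server", "threat": 0.5, "vulnerability": 0.25,
     "loss_fraction": 0.02, "value": revenue_value(1_000_000)},
    {"name": "design repository", "threat": 0.25, "vulnerability": 0.5,
     "loss_fraction": 0.1, "value": ip_value(0.25, 500_000_000, 100_000_000)},
]

if __name__ == "__main__":
    for name, value in risk_register(ASSETS):
        print(f"{name:24s} risk = {value:>14,.2f}")
```
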

5
POTENTIAL LOSS
  • Potential loss is linked to a breach in
    confidentiality, integrity, availability,
    productivity (when a resource is disabled, e.g. an
    email server disabled by spam) and liability
    (resources being misused, e.g. a hacker storing
    stolen files on the server).
  • SECURITY SPENDING
  • Activity-based management can be used to measure
    security spending by classifying security
    activity under the four disciplines of Security
    Management, namely:
  • Trust management: Policy enforcement, security
    architecture, etc.
  • Identity management: User account management,
    password resets, etc.
  • Vulnerability management: Configuration
    hardening, vulnerability remediation, etc.
  • Threat management: Monitoring, threat analysis,
    incident response, etc.

6
CONCLUSION
  • Having known all these, we can therefore estimate
    the value of threat, vulnerability and expected
    loss. The product of the three gives the value of
    risk.
  • If the risks are checked properly, then the money
    spent in the process is therefore a measure of the
    value of security.
  • REFERENCE
  • Pete Lindstrom, Feb. 18th, 2005
  • http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1060349,00.html