Risk Management: Threats: How should information-related threats be assessed?
Options:
Option 1: Ignore threat assessment and make guesses.
Option 2: Use the Web and other sources to search out information about real security incidents against companies like yours.
Option 3: Get a vendor to do a comparative study of similar companies.
Option 4: Get a high quality highly directed threat assessment done by an investigative professional.
Option 5: Get a high quality general threat assessment done by threat assessment professionals.
Decision:
IF a specific threat is known to exist and more details of that threat are important to know in order to take prudent safety precautions, THEN get a high quality highly directed threat assessment done by an investigative professional.
OTHERWISE use the table below based on enterprise size and consequences of protection failure:
Ignore threat assessment and make guesses.
Many companies ignore threat assessment. The guesses they make result in ineffective or excessive protection. But if threat assessment costs a lot, its cost may exceed the increased consequences of under-protection and the increased costs of overprotection combined. Threat assessment is typically only cost effective for companies with substantial security budgets or loss potentials.
Use the Web and other sources to search out information about real security incidents against companies like yours.
This is another popular option that has substantial benefits for properly skilled and trained searchers. However, most people aren't skilled at searching the Internet for threat information and evaluating what they read, and most incidents are never published or reported to authorities. According to experts, less than 5 percent of all successful attacks that are detected are ever reported to the authorities. So searching the Internet for incidents is likely to turn up roughly a factor of 20 too few incidents to support a sound judgment. Knowing this and multiplying the count found by a factor of 20 may help get a better handle on the real situation.
Get a vendor to do a comparative study of similar companies.
This is a sound decision for companies that have systems administration and security costs in excess of $100,000 per year or total information technology costs in excess of $1M per year. A vendor comparative study of similar companies typically costs under $10,000, but in many cases, a limited threat assessment is included in a rapid assessment or an information protection posture assessment, which are prudent for companies with these budget sizes.
Get a high quality highly directed threat assessment done by an investigative professional.
This option should always be taken when a known threat has been detected causing substantial internal consequences, or when the threat presents substantial potential for causing physical harm to individuals. For example, if an employee is threatened, an insider is suspected of computer abuse, or an extortion attempt is made against a company, a specific threat assessment is mandatory. The cost will be on the order of $2500 for a competent professional. The ultimate consulting costs from incidents such as these can be quite high, often in the range of $20,000 and sometimes reaching in excess of $100,000.
Get a high quality general threat assessment done by threat assessment professionals.
This is typical for companies with security costs in excess of $1M per year, when total information technology budgets are in excess of $10M per year, in cases when national security is involved, or in cases when international locations are involved in high-risk areas of the world. For cases involving national security, government assistance is often provided in the form of threat briefings, but these tend to be a poor substitute for a professional threat assessment. Cost can range from $10,000 per year for access to global threat information from global threat analysis firms, to $25,000 for a directed threat assessment investigating threats to your company, to millions of dollars per year for government-funded investigations of specific threat groups as part of national intelligence.
Threats are actors (people, groups, or nature) that can act to cause harm. Threats, vulnerabilities, and consequences combine to form risk. Risk can be accepted (which is what you do when you ignore it), transferred, avoided, or reduced. Without a clear understanding of the threat situation, making prudent decisions to accept, avoid, transfer, or reduce risk is pure guesswork. Companies that ignore threat assessment usually have too little or too much protection, in the wrong places. Too little protection invites attacks. Too much brings excess costs.