

Risk Management's New Bell Curve

New report from McAfee points to need for insurance-like business model for IT security

IT security managers have two basic problems: getting their managers to understand the need for security resources; and figuring out how to prioritize and spend the resources they already have.

Both problems could potentially be solved if security people spent a little less time thinking like IT experts and a little more time thinking like insurance experts, according to a new report from the London School of Economics and McAfee.

The report, entitled "International Perspectives on Information Security Practices," was published late last week. (See McAfee Reports Fewer Experts.) Summaries of the document initially focused on its conclusions about the shortage of IT security experts, but an interview with McAfee CSO Martin Carmichael put the results in a different light.

The study, which summarizes the opinions of security executives in the financial services industry, shows many are frustrated with their inability to build a business case for security, and with the complex task of prioritizing multiple security goals and projects.

"What's fascinating is that they all have the same reason for being frustrated," Carmichael says. "It's that they are working too much with subjective data, and not enough with objective data."

Carmichael likens today's business environment to the construction industry of the 1800s. "In those days, people often didn't calculate the risks of putting in safety features into the construction because they saw the likelihood of a disaster as remote, and the cost of the safety features as too high."

But insurance companies changed that cost/benefit perception by creating actuarial data that cross-references the likelihood of an event, its potential costs to the owner, and the effectiveness of specific safety features in preventing the event from occurring. They then gave the incentive to construction firms and other businesses to implement the most effective safety features by offering implementers a discount on insurance premiums.

"Essentially, the construction and insurance industries created a bell curve that shows the risk you encounter if you follow certain practices," Carmichael says. "If you're inside the bell curve, you have an acceptable level of risk. If you're outside it, then you know you need to consider making some changes."

Enterprises, and even industries, need to begin building a base of objective knowledge about the frequency of security events, the costs associated with those events, and the effectiveness of tools in preventing those events from occurring, Carmichael suggests. "Right now, tools can objectively tell you how many times your firewall has been hit, but that's not all that useful in evaluating risk."

"Most risk assessment today is done by highly-skilled individuals who work with a great deal of subjective data -- and whose knowledge is often lost when they leave the company," Carmichael observes. But if enterprises and industries began collecting and storing more objective data -- analogous to insurers' actuarial tables -- then they would be able to make more educated security decisions, he says.

"Imagine if security worked like insurance. You could tell your manager, 'We can spend $4,000 on this, and reduce risk by 14 percent, or we can spend $2,000 on that, and reduce risk by 7 percent,'" Carmichael says. Such a knowledge base would also help security managers prioritize the projects and technologies they want to deploy, because it would offer some data on the potential impact of specific technologies on the frequency of security events, he notes.
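A worked version of the spend-versus-risk comparison Carmichael describes, as an added example that is not from the report or from McAfee: it combines the three kinds of objective data he names (event frequency, cost per event, control effectiveness) into an expected annual loss, then ranks candidate controls by loss avoided per dollar. All threat and control figures are constructed; a real program would draw them from collected incident data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    annual_frequency: float   # expected events per year (actuarial-style estimate)
    cost_per_event: float     # dollars lost per event

@dataclass(frozen=True)
class Control:
    name: str
    cost: float               # one-time spend in dollars
    mitigates: str            # name of the threat it addresses
    effectiveness: float      # fraction of that threat's events it prevents (0..1)

# Constructed sample data: two threats and three candidate controls.
THREATS = [Threat("phishing", 10.0, 5000.0), Threat("malware", 5.0, 10000.0)]
CONTROLS = [
    Control("Awareness training", 4000.0, "phishing", 0.28),
    Control("Endpoint hardening", 2000.0, "malware", 0.20),
    Control("EDR platform", 10000.0, "malware", 0.50),
]

def expected_annual_loss(threats):
    """Baseline loss expectancy: sum of frequency x cost over all threats."""
    return sum(t.annual_frequency * t.cost_per_event for t in threats)

def rank_controls(threats, controls):
    """Rank controls by expected loss avoided per dollar spent (highest first)."""
    baseline = expected_annual_loss(threats)
    by_name = {t.name: t for t in threats}
    rows = []
    for c in controls:
        t = by_name[c.mitigates]
        avoided = t.annual_frequency * t.cost_per_event * c.effectiveness
        rows.append({
            "control": c.name,
            "cost": c.cost,
            "loss_avoided": avoided,
            "risk_reduction_pct": 100.0 * avoided / baseline,  # the "reduce risk by N%" figure
            "avoided_per_dollar": avoided / c.cost,
        })
    return sorted(rows, key=lambda r: r["avoided_per_dollar"], reverse=True)

def select_within_budget(ranked, budget):
    """Greedy plan: take controls in rank order while they fit the budget."""
    chosen, spent = [], 0.0
    for r in ranked:
        if spent + r["cost"] <= budget:
            chosen.append(r["control"])
            spent += r["cost"]
    return chosen, spent
```

With the constructed numbers the baseline loss is $100,000, so "Awareness training" is the $4,000-for-14-percent option from the quote, but "Endpoint hardening" ranks first because it avoids more loss per dollar.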

But could the security industry develop such a knowledge base, as the insurance industry did? It's possible, because compliance requirements are causing security managers in many different industries to come together on the guidelines for risk, Carmichael says.

"Think how much it would help compliance auditors if the enterprise could produce a bell curve that shows acceptable levels of risk, and how their systems fit under that curve," Carmichael says. "It would speed up the compliance process a great deal."

McAfee is working to develop products that would help enterprises collect this objective data and eventually build the knowledge base, says Carmichael, though he could not be more specific.

"We see the corollary between insurance and security as being an important one going forward," Carmichael says, "and the [London School of Economics] report confirms that something like this is what a lot of security managers need. It's all about managing risk."

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...