Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Risk Management's New Bell Curve

New report from McAfee points to need for insurance-like business model for IT security

IT security managers have two basic problems: getting their managers to understand the need for security resources; and figuring out how to prioritize and spend the resources they already have.

Both problems could potentially be solved if security people spent a little less time thinking like IT experts and a little more time thinking like insurance experts, according to new report from the London School of Economics and McAfee.

The report, entitled "International Perspectives on Information Security Practices," was published late last week. (See McAfee Reports Fewer Experts.) Summaries of the document initially focused on its conclusions about the shortage of IT security experts, but an interview with McAfee CSO Martin Carmichael put the results in a different light.

The study, which summarizes the opinions of security executives in the financial services industry, shows many are frustrated with their inability to build a business case for security, and with the complex task of prioritizing multiple security goals and projects.

"What's fascinating is that they all have the same reason for being frustrated," Carmichael says. "It's that they are working too much with subjective data, and not enough with objective data."

Carmichael likens today's business environment to the construction industry of the 1800s. "In those days, people often didn't calculate the risks of putting in safety features into the construction because they saw the likelihood of a disaster as remote, and the cost of the safety features as too high."

But insurance companies changed that cost/benefit perception by creating actuarial data that cross-references the likelihood of an event, its potential costs to the owner, and the effectiveness of specific safety features in preventing the event from occurring. They then gave the incentive to construction firms and other businesses to implement the most effective safety features by offering implementers a discount on insurance premiums.

"Essentially, the construction and insurance industries created a bell curve that shows the risk you encounter if you follow certain practices," Carmichael says. If you're inside the bell curve, you have an acceptable level of risk. If you're outside it, then you know you need to consider making some changes."

Enterprises, and even industries, need to begin building a base of objective knowledge about the frequency of security events, the costs associated with those events, and the effectiveness of tools in preventing those events from occurring, Carmichael suggests. "Right now, tools can objectively tell you how many times your firewall has been hit, but that's not all that useful in evaluating risk."

"Most risk assessment today is done by highly-skilled individuals who work with a great deal of subjective data -- and whose knowledge is often lost when they leave the company," Carmichael observes. But if enterprises and industries began collecting and storing more objective data -- analogous to insurers' actuarial tables -- then they would be able to make more educated security decisions, he says.

"Imagine if security worked like insurance. You could tell your manager, 'We can spend $4,000 on this, and reduce risk by 14 percent, or we can spend $2,000 on that, and reduce risk by 7 percent,'" Carmichael says. Such a knowledge base would also help security managers prioritize the projects and technologies they want to deploy, because it would offer some data on the potential impact of specific technologies on the frequency of security events, he notes.

But could the security industry develop such a knowledge base, as the insurance industry did? It's possible, because compliance requirements are causing security managers in many different industries to come together on the guidelines for risk, Carmichael says.

"Think how much it would help compliance auditors if the enterprise could produce a bell curve that shows acceptable levels of risk, and how their systems fit under that curve," Carmichael says. "It would speed up the compliance process a great deal."

McAfee is working to develop products that would help enterprises collect this objective data and eventually build the knowledge base, says Carmichael, though he could not be more specific.

"We see the corollary between insurance and security as being an important one going forward," Carmichael says, "and the [London School of Economics] report confirms that something like this is what a lot of security managers need. It's all about managing risk."

— Tim Wilson, Site Editor, Dark Reading

  • McAfee Inc. (NYSE: MFE)

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    7 Old IT Things Every New InfoSec Pro Should Know
    Joan Goodchild, Staff Editor,  4/20/2021
    Cloud-Native Businesses Struggle With Security
    Robert Lemos, Contributing Writer,  5/6/2021
    Defending Against Web Scraping Attacks
    Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    2021 Top Enterprise IT Trends
    We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
    Flash Poll
    How Enterprises are Developing Secure Applications
    How Enterprises are Developing Secure Applications
    Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2021-05-13
    An improper access control vulnerability has been reported to affect earlier versions of Music Station. If exploited, this vulnerability allows attackers to compromise the security of the software by gaining privileges, reading sensitive information, executing commands, evading detection, etc. This ...
    PUBLISHED: 2021-05-13
    A command injection vulnerability has been reported to affect certain versions of Malware Remover. If exploited, this vulnerability allows remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Malware Remover versions prior to This issue does not affect: QNAP...
    PUBLISHED: 2021-05-13
    An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3...
    PUBLISHED: 2021-05-13
    An Authentication Bypass vulnerability in the SAML Authentication component of BlackBerry Workspaces Server (deployed with Appliance-X) version(s) 10.1, 9.1 and earlier could allow an attacker to potentially gain access to the application in the context of the targeted user’s acco...
    PUBLISHED: 2021-05-12
    Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.2 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.