I staffed this graphic with my work colleagues in a Cyber Defense unit. Our Tech Director offered this feedback:
I would argue that the formula can be improved upon in that there is a
denominator for Impact as well. There are system design aspects that are
specifically meant to minimize the impact an actor can have assuming they
managed to break (past) countermeasures. For example, network segmentation,
encrypting data at rest, IP randomization technology, virtualization, etc.
Those are not “countermeasures”, they aren’t designed to mitigate specific
“vulnerabilities”, and they aren’t standard security controls, but they are
meant to limit “impact”.
It is one of the fundamental weaknesses in our existing architecture: we
continue to bolt on “security appliances” to enable near real-time
countermeasures, but once those countermeasures are defeated, we are soft and
gooey on the inside. We have not invested in the fundamental architectural
changes necessary to limit impact. You cannot defend the un-defendable. It
would be akin to building ships with no watertight integrity and then bolting
on rubber bumpers in the hope that inbound missiles would merely bounce off
the ship. However, if one of the bumpers is breached, down goes the ship.
So I propose:

R = ((T x V) x I) / ((C – O) x (A – D))

where A = Architecture and D = Design Cost.