chapter opens with the usual amount of preamble, including an observation that managers should be concerned about security risks, regardless of whether they are general managers, IT managers, or IT security managers. A breach in security can occur in anyone's area of
The text goes on to quote Sun Tzu (the third quote on the linked page), and to use his observation that you must know yourself and your enemy as a theme for the chapter. The quote is from the end of chapter 3 of The Art of War. It is not accidental that the authors refer to a classic source that is used as a management text and as a guide for warfare. Their point is that we must know our assets, know their weaknesses and strengths, and know the attacks that are likely to occur if we hope to defend against them. The authors might have quoted the beginning of chapter 3 to give us more hope. Sun Tzu wrote that "the worst policy of all is to besiege walled cities". It is our goal in mounting a defense to present such a wall that the enemy will not waste its effort in an attack.
Is it possible to protect everything we might call an IT asset? Given enough time and money, yes, but we will always have limits on what we can spend, how many staff we can hire, and what time we can devote to the project given what else we are assigned to do. The text devotes much of the chapter to a sequence of processes that lead to a prioritized list of assets which will tell us what we should spend the most effort to protect.
The first process creates a catalog of our IT assets. Note that any list represents only a snapshot in time. The procedures used to create such lists must be available to appropriate staff any time a new asset is added, or an old one is changed or removed. A related process is the one on page 281 that involves assigning meaningful names to assets and recording attributes that are relevant to their use and service. Consistent naming standards need to evolve over time, but they add a lot. Being able to recognize some of an object's characteristics from its name can be very helpful.
The text presents several scales on which assets might be rated to assign a "value to the organization". It may be that one of the questions on pages 284 and 285 will be more important than the others to your organization, but it is more likely that a composite score makes the most sense if several of the questions apply. In the example on page 286, five different assets are rated on three factors, each of which has been assigned a relative importance for this comparison. This leads to a score for each of those assets that shows its importance relative to the other four. Note that it might not be fair to compare numbers from this chart to numbers from another chart that used different criteria, unless those criteria were of equal importance to the organization.
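The weighted factor analysis described above, worked through in code. This is an added illustration, not the textbook's table: the criteria, weights, asset names and ratings are constructed sample values, and the second weighting at the end shows why scores from tables with different criteria should not be compared.

```python
"""Weighted factor analysis: rank IT assets by value to the organization.
Added example with constructed data; not the textbook's page-286 figures."""

# Constructed criteria and their relative importance (percent, total 100).
CRITERIA = {"revenue": 30, "profitability": 40, "public_image": 30}

# Constructed ratings, 0.0 (no impact) to 1.0 (critical), per criterion.
ASSETS = {
    "customer database": {"revenue": 0.8, "profitability": 0.9, "public_image": 0.9},
    "public web server": {"revenue": 0.6, "profitability": 0.4, "public_image": 1.0},
    "payroll server":    {"revenue": 0.1, "profitability": 0.7, "public_image": 0.3},
    "file server":       {"revenue": 0.3, "profitability": 0.3, "public_image": 0.2},
    "dev workstation":   {"revenue": 0.1, "profitability": 0.1, "public_image": 0.1},
}


def validate_criteria(criteria):
    """A composite score only means something when the weights total 100."""
    total = sum(criteria.values())
    if total != 100:
        raise ValueError(f"criteria weights total {total}, expected 100")
    return True


def weighted_score(ratings, criteria):
    """Composite 0-100 score: each rating multiplied by its criterion weight."""
    validate_criteria(criteria)
    missing = set(criteria) - set(ratings)
    if missing:  # an unrated factor would silently lower the score
        raise ValueError(f"asset has no rating for {sorted(missing)}")
    return round(sum(ratings[c] * w for c, w in criteria.items()), 1)


def rank_assets(assets, criteria):
    """Return (asset, score) pairs, most valuable to the organization first."""
    scored = [(name, weighted_score(r, criteria)) for name, r in assets.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_assets(ASSETS, CRITERIA):
        print(f"{score:5.1f}  {name}")
    # The same assets under a weighting that favours public image: the order
    # changes, so only the ranking within one table is meaningful.
    image_first = {"revenue": 10, "profitability": 10, "public_image": 80}
    for name, score in rank_assets(ASSETS, image_first):
        print(f"{score:5.1f}  {name}")
```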
The text moves on to identifying threats. On page 287, the chart of twelve threat categories from chapter 2 is repeated. The text makes a point, over several pages, that some assets are threatened only by specific threats, and that some threats are much more likely to occur than others. Which ones? The text asks us to consider which threats are hazardous to our company and which of those are the most dangerous. It is hard to say for a hypothetical company, so let's harvest some opinions.
See the chart on page 289, in which the twelve categories are sorted by their significance as potential problems, as perceived by surveyed IT professionals. Is this chart meaningful? It is not the opinion of one author; it is a composite of perhaps a thousand opinions. Perhaps? The text says over a thousand executives were polled. It does not say how many responded. The ACM website won't let me read the article, which is from an eleven-year-old issue. In fact, the article was written by one of the authors of our text. It is available here, and it represents several of the points of this chapter.
On page 290 the text makes the very odd assertion that "detected attacks are decreasing". I remark on this in case any of you read that and actually believed it. This assertion is based on the data presented in the chart on page 290, which may be based on asking the wrong questions. The chart seems to be reporting percentages of successful attacks on organizations broken into categories. I see three problems with this data. First, the data appear to refer to successful attacks, not the total number of attacks. The total number would be more interesting. Second, to be reported, an attack would have to be noticed. What about the ones that are not noticed? Third, what about the companies who choose not to report their losses?
Given the lack of hard data and the large amount of guesswork involved in these estimates, we can only say that the calculation shown in the text for risk assessment (page 295 and page 297) is an estimate, a relative value that should be used only to rank one risk relative to another. The text refers to this calculation as risk assessment, risk identification, and risk determination. The phrase used in your organization may be one of these or a similar phrase. To use the formula, you first calculate a value for each term: