Concepts:

The chapter opens with the usual amount of preamble, including an observation that managers should be concerned about security risks, regardless of whether they are general managers, IT managers, or IT security managers. A breach in security can occur in anyone's area of responsibility. The text goes on to quote Sun Tzu (the third quote on the linked page), and to use his observation that you must know yourself and your enemy as a theme for the chapter. The quote is from the end of chapter 3 of The Art of War. It is not accidental that the authors refer to a classic source that is used as a management text and as a guide for warfare. Their point is that we must know our assets, know their weaknesses and strengths, and know the attacks that are likely to occur if we hope to defend against them.

The authors might have quoted the beginning of chapter 3 to give us more hope. Sun Tzu wrote that "the worst policy of all is to besiege walled cities". It is our goal in mounting a defense to present such a wall that the enemy will not waste its effort in an attack.

Is it possible to protect everything we might call an IT asset? Given enough time and money, yes, but we will always have limits on what we can spend, how many staff we can hire, and how much time we can devote to the project given what else we are assigned to do. The text devotes much of the chapter to a sequence of processes that lead to a prioritized list of assets, which tells us where we should spend the most effort on protection.

The first process creates a catalog of our IT assets. Note that any such list represents only a snapshot in time. The procedures used to create it must be available to appropriate staff any time a new asset is added, or an old one is changed or removed. A related process, on page 285, involves assigning meaningful names to assets and recording attributes that are relevant to their use and service. Consistent naming standards need to evolve over time, but they add a great deal of value: being able to recognize some of an object's characteristics from its name can be very helpful.

The text presents several scales on which assets might be rated to assign
a "value to the organization". It may be that one of the questions
on pages 288 and 289 will be more important than the others to your organization,
but it is more likely that a composite score makes the
most sense if several of the questions apply. In the example on page 290,
five different assets are rated on three factors, each of which has been
assigned a relative importance for this comparison. This leads to a score
for each of those assets that shows its importance relative to the other
four. Note that it might not be fair to compare numbers from this
chart to numbers from another chart that used different
criteria, unless those criteria were of equal importance to the organization.
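The chapter's sequence (catalog the assets, name them so attributes can be read from the name, rate them on weighted criteria, and produce a prioritized list) as an added example in Python; this is not code from the textbook or these notes, and the naming standard, criteria, weights and five assets are all constructed for illustration. It also shows why a score from one chart is not comparable with the same number from a chart built on different criteria.

```python
"""Asset catalog -> naming standard -> weighted valuation -> prioritized list.
Added example; naming scheme, criteria, weights and asset data are constructed."""
from dataclasses import dataclass

# Constructed naming standard: SITE-TYPE-ROLE-NN, e.g. "HQ-SRV-DB-01". Site,
# type and role can be read straight from the name, the payoff of the
# consistent naming the chapter recommends.
TYPES = {"SRV": "server", "WS": "workstation", "NET": "network device"}

@dataclass
class Asset:
    name: str
    ratings: dict  # criterion -> score on a 0-100 scale (constructed)

    def attributes(self) -> dict:
        """Decode the attributes the naming standard embeds in the name."""
        site, kind, role, seq = self.name.split("-")
        if kind not in TYPES:
            raise ValueError(f"{self.name}: unknown type code {kind!r}")
        return {"site": site, "type": TYPES[kind], "role": role, "seq": int(seq)}

def composite_score(asset: Asset, weights: dict) -> float:
    """Weighted average of the criterion scores. Weights are relative
    importances and are normalized, so one chart's scores share a scale."""
    total = sum(weights.values())
    return round(sum(asset.ratings[c] * w for c, w in weights.items()) / total, 1)

def prioritize(assets: list, weights: dict) -> list:
    """(name, score) pairs, most valuable asset first."""
    scored = [(a.name, composite_score(a, weights)) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Three constructed criteria with relative importance (illustrative numbers,
# not the textbook's). ALT_WEIGHTS is a different chart: a 69.0 under it is
# not comparable with a 69.0 under WEIGHTS, the caveat the notes raise.
WEIGHTS = {"revenue_impact": 50, "profitability": 30, "public_image": 20}
ALT_WEIGHTS = {"revenue_impact": 30, "public_image": 70}

INVENTORY = [  # five constructed assets with illustrative ratings
    Asset("HQ-SRV-DB-01", {"revenue_impact": 90, "profitability": 80, "public_image": 60}),
    Asset("HQ-SRV-WEB-01", {"revenue_impact": 70, "profitability": 50, "public_image": 95}),
    Asset("BR1-NET-FW-01", {"revenue_impact": 60, "profitability": 40, "public_image": 30}),
    Asset("BR1-WS-HR-07", {"revenue_impact": 20, "profitability": 30, "public_image": 50}),
    Asset("HQ-SRV-MAIL-01", {"revenue_impact": 50, "profitability": 40, "public_image": 70}),
]

if __name__ == "__main__":
    by_name = {a.name: a for a in INVENTORY}
    for name, score in prioritize(INVENTORY, WEIGHTS):
        print(f"{score:5.1f}  {name}  {by_name[name].attributes()}")
```

Under WEIGHTS the web server scores 69.0; under ALT_WEIGHTS the database server scores 69.0, yet the two numbers say nothing about each other because the criteria differ.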
The text moves on to identifying threats. On page 291, the chart of twelve threat categories from chapter 2 is repeated. The text makes a point, over several pages, that some assets are threatened only by specific threats, and that some threats are much more likely to occur than others. Which ones? The text asks us to consider which threats are hazardous to our company and which of those are the most dangerous. It is hard to say about a hypothetical company, so let's harvest some opinions. See the chart on page 293, in which the twelve categories are sorted by their significance as potential problems, as perceived by surveyed IT professionals. Is this chart meaningful? It is not the opinion of one author; it is a composite of perhaps a thousand opinions. Perhaps? The text says over a thousand executives were polled. It does not say how many responded. The ACM website won't let me read the article, which is from an eleven-year-old issue. In fact, the article was written by one of the authors of our text. It is available here, and it represents several of the points of this chapter.

On page 292 the text makes the very odd assertion that "detected attacks are decreasing". I remark on this in case any of you read that and actually believed it. This assertion is based on the data presented in the chart on page 293, which may be based on asking the wrong questions. The chart seems to be reporting percentages of successful attacks on organizations, broken into categories. I see three problems with this data. First, the data appear to refer to successful attacks, not the total number of attacks. The total number would be more interesting. Second, to be reported, an attack would have to be noticed. What about the ones that are not noticed? Third, what about the companies who chose not to report their losses?

Given the lack of hard data and the large amount of guesswork involved in these estimates, we can only say that the calculation shown in the text for risk assessment (page 301 and page 303) is an estimate, a relative value that should only be used to rank one risk against another. The text refers to this calculation as risk assessment, risk identification, and risk determination. The phrase used in your organization may be one of these or a similar phrase. To use the formula, you first calculate a value for each term: