The business case for information security
In an increasingly connected world where most organisations have some connection to the Internet and many conduct business with their key stakeholders electronically, we have to ask: is our business information at risk? What is the real threat facing UK business? Nick Coleman, Chairman of SAINT (Security Alliance for Internet and New Technologies) and Head of Security Services at IBM, discusses the threat to UK business and how a business case can be built to justify spending on information security.
Is our information at risk?
In the US, 90 per cent of organisations surveyed detected computer security breaches during the last 12 months, and a staggering US$456 million was reported as lost by those organisations as a result. The most significant area continues to be theft of intellectual property, where total reported losses amounted to US$171 million and the average loss per organisation experiencing this kind of incident is now some US$6.5 million. Given that only 503 organisations were surveyed, and only 44 per cent of those were able to quantify their losses, total losses for US organisations could plausibly run into billions of dollars.
The UK perspective
In 2002, the National Hi-Tech Crime Unit (NHTCU) commissioned NOP to undertake a survey of computer crime in UK organisations. This survey, which I helped the NHTCU commission, was based on the FBI/CSI categories of computer crime, which allows some new comparisons to be made between the US and the UK. In the last 12 months alone, the UK-based organisations surveyed experienced over 3,000 incidents of computer-enabled crime. The NHTCU survey showed that:
67 per cent of organisations surveyed had experienced viruses;
77 per cent had experienced laptop thefts;
20 per cent had experienced a denial of service attack.
A denial of service attack is one in which the perpetrator floods a system, or an entire network, with vast volumes of traffic with the intention of degrading its performance or shutting it down. Virus attacks were still the most frequently occurring incidents, with 1,612 incidents taking place during the last 12 months alone. In the FBI/CSI 2002 survey:
85 per cent of organisations surveyed had experienced viruses;
55 per cent had experienced laptop thefts;
40 per cent had experienced a denial of service attack.
Before making direct comparisons we need to take into account the differences in sample populations: 105 organisations were surveyed in this initial NHTCU/NOP survey against 503 in the FBI/CSI 2002 survey. Even so, we can see that in the United States 18 percentage points more organisations reported experiencing viruses, twice the proportion of organisations experienced a denial of service attack, and 22 percentage points fewer reported suffering laptop thefts.
The cost to UK business
The NHTCU survey did not attempt to calculate the losses to UK organisations from these kinds of crime. However, it did provide base data to which certain assumptions can be applied, making it possible to put a figure on how much UK businesses might have lost to computer-enabled crime during the last 12 months. If we assume that the average loss per UK organisation was at the same level as that experienced by US organisations, we can estimate the losses to UK business.
Sizing the impact from virus incidents
Using this approach, if 67 per cent of the 105 organisations surveyed in the UK reported experiencing virus attacks during the last 12 months, this equates to 70 companies. Multiplying this number by the average loss per organisation gives the total potential loss from viruses for the organisations surveyed. The FBI/CSI survey identified that 428 of the organisations surveyed experienced a virus incident, but only 188 were able to quantify the cost of those incidents. Among those 188, the highest loss reported was US$9 million and the average loss was some US$283,000. Multiplying US$283,000 by 70 gives a total loss for the surveyed UK organisations of some US$20 million.
Calculating the total cost to UK business
Using the same method for each category of computer crime, we can calculate the losses that might be expected across all categories for the 105 organisations surveyed. Totalled together, this equates to US$228 million lost by the UK businesses surveyed over the last 12 months.
However, this figure needs to be treated with great caution, and should not be taken to be statistically significant. The NHTCU/NOP survey covered only 105 organisations and was never meant to support statistical conclusions, and the figure is reached only by making a number of assumptions.
Furthermore, the calculation may be too conservative. There were 129 instances of theft of hardware other than laptops; these are omitted from the US$228 million figure because we had no information on the average loss for this kind of incident. In addition, 63 per cent of organisations in the FBI/CSI 2002 survey had 1,000 or more employees, whereas 82 per cent of those in the NHTCU/NOP survey did. Larger organisations are expected to suffer higher losses, so the average loss for the UK sample, with its greater share of large organisations, should be higher; if that is true, it would inflate the US$228 million total.
Even if the number is not accurate, what we can deduce is that with over 3,000 incidents and estimated losses of some US$228 million across 105 organisations, there is a significant threat from this type of crime in the UK, and organisations need to be prepared for such incidents. But at what level do they need to plan, and how can we calculate the specific threat to one organisation?
Making this specific to one organisation
To calculate this, an organisation needs to conduct a formal risk assessment. A risk assessment makes it possible to determine, amongst other things, the potential impact of an incident on the organisation and the probability of that impact occurring. Multiplying these two figures together gives one view of the level of threat posed by that kind of incident.
Probability times impact
The threat level described above (the probability that the impact will occur, times the impact) needs to be calculated with data relevant to the organisation's own environment. Before we look at how that organisation-specific data might be obtained, we should look at how a probability-times-impact model works.
An industry generic example
If 20 per cent of UK organisations suffered a denial of service attack in the last 12 months, then, taking that share as a base rate, the probability of an organisation being attacked is 20 per cent. Assuming that the average loss from this type of incident is US$300,000, as reported in the FBI/CSI 2002 survey, multiplying the 20 per cent probability by the US$300,000 average loss gives a perceived threat level of around US$60,000 over a 12-month period. A large organisation reading this will see immediately that a successful denial of service attack would cost it far more than the industry average, which reinforces the need for information specific to the company in question, something covered in the next section.
Tailoring this model to your own organisation's environment
Using data specific to your own organisation is essential. Does the industry average loss reflect the impact that would be felt in your organisation? And how can you calculate the probability without factoring in the specifics of your own organisation and the environment in which it operates?
Calculating the probability of an impact occurring in your organisation
To get to this organisation-specific data, consider the probability first. What is the probability that incidents will occur in any particular organisation? With over 3,000 incidents occurring in the UK sample and only three per cent of organisations reporting no incident of computer crime in the last 12 months, you have to start by assuming it might happen to you. At the same time, it is not realistic to assume that every kind of incident will affect every organisation. You have to be prepared for many kinds of incident, but an organisation without a website is not exposed to website defacement, and so on. A risk assessment process lets the organisation arrive at a more realistic probability of an impact occurring. My methodology for doing this takes into account many factors, including the technologies used, geographical location and security policy, to calculate a realistic probability that the impact might occur.
Sizing the potential impact on your organisation
Looking next at the impact of an incident, how can we determine the potential impact of a denial of service incident or a virus attack on an organisation? It must be said up front that it is often not possible to size completely the impact that, say, a virus attack would have on the organisation. However, from our understanding of the cost of downtime in an organisation, we have a base set of categories to work from in calculating the impact of an incident; these categories show where the impact might come from. To calculate the impact, we need to understand which assets might be affected by an incident, then calculate the impact the incident would have on those assets. Several types of asset need to be considered in doing this; Section 5 of BS 7799 Part 1, the Code of Practice for Information Security Management, is a good independent reference on this area. Finally, when it comes to actually sizing the impact, companies often say it is difficult to get data from within their own organisation. If you find the same, the average loss figures reported in the FBI/CSI survey may be a good starting point. Over time you can then capture information that validates or corrects that figure for your own organisation, determining which assets are likely to be affected and what impact, in the categories of Figure 1.1.5, might be experienced.
Other aspects to consider
The methodology above factors in only the negative impact of security breaches; it does not take into account that security investments can also have positive impacts, such as on the brand or in reducing operating costs. In building the return on investment (ROI) case for an organisation, both the negative impacts avoided and the positive benefits gained need to be taken into account. The method works in much the same way, multiplying the size of the positive impact by the probability that it will be realised.
Forming the ROI case
The method above is one way of capturing numerical information about the level of threat to your organisation. The next step is to decide whether that is an acceptable level of risk. The organisation has to decide whether to accept the risk or put solutions in place to mitigate it. Security programmes, properly executed, reduce the impact and/or the probability of an incident, and it is against this reduction, set against the cost of the programme, that an organisation can build a return on investment case. However, there is always some residual risk that the organisation has to accept, even after making its security investments. There is no such thing as 100 per cent security.
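As an added worked example, not code from the article, from the author or from SAINT, the following Python carries the sizing method used above for the UK virus figure and the probability-times-impact and ROI reasoning of the last two sections through in one place. It reuses only figures quoted in the article (105 UK organisations, 67 per cent with virus incidents, 20 per cent with denial of service attacks, FBI/CSI 2002 average losses of US$283,000 and US$300,000). The candidate control, its annual cost, the assumption that it halves both probability and impact, and the ROI formula used are assumptions of this example and not survey data or the author's method.

```python
"""Added worked example: the article's probability-times-impact model carried
through to a return-on-investment comparison. Not the author's own tool."""
from dataclasses import dataclass


def extrapolate_survey_loss(sample_size, share_affected, average_loss):
    """The article's sizing method: number of organisations affected (rounded)
    times the average loss per affected organisation.
    Returns (organisations_affected, total_loss)."""
    affected = round(sample_size * share_affected)
    return affected, affected * average_loss


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float  # chance the incident hits this organisation in 12 months
    impact: float       # loss in US$ if it does

    def expected_loss(self):
        """Threat level = probability times impact."""
        return self.probability * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    probability_factor: float  # residual probability as a fraction of the original
    impact_factor: float       # residual impact as a fraction of the original
    positive_benefit: float = 0.0     # US$ upside, e.g. brand or lower operating cost
    benefit_probability: float = 0.0  # chance that upside is actually realised

    def residual(self, threat):
        """The threat as it remains once the control is in place. Both factors
        must stay above zero: a control can cut probability or impact but not
        eliminate them, so some residual risk always remains."""
        if not (0 < self.probability_factor <= 1 and 0 < self.impact_factor <= 1):
            raise ValueError("factors must lie in (0, 1]; no control removes all risk")
        return Threat(threat.name,
                      threat.probability * self.probability_factor,
                      threat.impact * self.impact_factor)


def business_case(threats, control):
    """Expected loss over 12 months before and after the control, the loss
    avoided, the expected positive benefit and the control's ROI.

    ROI = (loss avoided + expected upside - cost) / cost. The article does not
    fix a formula, so this (the usual return-on-security-investment form) is an
    assumption of this example."""
    before = sum(t.expected_loss() for t in threats)
    after = sum(control.residual(t).expected_loss() for t in threats)
    upside = control.positive_benefit * control.benefit_probability
    roi = (before - after + upside - control.annual_cost) / control.annual_cost
    return {"before": before, "residual": after, "avoided": before - after,
            "upside": upside, "roi": roi}


# Survey-derived base rates used as the industry-generic starting point
# (figures as quoted in the article).
GENERIC_THREATS = [
    Threat("virus", probability=0.67, impact=283_000),
    Threat("denial of service", probability=0.20, impact=300_000),
]

# Constructed control for illustration: a filtering and patching programme
# costing US$50,000 a year that halves both the chance and the cost of each
# incident. These values are invented, not survey data.
EXAMPLE_CONTROL = Control("filtering and patching programme", annual_cost=50_000,
                          probability_factor=0.5, impact_factor=0.5)


if __name__ == "__main__":
    affected, total = extrapolate_survey_loss(105, 0.67, 283_000)
    print(f"virus: {affected} of 105 organisations, est. US${total:,.0f}")
    case = business_case(GENERIC_THREATS, EXAMPLE_CONTROL)
    for key, value in case.items():
        print(f"{key:>9}: {value:,.2f}")
```

Run as a script it reproduces the article's 70 organisations and roughly US$20 million for viruses, then shows that the constructed control cuts the generic expected loss from about US$249,610 to about US$62,402 over 12 months; the US$62,402 is the residual risk the organisation still has to accept. Swap the survey base rates for the organisation-specific probability and impact figures from your own risk assessment before using the result in a real case.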
Other ways to calculate the ROI to the organisation
There are a number of different approaches that could have been demonstrated here, but the purpose of this article was to share the new information provided by the NHTCU/NOP survey and to show how it can assist in building the business case for security. In the SAINT (Security Alliance for Internet and New Technologies) working group we are considering all of these approaches, and we will publish a White Paper on the subject during 2003 covering them in more detail, including one based on BS 7799.
Final thoughts
The NHTCU/NOP survey revealed that 34 per cent of organisations are spending under one per cent of their total spend on computer security, 46 per cent are spending under two per cent, and 22 per cent of respondents were spending between two and five per cent. Given that those same 105 organisations reported over 3,000 incidents in the last 12 months, organisations should perhaps be reviewing their spending levels regularly. Performing regular risk assessments of the kind described here can help you get that process started in your organisation.
The author assumes no responsibility regarding the accuracy of the information that is provided herein and use of such information is at the recipient's own risk. The author provides no assurances that any reported problems may be resolved with the use of any information provided herein. By furnishing information, the author does not grant any licences to any copyrights, patents or any other intellectual property rights. The information and opinions provided in this document are those of the author alone and not necessarily those of IBM or any other organisation that the author is involved with.