In this video, Kip Boyle introduces the 0 to 10 scale for information security. Learn about using the 0 to 10 scale to measure information security.
- We need a way to measure information and cyber risk in order to use data to manage it. Because we're taking a managerial approach to our risks as opposed to a very technical one, we'll need measurements that facilitate management thinking and action, and that will open up the door to making useful changes. We also need to be able to measure the true nature of security. Let me tell you what I mean by that. Most people believe you can never have too much money. However, it is possible to have too much security, or too little.
Look at the left side of the diagram. You can see that as we go from left to right along the X axis, we're spending more and more money trying to reduce risk. Notice that risk does go down rather quickly as we begin to manage it. As you move to the right and enter the green zone, the curve goes lower, and risk drops to an acceptable level. However, as you continue to spend money and add more controls, the risk increases again as you move further to the right and out of the green zone.
Why is that? Well, past a certain point, security gets to be so difficult that people begin to look for ways to go around the controls, which can create a false sense of security for the people responsible for managing risk. In other words, risk managers may be using more resources than are required, and getting a risk level that's much worse than they need in return. I'm sure you've experienced a situation where there was too much security required to get your job done. I've seen remote network access systems that were so secure that it required four separate two-factor authentications to reach your data.
It was so complicated and time-consuming that most people didn't use it, which reduced that organization's productivity, and it caused them to spend a lot of money on a remote access solution that was operating far under capacity. So the challenge with security, as with most things in life, is to find a good balance between protection and usefulness. Now let's create a score key that captures these three security states, and the need to find balance. Starting on the left, the scores zero through four, colored in yellow, represent various levels of insecurity, from no security at all to some.
The scores five through eight, colored in green, represent a range from minimally acceptable security to fully optimized, and scores nine and ten represent too much security, which is wasteful of time, money, and morale, just like the remote access solution I mentioned a moment ago. Notice there are five possible scores for insecurity, four possible scores for balanced security, and two possible scores for excessive security.
This reflects my experience that we often need less granularity to measure and improve situations that are too secure than those that are not secure enough. Also notice there are only two colors, yellow and green. This is a result of my emphasis on simplicity. What do I mean by that? Well, when it comes to risk management, I've noticed people tend to make things complicated, but too much complexity becomes counterproductive to creating clarity and moving at a brisk pace. After all, cyber risk is already an abstract and difficult thing for most people to understand, especially executives who set priorities and control your budget. So do what you can to keep your risk management work as simple as possible, without getting so simplistic that you can't deliver results.