Roy Firestein

Security Feeds

The Curious Case of Asset Valuation

July 22nd, 2009. Published under My Recent Reads.

Pulled from Google Reader.

I recently had a discussion with someone about how to do asset valuation for risk assessments. It was a good discussion that prompted me to share with you. The whole concept of asset valuation (as it exists for information security) is predicated on the assumption that acquisition cost is a good constituent factor of security risk. So, how do we evaluate the asset valuation landscape?

Let’s start with our international standard for risk assessments: ISO 27005. There is a relatively lengthy discussion of asset valuation in Appendix B.2 (read here for Alex’s 27005 review). This is encouraging; however, the discussion very quickly devolves from “what does it cost to replace this?” to what they term “consequences.” Consequences are what happen as a result of having the asset. What does this mean? Well, they offer a list of things that may help (they make a point of letting you know this might not be a complete list):

  • Interruption of service
  • Inability to provide the service
  • Loss of customer confidence
  • Loss of credibility in the internal information system
  • Damage to reputation
  • Disruption of internal operation
  • Disruption in the organization itself
  • Additional internal cost
  • Disruption of a third party’s operation
  • Disruption in third parties transacting with the organization
  • Inability to fulfill legal obligations
  • Inability to fulfill contractual obligations
  • Danger for the organization’s personnel and / or users
  • Attack on users’ private life

…and this isn’t the complete list.

What strikes me as a FAIR practitioner is that this list is void of any taxonomy. In other words, there are no categories, just a list of specific types of incidents (which surely isn’t comprehensive). I jotted down a quick mapping to FAIR loss categories and noticed that most map to secondary loss categories, strengthening the Chicken Little security practitioner’s view of the world.

So FAIR practitioners are at an advantage when speaking about asset valuation, because we don’t get caught up in the existential discussion about an asset’s “consequences,” and likewise we don’t narrow our focus to just replacement cost. We have our capacious list of loss categories, and we rely on the scenario to help guide our Probable Loss Magnitude discussions. Because asset valuation (per my strict vantage point of replacement only) is myopic, the bigger, more important discussion is what the losses look like. Certainly, these are consequences, but the perspective is different. Instead of listing every possible loss for a given asset, we only estimate the losses for an asset in a given scenario. There may be many scenarios, but funneling our thoughts to the specific saves us from wondering what effect nuclear fallout will have on our database servers.
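To make the two preceding points concrete, here is an added example (not code from the original post or from the FAIR body of knowledge): it maps the ISO 27005 consequence list onto the six FAIR forms of loss, counts how many land in secondary loss, and then estimates Probable Loss Magnitude for one specific scenario instead of valuing the asset by replacement cost alone. The primary/secondary mapping is this example’s own judgement call, the database-server outage scenario and its dollar figures are constructed, and the triangular (min / most likely / max) distribution is a simplification standing in for whatever estimate shape a practitioner would actually use.

```python
"""Added example: ISO 27005 consequences mapped to FAIR loss forms, plus a
scenario-scoped loss estimate contrasted with bare replacement cost."""
import random
from collections import Counter
from enum import Enum


class LossForm(Enum):
    """The six FAIR forms of loss."""
    PRODUCTIVITY = "productivity"
    RESPONSE = "response"
    REPLACEMENT = "replacement"
    FINES_JUDGMENTS = "fines and judgments"
    COMPETITIVE_ADVANTAGE = "competitive advantage"
    REPUTATION = "reputation"


# ISO 27005 B.2 "consequences" as listed in the post, each mapped to a FAIR
# loss form and to primary loss (borne directly by the organisation) or
# secondary loss (driven by reactions of customers, regulators, partners).
# The mapping is this example's own judgement, not something the standard says.
ISO_CONSEQUENCE_MAP = {
    "Interruption of service": (LossForm.PRODUCTIVITY, "primary"),
    "Inability to provide the service": (LossForm.PRODUCTIVITY, "primary"),
    "Loss of customer confidence": (LossForm.REPUTATION, "secondary"),
    "Loss of credibility in the internal information system": (LossForm.REPUTATION, "secondary"),
    "Damage to reputation": (LossForm.REPUTATION, "secondary"),
    "Disruption of internal operation": (LossForm.PRODUCTIVITY, "primary"),
    "Disruption in the organization itself": (LossForm.PRODUCTIVITY, "primary"),
    "Additional internal cost": (LossForm.RESPONSE, "primary"),
    "Disruption of a third party's operation": (LossForm.FINES_JUDGMENTS, "secondary"),
    "Disruption in third parties transacting with the organization": (LossForm.FINES_JUDGMENTS, "secondary"),
    "Inability to fulfill legal obligations": (LossForm.FINES_JUDGMENTS, "secondary"),
    "Inability to fulfill contractual obligations": (LossForm.FINES_JUDGMENTS, "secondary"),
    "Danger for the organization's personnel and / or users": (LossForm.FINES_JUDGMENTS, "secondary"),
    "Attack on users' private life": (LossForm.FINES_JUDGMENTS, "secondary"),
}


def loss_type_breakdown(mapping=ISO_CONSEQUENCE_MAP):
    """Count how many consequences land in primary vs secondary loss."""
    return Counter(kind for _form, kind in mapping.values())


def secondary_share(mapping=ISO_CONSEQUENCE_MAP):
    """Fraction of the consequence list that is secondary loss."""
    counts = loss_type_breakdown(mapping)
    return counts["secondary"] / sum(counts.values())


def expected_loss(scenario):
    """Analytic expectation: a triangular (min, likely, max) estimate has
    mean (min + likely + max) / 3, so the scenario mean is their sum."""
    return sum((lo + ml + hi) / 3 for lo, ml, hi in scenario.values())


def simulate_loss(scenario, n=20_000, seed=1):
    """Monte Carlo Probable Loss Magnitude for one scenario.
    Returns (mean, 90th percentile) of total loss across all loss forms."""
    rng = random.Random(seed)
    totals = []
    for _ in range(n):
        total = 0.0
        for lo, ml, hi in scenario.values():
            # random.triangular takes (low, high, mode); mode is the "most likely"
            total += rng.triangular(lo, hi, ml)
        totals.append(total)
    totals.sort()
    return sum(totals) / n, totals[int(0.9 * n)]


# Constructed scenario: one database server, unplanned multi-day outage after a
# hardware failure.  All figures are illustrative, in dollars.  Competitive
# advantage is absent because nothing is exfiltrated in this scenario.
DB_SERVER_REPLACEMENT_COST = 15_000

OUTAGE_SCENARIO = {
    LossForm.PRODUCTIVITY: (5_000, 20_000, 80_000),
    LossForm.RESPONSE: (2_000, 8_000, 20_000),
    LossForm.REPLACEMENT: (10_000, 15_000, 20_000),
    LossForm.FINES_JUDGMENTS: (0, 0, 10_000),
    LossForm.REPUTATION: (0, 5_000, 50_000),
}


if __name__ == "__main__":
    print("ISO consequences by loss type:", dict(loss_type_breakdown()))
    print(f"secondary share: {secondary_share():.0%}")
    mean, p90 = simulate_loss(OUTAGE_SCENARIO)
    print(f"replacement cost only: ${DB_SERVER_REPLACEMENT_COST:,}")
    print(f"scenario loss  mean: ${mean:,.0f}   p90: ${p90:,.0f}")
```

Run as a script, it shows the point of the post numerically: 9 of the 14 ISO consequences fall into secondary loss under this mapping, and the scenario’s expected loss is several times the server’s replacement cost, with the 90th percentile higher still, because productivity and reputation loss dominate and neither appears on a balance sheet.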

The six loss categories are great fodder for really interesting discussions that bring the security and risk practitioner closer to the business, and this is key: you can get asset valuation from the balance sheet, but true business risk often sits in the heads of the technical, managerial, and executive people in the business. What this means is that risk (and infosec really) needs to be the (or at least a) bridge between IT and the business.
