What is the goal behind calculating assets in ISO-27000?

My friend and colleague Gary Hinson said about asset valuation in ISO-27000

So, for instance, it’s hard to say exactly how much the HR database
is worth, but it’s a fair bet that it is less valuable to the
organization than the Sales and Marketing database containing
commercial details on customers and prospects. Therefore, it
probably makes commercial sense to put more effort and resources into
securing the S&M database against disclosure incidents, than for the
HR database.

While Gary is ‘classically’ right, there’s a hidden gotcha in all that.

It is *YOU* that are assigning value, it is the value to YOU.
As Donn Parker points out, this may be quite different from the the value system of the attackers. You don’t know their values, motivations, tools etc etc etc.

Suppose you value your database at $1M. Suppose from the outside it looks like its only worth $100K. Yes but suppose there are 1,000 hackers trying for it.

This is why the Classical Risk Equation introduces the term ‘Threat’.

What we are doing here is trying to calculate RISK. Valuation of assets is just part of it, not the end objective.

I can give the example of 1,000 hackers after a database but Donn makes it clear that *we don’t know*. It might be that they think the the database is work $10B and presume that it must be so heavily defended its not worth trying. Remember, that they think and what you think aren’t the same.

Sometimes I think that Game Theory is more relevant than Statistics.

Joshua Corman, director of security intelligence at Akamai, argued that while almost every enterprise attempts to develop security metrics for its environment, these approaches are more akin to “numerology” than hard science.

“Collecting data and numbers to try to develop actuarial tables for
security just doesn’t work because the problem space just isn’t like
that,” Corman argued. “Information security is less about actuarial
tables and more about game theory.”

Here are a few more articles on Game Theory:


Note that in the game of FlipIt, the defender doesn’t know that the
attacker has made a move. (see slide #47)

Do note that against many classes of attack in this game, the optimal
defence is to either “Do Nothing” or only “Plan Intermittently”.

Gary often gives an important tip:

Try not to clarify and not lose sight of your goal
otherwise you will find yourself cast adrift a vast
sea of numbers and no idea where you were heading

Indeed! And there are also issues of Governance that amount to Diligence. Even if its futile, its Accepted Industry Practice and in various courts you will need to show diligence.

Enhanced by Zemanta

About the author

Security Evangelist

Leave a Reply