Ian D. McKinnon (2008) Tigger team -- a novel methodology to manage business risk.
Full text access: Open
Security is hard. Security is expensive. Security negatively impacts business function. All of these are bad, but far worse is the difficulty of measuring the effectiveness of security. IT security over the last decade has become increasingly visible and important to a broad range of businesses. At the beginning of this period the response to IT risk was predominantly focused on technical prevention. Gradually this has evolved into a more business-oriented approach to risk management. This change has come about largely because of the perception that the technical approach to security provided too narrow a view of risk, failed to engage effectively with business and was failing to deliver benefit. This paper explores a number of the fundamental difficulties that hamper the delivery of effective IT security. It also examines some of the difficulties created because of the conflict between the goals of security and those of business. This paper describes a methodology that attempts to minimise the impact of a number of these difficulties. The primary goal of this methodology is to provide business with clear justification to support IT security activities and to demonstrate an adequate return on investment. The methodology proposes the development of offensive and defensive capabilities within an organisation, in order to identify and manage both contextualised business risk and generic technical risk. The defensive capabilities act as both a control and a deterrent, but most importantly they provide concrete evidence of loss, which can be used to justify future activities. The offensive capabilities allow the business to refine an understanding of their specific risk, rather than generic risk. In addition they also allow realistic testing of the defensive capabilities through simulated attacks. The methodology is cyclic and as it progresses the understanding and management of risks specific to the business should evolve. This will allow security to address increasingly remote and esoteric risks, until it is no longer possible to economically justify deploying mitigation. When this stage is reached the risks will be sufficiently small to fall within the business's risk appetite. The monitoring process should identify exploitation of these risks but no controls would be deployed because they would be uneconomic.
This is a Published version. This version's date is: 15/01/2008. This item is peer reviewed.
https://repository.royalholloway.ac.uk/items/37386303-a2b7-b9f9-4116-ad17fd898365/1/
Deposited by () on 28-Jun-2010 in Royal Holloway Research Online. Last modified on 15-Dec-2010.