Information Security Research Library

In the information security world we face two major types of threats: "noisy" threats which directly interfere with our ability to do business and "quiet" threats which cause real damage, but don't necessarily prevent people from doing their jobs. Noisy threats such as viruses, worms, and spam; attack both networks and systems, and clearly disrupt productivity and business operations. With highly visible (and often very annoying) attacks, it's easy to justify investments to curb their impact. Quiet threats, such as data theft, are far more insidious-- they can go undetected for years. When they are eventually discovered, you may not be able to calculate the material damage the breach has caused.

We need to acknowledge that threats have changed, from noisy to quiet, from the edge of the organisation to the center. We also need to understand that attackers' motivations have changed-- web site defacement isn't the goal; fraud and data theft are. Denial of Service, worms, viruses, and spam are still issues; but these noisy threats are more important as vectors for data theft rather than end goals. This isn't about lost productivity or minor embarrassment, but very real risks to the functioning of the business. The question becomes: How can you assess the risks and adjust spending to focus on the primary threats to the business?

This report focuses on the business side of data security as we build a justification model to help you determine where, and how much, to invest in protecting your information assets. We'll start this report by reviewing why some common approaches fail, discussing their weaknesses, and highlighting common pitfalls to avoid. We then proceed to discuss how to measure the value of information, estimate potential losses from breaches, and gauge the associated risks that cause that loss. Read this report to learn how to implement a model that works for your organisation.