Week 7: Leveraging Users to Assess Risks


As much as we would like to be able to defend every part of our information systems environment to the utmost, at the end of the day organizations have limited resources and we need to prioritize our efforts. An important part of risk prioritization is determining the value of our various assets, so we can put a dollar figure on the threat posed by a given risk. As Whitman and Mattord discuss, we could use our sunk costs to determine the value of a given IT asset or determine the potential cost of replacement of the asset—but it is better if we can determine how much value the asset is adding for the organization and use that in our cost-benefit analysis.

Unfortunately, as IT professionals we know a lot about the costs to create or maintain a given asset or system but are not well-positioned to know how useful the system is at the end of the day. However, our users are much better positioned to know the value of a given asset—and we can leverage them to get that information. This could take the form of using formal organizational processes to generate a dollar figure to justify risk mitigation measures or defending the asset. On the other hand, if we are considering divesting an asset to terminate the risks it poses we could just as easily ask our users directly whether they depend on the asset—and in some organizations, that could turn into a request for the budget to replace or defend the asset.

When IT professionals build better relationships with our users, we not only benefit them by making ourselves more approachable and educating them, we can also benefit ourselves by better understanding how they use the assets we build, maintain, and defend.

Comments

Post a Comment

Popular posts from this blog

Week 1: What is User-Centered Security?

Information technology professionals are familiar with the cycle: we implement strong security measures, but then receive negative feedback from users due to decreased functionality, additional "hoops" they are required to jump through, et cetera. Sometimes users even use work-arounds which can not only circumvent the new security measure but invalidate other aspects of the system's security. As an example for how well-intentioned security measures can backfire, consider the strong password policies that were the industry standard a few years ago. The requirements for high minimum character count, complexity via required character combinations, and regular changes drove many users to circumvent the password-based security entirely by writing their passwords down either physically or in text files. As a result, current NIST guidance recognizes this vulnerability and no longer recommends evaluating password complexity beyond comparing the user's chosen password again...
Read more

Week 9: Selling Security Education, Training and Awareness Programs to Users

I’ve frequently heard users complain to one another about the relevance, timeliness, or applicability of the training they just completed while on a break after a mandatory organizational SETA session. As cybersecurity professionals, we understand that SETA programs are a vital part of an organization’s information security posture. Verizon’s survey of databreaches shows that years of SETA programs are having an effect, helping make users more resistant to the temptation to click malicious links and more likely to report them during security audits. However, these connections are not as obvious to our users, who see SETA content as competing with work activities more tied to their core business functions. There are a few tricks I’ve found to help users take SETA training more seriously. First, by tying information security to the core organizational mission. If you can demonstrate to your users that the impact of the time spent learning about information security benefits the ...
Read more