1 comment for “Infosec Risk Management (graphic)

  1. LongTabSigO
    February 26, 2016 at 9:39 am

    I staffed this graphic with my work colleagues in a Cyber Defense unit. Our Tech Director offered this feedback:

    I would argue that the formula can be improved upon in that there is a
    denominator for Impact as well. There are system design aspects that are
    specifically meant to minimize the impact an actor can have assuming they
    managed to break (past) countermeasures. For example, network segmentation,
    encrypting data at rest, IP randomization technology, virtualization, etc.
    Those are not “countermeasures”, they aren’t designed to mitigate specific
    “vulnerabilities”, and they aren’t standard security controls, but they are
    meant to limit “impact”.

    It is one of the fundamental weaknesses in our existing architecture, we
    continue to bolt on “security appliances” to enable near real-time
    countermeasures, but once those countermeasures are defeated, we are soft and
    gooey on the inside. We have not invested in the fundamental architectural
    changes necessary to limit impact. You cannot defend the un-defendable. It
    would be akin to building ships with no watertight integrity and then bolting
    on rubber bumpers in the hope that inbound missiles would merely bounce off
    the ship. However, if one of the bumpers is breached, down goes the ship.

    So I propose:

    {T x V} x I
    R = ——- ——-
    {C – O} x {A – D}

    Where A= Architecture and D + Design Cost

Leave a Reply