Cost vs. Benefit of Security Controls

By admin, posted 2024-02-22 00:09:48

Often additional calculations are involved in risk response when a qualitative risk assessment is performed. These relate to the mathematical evaluation of the cost/benefit of a safeguard. For each identified risk in criticality priority order, safeguards are considered in regard to their potential loss reduction and benefit potential. For each asset-threat pairing (i.e., identified risk), an inventory of potential and available safeguards must be made. This may include investigating the marketplace, consulting with experts, and reviewing security frameworks, regulations, and guidelines. Once a list of safeguards is obtained or produced for each risk, those safeguards should be evaluated as to their benefit and their cost relative to the asset-threat pair. This is the cost/benefit evaluation of safeguards.

Safeguards, security controls, and countermeasures will primarily reduce risk through a reduction in the potential rate of compromise (i.e., ARO). However, some safeguards will also reduce the amount or severity of damage (i.e., EF). For those safeguards that only reduce the ARO, the amount of loss of a single realized event (i.e., SLE) is the same with or without the safeguard. But for those safeguards that also reduce the EF, any single realized event will cause less damage than if the safeguard were not present. Either way, a reduction of the ARO and potentially a reduction of the EF will result in a smaller ALE with the safeguard than without. Thus, this potential ALE with the safeguard should be calculated (ALE = AV * EF * ARO). We can then consider the original asset-threat pair risk ALE as ALE1 (or ALE pre-safeguard) and the safeguard-specific ALE as ALE2 (or ALE post-safeguard). An ALE2 should be calculated for each potential safeguard for each asset-threat pair. The best of all possible safeguards would reduce the ARO to 0, although this is extremely unlikely.

Any safeguard that is selected to be deployed will cost the organization something. It might not be purchase cost; it could be costs in terms of productivity loss, retraining, changes in business processes, or other opportunity costs. An estimation of the yearly costs for the safeguard to be present in the organization is needed. This estimation can be called the annual cost of the safeguard (ACS). Several common factors affect ACS:

  • Cost of purchase, development, and licensing
  • Cost of implementation and customization
  • Cost of annual operation, maintenance, administration, and so on
  • Cost of annual repairs and upgrades
  • Productivity improvement or loss
  • Changes to environment
  • Cost of testing and evaluation

The value of the asset to be protected determines the maximum expenditures for protection mechanisms. Security should be cost-effective, and thus it is not prudent to spend more (in terms of cash or resources) protecting an asset than its value to the organization. If the cost of the countermeasure is greater than the value of the asset (i.e., the cost of the risk), that safeguard should not be considered a reasonable option. Also, if the ACS is greater than the ALE1 (i.e., the potential annual loss of an asset due to a threat), then the safeguard is not a cost-effective solution. If no safeguard options are cost-effective, then accepting the risk may be the only remaining option.

Once you know the potential annual cost of a safeguard, you can then evaluate the benefit of that safeguard if applied to an infrastructure. The final computation in this process is the cost/benefit calculation, or cost/benefit analysis. This calculation is used to determine whether a safeguard actually improves security without costing too much. To determine whether the safeguard is financially equitable, use the following formula:

[ALE pre-safeguard – ALE post-safeguard] – annual cost of safeguard (ACS) = value of the safeguard to the company

If the result is negative, the safeguard is not a financially responsible choice. If the result is positive, that value is the annual savings your organization may reap by deploying the safeguard; it is only a potential saving because the rate of occurrence is an expectation, not a guarantee that the event will occur. If multiple safeguards seem to have a positive cost/benefit result, then the safeguard with the largest benefit is the most cost-effective option.

The annual savings or loss from a safeguard should not be the only consideration when evaluating safeguards. You should also consider the issues of legal responsibility and prudent due care/due diligence. In some cases, it makes more sense to lose money in the deployment of a safeguard than to risk legal liability in the event of an asset disclosure or loss.

In review, to perform the cost/benefit analysis of a safeguard, you must calculate the following three elements:

  • The pre-safeguard ALE for an asset-threat pairing
  • The potential post-safeguard ALE for an asset-threat pairing
  • The ACS (annual cost of the safeguard)

With those elements, you can finally obtain a value for the cost/benefit formula for this specific safeguard against a specific risk against a specific asset:

(pre-safeguard ALE – post-safeguard ALE) – ACS

or, even more simply:

(ALE1 – ALE2) – ACS

The countermeasure with the greatest resulting value from this cost/benefit formula makes the most economic sense to deploy against the specific asset-threat pairing.

It is important to realize that with all the calculations used in the quantitative risk assessment process (Table 2.2), the end values are used for prioritization and selection. The values themselves do not truly reflect real-world loss or costs due to security breaches. This should be obvious because of the level of guesswork, statistical analysis, and probability predictions required in the process.

Once you have calculated a cost/benefit for each safeguard for each asset-threat pair, you must then sort these values. In most cases, the cost/benefit with the highest value is the best safeguard to implement for that specific risk against a specific asset. But as with all things in the real world, this is only one part of the decision-making process. Although very important and often the primary guiding factor, it is not the sole element of data. Other items include actual cost, security budget, compatibility with existing systems, skill/knowledge base of IT staff, and availability of product as well as political issues, partnerships, market trends, fads, marketing, contracts, and favoritism. As part of senior management or even the IT staff, it is your responsibility to either obtain or use all available data and information to make the best security decision for your organization. For further discussion of safeguard, security control, and countermeasure selection issues, see the “Countermeasure Selection and Implementation” section, later in this chapter.
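The whole procedure above carried through in code, as an added example that is not part of the original page or the CISSP material it quotes: one asset-threat pair with constructed AV, EF and ARO values, four hypothetical safeguards, the two screening rules the text gives (ACS above the asset value, ACS above ALE1), and the (ALE1 – ALE2) – ACS ranking. The safeguard names, figures and function names are all assumptions made for the example.

```python
from dataclasses import dataclass

def ale(av, ef, aro):
    """Annualized loss expectancy: ALE = AV * EF * ARO."""
    return av * ef * aro

@dataclass
class Safeguard:
    name: str         # hypothetical label, constructed for this example
    ef_after: float   # EF with the safeguard in place (unchanged if it only cuts ARO)
    aro_after: float  # ARO with the safeguard in place
    acs: float        # annual cost of the safeguard

def safeguard_value(av, ef, aro, sg):
    """(ALE1 - ALE2) - ACS: annual value of one safeguard for one asset-threat pair."""
    ale1 = ale(av, ef, aro)                      # ALE pre-safeguard
    ale2 = ale(av, sg.ef_after, sg.aro_after)    # ALE post-safeguard
    return round((ale1 - ale2) - sg.acs, 2)

def evaluate(av, ef, aro, safeguards):
    """Screen each candidate with the page's rules, then rank survivors by value.
    Returns (ranked [(name, value)] best first, {name: rejection reason})."""
    ale1 = ale(av, ef, aro)
    ranked, rejected = [], {}
    for sg in safeguards:
        if sg.acs > av:
            rejected[sg.name] = "costs more than the asset is worth"
        elif sg.acs > ale1:
            rejected[sg.name] = "ACS exceeds ALE1, not cost-effective"
        else:
            value = safeguard_value(av, ef, aro, sg)
            if value < 0:
                rejected[sg.name] = "negative cost/benefit result"
            else:
                ranked.append((sg.name, value))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked, rejected

def demo():
    # Constructed asset-threat pair: AV = 200,000; a realized event destroys
    # half the value (EF = 0.5) and is expected once every five years (ARO = 0.2).
    av, ef, aro = 200_000, 0.5, 0.2              # ALE1 = 20,000
    candidates = [
        Safeguard("offline backups", 0.1, 0.2, 4_000),     # cuts EF only
        Safeguard("patch management", 0.5, 0.05, 5_000),   # cuts ARO only
        Safeguard("awareness training", 0.5, 0.15, 6_000), # positive ALE drop, negative value
        Safeguard("premium appliance", 0.0, 0.0, 25_000),  # ACS > ALE1, screened out
    ]
    return evaluate(av, ef, aro, candidates)
```

Calling `demo()` ranks offline backups (12,000 per year) ahead of patch management (10,000), and rejects awareness training (a negative result) and the appliance (its ACS exceeds ALE1 even though it drives ALE2 to zero).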

Yikes, So Much Math!

Yes, quantitative risk analysis involves a lot of math. Math questions on the CISSP exam are likely to involve basic multiplication. Most likely, you will be asked definition, application, and concept synthesis questions on the exam. This means you need to know the definition of the equations/formulas and values (Table 2.2), what they mean, why they are important, and how they are used to benefit an organization.

Most organizations have a limited and all-too-finite budget to work with. Thus, obtaining the best security for the cost is an essential part of security management. To effectively manage the security function, you must assess the budget, the benefit and performance metrics, and the necessary resources of each security control. Only after a thorough evaluation can you determine which controls are essential and beneficial not only to security, but also to your bottom line. Generally, it is not an acceptable excuse that the reason the organization did not protect against an unacceptable threat or risk was solely because of a lack of funds. The entirety of safeguard selections needs to be considered in relation to the current budget. Compromise or adjustments of priorities may be necessary in order to reduce overall risk to an acceptable level with available resources. Keep in mind that organizational security should be based on a business case, be legally justifiable, and be reasonably in line with security frameworks, regulations, and best practices.

Originally published on the WeChat public account 网络安全等保测评: Cost vs. Benefit of Security Controls

Reposts should retain the link to this article (CN-SEC中文网; thanks to the original author for their work): http://cn-sec.com/archives/2123110.html