In light of the recent Epsilon data breach, it seems appropriate to chat briefly about the realities of balancing information risk. First and foremost, we need to make sure that we understand this thing called “risk.” In our context, risk is defined as “the probable frequency and probable magnitude of future loss” (Jack Jones’ FAIR definition). Put into practical terms, risk is how often we can expect a negative event to happen and how much it will cost us when it does. We then balance that against the cost of defending against various scenarios (i.e., trying to reduce or transfer that risk), with the goal of optimizing cost vs. benefit. Let’s look at a couple of practical examples.

Changing Deadbolts

I’ve been having trouble using the key to my front door deadbolt. I don’t know if the lock has been bumped in the past or if it’s just wearing out, but the key simply hasn’t been working very well. As such, I decided this week that it was time to replace the locks. Since I’m a security professional with some exposure to lock-picking pros, I thought I’d ask around and see what would be recommended.

In looking at locks, it became clear that, with one exception, all the ANSI Grade 1 residential deadbolts at Lowe’s were approximately the same cost. The next question then became: how much is it worth spending on these new locks? Should I be investing in the most expensive locks? I asked around the office and was given some very good advice. Here are two of the questions posed:

  1. Do I have ground-floor windows? If so, then a determined attacker is going to get into the house with relative ease, so investing in an expensive lock is unlikely to matter much.
  2. Do any of the locks use double-sided keys? That is, does the key have teeth on both sides? In looking at the locks, they all used single-sided keys. Thus, they’re all potentially bumpable.

Conclusion: there was not necessarily an appreciable difference in pickability. All of the ANSI Grade 1 residential locks seemed to have the same basic features, all claimed to be “bump resistant,” and all of them used single-sided keys. Moreover, since there are ground-floor windows that are readily accessible (or kickable), the law of diminishing returns kicks in pretty quickly. According to the hardware attendant at Lowe’s, the locks were ordered on the shelves from most to least “secure” (meaning, hardest to easiest to defeat). Only the high-end locks were more expensive, with parity among the others. As such, I chose the most “secure” lock in the common price range.
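To make the FAIR definition from the opening paragraph and the deadbolt conclusion concrete, here is a small added example (my own code, not from the original post) that scores each lock option as loss event frequency (threat event frequency times vulnerability) multiplied by loss magnitude, then subtracts the lock’s amortised annual cost. The attack model assumes a burglar works the lock first and, if it holds, may pivot to a ground-floor window, a path no deadbolt changes. Every number (attempt rate, loss per break-in, per-lock defeat probabilities, prices, service life, window and pivot probabilities) is a constructed assumption chosen for illustration; the post gives no figures.

```python
"""FAIR-style comparison of deadbolt options.

Added example, not from the original post. Every number below is a constructed
assumption chosen to illustrate the reasoning; the post gives no figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LockOption:
    name: str
    purchase_cost: float        # one-time cost in dollars (assumed)
    service_life_years: float   # years over which the cost is amortised (assumed)
    lock_vulnerability: float   # P(attacker defeats the lock | they attack it), assumed

    @property
    def annual_cost(self) -> float:
        return self.purchase_cost / self.service_life_years


@dataclass(frozen=True)
class BurglaryScenario:
    threat_event_frequency: float  # FAIR TEF: break-in attempts per year (assumed)
    loss_magnitude: float          # dollars lost per successful break-in (assumed)
    window_vulnerability: float    # P(entry succeeds | attacker tries a window), assumed
    pivot_probability: float       # P(attacker moves to a window | the lock holds), assumed


def overall_vulnerability(scenario: BurglaryScenario, lock: LockOption) -> float:
    """FAIR 'Vulnerability': P(an attempt succeeds).

    The attacker works the lock first; if it holds, they may pivot to a
    ground-floor window, a path no deadbolt affects.
    """
    v_lock = lock.lock_vulnerability
    v_via_window = scenario.pivot_probability * scenario.window_vulnerability
    return v_lock + (1.0 - v_lock) * v_via_window


def annualized_loss(scenario: BurglaryScenario, lock: LockOption) -> float:
    """Loss event frequency (TEF x Vulnerability) times loss magnitude."""
    lef = scenario.threat_event_frequency * overall_vulnerability(scenario, lock)
    return lef * scenario.loss_magnitude


def net_benefit(scenario: BurglaryScenario, current: LockOption, option: LockOption) -> float:
    """Annual risk reduction from swapping `current` for `option`, minus the
    extra annual cost. Negative means the upgrade is not worth buying."""
    reduction = annualized_loss(scenario, current) - annualized_loss(scenario, option)
    extra_cost = option.annual_cost - current.annual_cost
    return reduction - extra_cost


def best_option(scenario: BurglaryScenario, current: LockOption, options):
    """The option with the highest net benefit relative to what is installed now."""
    return max(options, key=lambda o: net_benefit(scenario, current, o))


# Constructed options: the worn lock already installed, a common-price ANSI
# Grade 1 deadbolt, and a high-end lock that is much harder to pick or bump.
WORN = LockOption("worn existing deadbolt", 0.0, 10.0, 0.50)
GRADE1 = LockOption("ANSI Grade 1 deadbolt, common price", 40.0, 10.0, 0.25)
HIGH_SECURITY = LockOption("high-end deadbolt", 300.0, 10.0, 0.05)

# Constructed houses: one with kickable ground-floor windows, one without.
WITH_WINDOWS = BurglaryScenario(0.05, 5000.0, window_vulnerability=0.9, pivot_probability=0.8)
NO_WINDOWS = BurglaryScenario(0.05, 5000.0, window_vulnerability=0.0, pivot_probability=0.8)


if __name__ == "__main__":
    for label, scenario in (("ground-floor windows", WITH_WINDOWS),
                            ("no ground-floor windows", NO_WINDOWS)):
        print(f"--- {label} ---")
        for lock in (WORN, GRADE1, HIGH_SECURITY):
            print(f"{lock.name:38s} ALE ${annualized_loss(scenario, lock):7.2f}"
                  f"  net benefit vs worn ${net_benefit(scenario, WORN, lock):7.2f}")
        print("best buy:", best_option(scenario, WORN, [GRADE1, HIGH_SECURITY]).name)
```

With these assumed inputs the house with ground-floor windows gets most of its expected loss through the window path, so the common-price Grade 1 lock has the better net benefit and the step up to the high-end lock costs more per year than it removes in expected loss. Remove the window path (bars, no ground-floor windows) and the same arithmetic favours the expensive lock. The point is the shape of the comparison, not the specific dollar figures, which should be replaced with your own estimates.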

The Epsilon Data Breach

The big story of the week has been the data breach at Epsilon, which has impacted dozens of their customers and exposed thousands, if not millions, of email addresses. It’s unclear exactly what was compromised (email address plus…? names? correlation to the branded customer? other?). There’s been a lot of hype in the news about the breach, but in the end the overall change in the risk landscape seems marginal. Are you more likely as a result of the breach to receive spam or phishing emails? Maybe, though statistically the change will likely be negligible. Are you more likely as a result of the breach to be the target of a spearphishing attack? In this case, the answer may be “yes,” though, again, we don’t really have enough details to be certain. More likely is the scenario that spam and phishing emails will pose as coming from one of the victim clients of Epsilon. However, these companies are already being impersonated in this manner.

We’ve also heard some interesting chatter from talking-head security people damning the world for things like using a single email address across multiple services. In this case, it’s quite unclear what their point is, since the entire database was presumably compromised. On the one hand, I suppose it implies that you can more easily detect an attack if an email address used for one vendor receives a spam/phishing email purporting to be from a different vendor. However, at some point the additional complexity incurred by managing all these various email addresses grossly outweighs the benefit (that is, having multiple email addresses does not seem to measurably increase or decrease the likelihood of a negative event impacting your life).
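For the record, the detection the talking heads have in mind is cheap to state in code. The following is an added example (mine, not from the original post) of the “one alias per vendor” check: each plus-addressed alias is recorded against the vendor it was handed to, and inbound mail is flagged when the From: domain does not match the vendor that owns the alias. The alias table, vendor domains and message headers are all constructed for the example.

```python
"""Vendor-specific alias check for inbound mail.

Added example, not from the original post. The aliases, vendor domains and
messages are constructed; a real deployment would read them from the mailbox.
"""
from email.utils import parseaddr
from typing import Optional

# Constructed: each plus-addressed alias was handed to exactly one vendor,
# recorded as the domain that vendor legitimately sends from.
ALIAS_TO_VENDOR_DOMAIN = {
    "me+acmebank@example.com": "acmebank.example",
    "me+shopco@example.com": "shopco.example",
}


def alias_vendor(to_header: str) -> Optional[str]:
    """Vendor domain the recipient alias was given to, or None for untagged mail."""
    _, addr = parseaddr(to_header)
    return ALIAS_TO_VENDOR_DOMAIN.get(addr.lower())


def sender_domain(from_header: str) -> str:
    """Domain of the From: address. The display name is ignored: it is
    attacker-controlled and is the usual place a phish puts the brand name."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_vendor_mismatch(msg: dict) -> bool:
    """True when mail arrives on a tagged alias but claims a different vendor."""
    vendor = alias_vendor(msg["to"])
    if vendor is None:
        return False  # untagged address, nothing to compare against
    return sender_domain(msg["from"]) != vendor


def flag_suspicious(messages) -> list:
    """Subjects of the messages that fail the alias/vendor check."""
    return [m["subject"] for m in messages if is_vendor_mismatch(m)]


# Constructed sample messages (headers only).
SAMPLE_MESSAGES = [
    {"from": "Acme Bank <alerts@acmebank.example>",
     "to": "me+acmebank@example.com",
     "subject": "Your March statement is ready"},        # legitimate
    {"from": "Acme Bank Security <alerts@acmebank.example>",
     "to": "me+shopco@example.com",
     "subject": "Verify your account"},                  # Acme never got this alias
    {"from": "ShopCo <noreply@shopco-rewards.example>",
     "to": "me+shopco@example.com",
     "subject": "Claim your reward"},                    # lookalike sending domain
    {"from": "A Friend <friend@example.org>",
     "to": "me@example.com",
     "subject": "Lunch?"},                               # untagged, not checked
]

if __name__ == "__main__":
    for subject in flag_suspicious(SAMPLE_MESSAGES):
        print("suspicious:", subject)
```

Two caveats follow directly from the post’s argument. First, the check only trusts the From: domain as far as your mail provider’s SPF/DKIM/DMARC enforcement does; a spoofed header passes it. Second, if the breached database held the alias alongside the vendor, the attacker already knows which alias to use for which brand, and the mismatch never fires. That is exactly why the marginal value of the scheme is hard to justify against the overhead of managing dozens of addresses.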


In both of these examples, one may initially think that maximum effort should be deployed to reduce “risk.” However, in both cases, a bit of simple risk analysis shows that the actual reduction in estimated risk from a specific control (e.g., a pricier deadbolt, email address diversity) is marginal. We should practice this type of analysis whenever we consider “security” decisions, as we may be surprised by the results. It should become a hallmark of enterprise security programs, especially when large-scale projects like DLP, GRC, or cloud computing are being considered.
