If you’re a gamer you surely recall Sony’s huge network security breach in April of this year. As many as 77 million registered Sony PlayStation Network users fell victim to compromised account details, logins and online IDs.
According to PCWorld, Sony announced that user information including name, address, country, e-mail address, birth date, PlayStation Network/Qriocity password and login, handle/PSN online ID, PSN purchase history, billing address, password security answers, and possibly even credit card information was stolen.
Talk about a PR nightmare!
To prevent a breach of your own system, the Wall Street Journal has worked out the following four-step approach:
Step 1. Estimate the potential loss from a security breach for each of the company’s various sets of information. For starters, it’s useful to simply categorize information sets as having either Low Value, Medium Value or High Value.
Step 2. For each set of information, estimate the likelihood that it will be stolen, by examining the probability of an attempt to steal the information and the vulnerability of the information to attack. Again, broad categories are useful: Designate each set of information as either Low Threat/Vulnerability, Medium Threat/Vulnerability or High Threat/Vulnerability.
To combine the two factors, assign each a numerical rating—say, on a scale from 1 to 10—and multiply the two numbers by each other.
Using that scale, you might consider any combined ranking below 30 to be Low Threat/Vulnerability, and any ranking above 70 to be High Threat/Vulnerability; different people will draw those lines in different places.
A key point: Information that is highly vulnerable to attack but unlikely to interest a hacker (think of a banged-up old subcompact parked with the keys in the ignition, in a high-crime neighborhood), or that is very attractive to a thief but is very well protected (a brand-new luxury car on the White House grounds), would fall into the Low Threat/Vulnerability category.
Step 3. Create a grid with all the possible combinations of the first two steps, from Low Value, Low Threat/Vulnerability up to High Value, High Threat/Vulnerability. Then plot each set of information on the grid. This gives a clear view of where the greatest potential losses lie—not just in terms of the cost of a breach, but also in terms of its likelihood.
Step 4. Focus spending where it can reap the largest net benefits—where a given amount of money will produce the biggest reduction in potential loss.
Security investments should continue to be made as long as the incremental benefits are greater than the incremental costs—which usually stops being the case where the costs are roughly one-third of the total expected loss from a security breach.
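The four steps above are a small risk-matrix calculation, so here is the whole procedure as a worked example. This is added code, not from the Wall Street Journal or the original post. The 1..10 scales, the multiply-the-ratings rule, the "below 30 / above 70" cut-offs and the one-third-of-expected-loss rule of thumb come from the text; the `InfoSet` fields, the `expected_loss` figures, the priority ordering (value rank plus threat band rank, ties broken by the raw product) and the sample inventory are assumptions I constructed for illustration.

```python
"""Risk grid for the four-step approach (added example, not the page's code)."""
from dataclasses import dataclass

LOW, MEDIUM, HIGH = "Low", "Medium", "High"
RANK = {LOW: 0, MEDIUM: 1, HIGH: 2}


@dataclass(frozen=True)
class InfoSet:
    name: str
    value: str            # Step 1 category: Low / Medium / High value
    threat: int           # Step 2: likelihood of an attempt, rated 1..10
    vulnerability: int    # Step 2: exposure of the data to attack, rated 1..10
    expected_loss: float  # assumed monetary loss if breached, used in Step 4


def combined_rating(threat: int, vulnerability: int) -> int:
    """Step 2: multiply the two 1..10 ratings; the product lies in 1..100."""
    for r in (threat, vulnerability):
        if not 1 <= r <= 10:
            raise ValueError("ratings must be on a 1..10 scale")
    return threat * vulnerability


def threat_band(rating: int) -> str:
    """Cut-offs suggested on the page: below 30 Low, above 70 High, else Medium."""
    if rating < 30:
        return LOW
    if rating > 70:
        return HIGH
    return MEDIUM


def build_grid(info_sets):
    """Step 3: the 3x3 grid keyed by (value band, threat/vulnerability band)."""
    grid = {(v, t): [] for v in (LOW, MEDIUM, HIGH) for t in (LOW, MEDIUM, HIGH)}
    for s in info_sets:
        band = threat_band(combined_rating(s.threat, s.vulnerability))
        grid[(s.value, band)].append(s.name)
    return grid


def prioritize(info_sets):
    """Order information sets for Step 4, highest value-and-likelihood first.
    Assumption: cells rank by value rank + band rank, ties by the raw product."""
    def key(s):
        rating = combined_rating(s.threat, s.vulnerability)
        return (RANK[s.value] + RANK[threat_band(rating)], rating)
    return [s.name for s in sorted(info_sets, key=key, reverse=True)]


def spending_ceiling(expected_loss: float) -> float:
    """Step 4 rule of thumb from the page: incremental benefit usually stops
    exceeding incremental cost once spending reaches about one-third of the
    expected loss, so treat that as the ceiling for one information set."""
    return expected_loss / 3


def worth_funding(incremental_cost: float, incremental_benefit: float) -> bool:
    """Step 4 decision: keep investing while the marginal benefit beats the cost."""
    return incremental_benefit > incremental_cost


# Constructed sample inventory (not real figures). The last two entries are the
# page's analogies: exposed-but-unattractive data, and attractive-but-well-protected data.
SAMPLE = [
    InfoSet("Customer accounts and card data", HIGH, 9, 9, 3_000_000),
    InfoSet("Employee directory", MEDIUM, 6, 7, 120_000),
    InfoSet("Public press releases (exposed, unattractive)", LOW, 2, 10, 3_000),
    InfoSet("Signing keys in an HSM (attractive, well protected)", HIGH, 10, 1, 900_000),
]

if __name__ == "__main__":
    for cell, names in build_grid(SAMPLE).items():
        if names:
            print(f"{cell[0]} value / {cell[1]} threat: {', '.join(names)}")
    print("Priority:", prioritize(SAMPLE))
    for s in SAMPLE:
        print(f"{s.name}: spend up to about {spending_ceiling(s.expected_loss):,.0f}")
```

Note how the two analogies land: the press releases score 2 × 10 = 20 and the well-protected keys 10 × 1 = 10, so both fall in the Low Threat/Vulnerability band even though one is wide open and the other is highly attractive, which is exactly the "key point" the text makes. The card data at 9 × 9 = 81 sits in the High Value / High Threat cell and comes first in the priority list.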