1.3 What Is the Cost of Lax Security Policies?

There are really two costs involved with lax network security: quantitative and qualitative. Quantitative costs, the ones most often discussed, are those that have the most immediate impact on the corporate bottom line, but qualitative costs can be just as important to a company in the long run.

According to The Yankee Group, network attacks accounted for $1.2 billion in lost revenue in 2000. That number doubled in 2001, and is expected to double again in 2002. Lost revenue is an example of a quantifiable cost of a security incident.

There is no universal formula to calculate the quantifiable costs of a network attack. There are, however, some commonalities that you can use to help develop your own internal formulas.

Some of the costs are easy. If you have an e-commerce site that is interrupted by a DDoS, or an attacker manages to gain entrance to one of the servers, forcing you to take your website offline for X number of hours, then one of your quantifiable costs will be the amount of revenue lost during that time. If your site normally generates $100,000 an hour, and it was offline for six hours, then one of your costs was $600,000.

Loss of revenue is not the only quantifiable cost. If it took you six hours to restore the website from backup and rebuild the database, then time becomes a quantifiable cost, as does the time spent researching the incident and reporting it to the proper authorities. There is also the cost involved in implementing a security fix, so a repeat attack cannot happen.

In addition to time, it is necessary to calculate the lost productivity of other groups within your company. If a design team made changes to the site after the last backup, then their changes will all have to be redone; their time is another quantifiable cost.

Qualitative losses are more difficult to measure, but can be just as important, and increase with the severity of an attack.

Using the example of an e-commerce site again, if someone were to force the website offline, in addition to the outlined quantitative costs, there are several qualitative costs. The most obvious is the loss of future customer revenue, and, depending on the severity and length of the attack, the loss of customer confidence.

If a customer cannot get to the site, he or she visits a competitor's site, has a good experience, and not only is the revenue lost, but future revenue may have been lost as that customer may continue to visit the competing site. If the attack is particularly successful, an attacker may gain access to your customer database, which is often enough for the attack to make the news. Now, on top of the potential loss of future revenue, other customers may not feel comfortable returning to the site, and potential customers may never shop at the site. There is also the added, quantifiable expense of hiring a public relations firm to deal with the problem.

A final qualitative cost is the loss, or delay, of future revenue from projects that were put aside because of the time spent dealing with an attack. If six hours is spent restoring a compromised system, that puts at least a six-hour delay on other projects. If the majority of time is spent dealing with security issues, other projects may face an indefinite delay or cancellation. The revenue that would have been gained from those projects is now lost.

1.3.1 The More Severe the Attack, the Greater the Cost

It may seem like an obvious statement, but it is important to remember. The more severe an attack is (the further an attacker is able to penetrate into your network), the greater the cost, both in terms of qualitative and quantitative expenses.

A successful attack against one e-commerce website is relatively trivial, compared to more extensive attacks.

As mentioned earlier, an e-mail worm can paralyze an entire network, to the point of having to shut down e-mail servers and even force a company to disconnect from the Internet. Such an attack can cost a large company several million dollars in lost time and productivity.

Undoubtedly the most expensive attacks against a company are those that compromise data confidentiality and integrity. The compromise of confidential data, such as an e-mail system, corporate intranet, or a customer database can have long-term negative consequences. An attacker who gains access to these tools may not disrupt your network, but will have proprietary information that can be sold to competitors, or used to try to blackmail the company. If this attacker is discovered days, weeks, or even months after he or she has gained this level of access to your network, the cost to track down how the network was breached, and to find all of the security holes, can be extraordinary. Not only will you have to plug the initial security hole, but also each server and network device will need to be thoroughly audited to determine if the intruder left any trapdoors that would allow easy entry back into the network.

Data integrity attacks occur when an attacker gains access to, and modifies, confidential data. Sometimes the modifications are puerile and juvenile, such as defacing a website. Unfortunately, if an attack is targeted specifically to your company, data modifications can be more subtle, and their ramifications greater.

It is almost impossible to calculate the costs of a data integrity breach. Having to audit an entire customer database or verify the validity of confidential customer information can cost millions, not to mention the other costs normally associated with these attacks.

Data confidentiality and integrity attacks bring in the possibility of two new costs associated with security breaches: lawsuits and fines. If confidential information about the customer database or dealings with other companies is leaked, an organization may be open to a lawsuit. Even if it can be demonstrated that reasonable security measures were taken, there are still legal costs associated with the lawsuit, as well as the aforementioned negative publicity and loss of customer confidence.

Depending on the type of data that is breached, a company may also be fined by the government. There are several bills before the United States Congress that would fine companies that do not meet minimum standards for network security. Some of these bills would allow companies to be fined up to $1 million if their networks are successfully breached.

1.3.2 Creating the Formula

Creating a company-specific formula that will help measure the cost of an attack is essential. For an organization to be able to implement a new security policy, it has to be shown that the cost of not implementing it is greater than the cost of implementing it.

Again, it is important to keep in mind this formula should not be created by one person or group. The CIO, working in conjunction with senior managers from all departments, should develop the formula jointly.

The formula will vary depending on the type of attack for which the organization is trying to determine the cost. The best bet is to try to divide attacks into broad categories. In Chapter 2 common attacks will be covered in detail. For now, divide attacks into four categories:

  1. Network attacks: Attacks not directed toward a server, such as DDoS attacks.

  2. Worms: E-mail or web-based programs that travel from computer to computer on your network.

  3. Attacks on peripheral servers: Attacks on servers that do not contain core business data.

  4. Attacks on core servers: Attacks against servers that contain data that is essential to a business.

More categories can be added, or unnecessary categories can be deleted, depending on the needs of a business. (For instance, some organizations may want to add a category that specifically deals with an e-commerce site.) After categories have been created, the next step is to develop a basic cost structure for each category.

DoS attacks are a good example. If you have a firewall, or routing policy, that will block DoS attacks, then your costs would be limited to productivity losses from not being able to connect to the Internet while the attack was ongoing. If a routing policy that will lessen the impact of a DoS attack is not in place, the productivity loss incurred while the network is unavailable may have to be factored in. If a company generates revenue from the website, and it is located in a data center within the facility, then a DoS attack will cause loss of revenue from the website.

For each category created the goal is to develop as many fixed costs as possible. If it is known that it costs the company $100,000 an hour for every hour the website is down, that is a number that can be repeatedly factored into loss equations. If the company loses $90,000 an hour in productivity when the mail server is unavailable, that is also a fixed cost. Often, these numbers will be readily available from the appropriate departments.
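The following is an added illustration of the kind of company-specific formula sections 1.3 and 1.3.2 describe; it is not code from the book. It uses the four attack categories above, reuses the chapter's illustrative per-hour figures ($100,000 per hour of website downtime, $90,000 per hour of mail outage), and treats the staff hourly rate, audit cost per record and public relations retainer as constructed placeholders that a company would replace with numbers from its own departments. Quantifiable components (lost revenue, restore, investigation and rework labor, the fix, and, for confidentiality or integrity breaches, the audit and PR costs) are summed; qualitative costs cannot be priced, so they are listed separately for the decision makers.

```python
"""Incident cost model built from the components the chapter lists.

Added illustration, not code from the book. Category names follow 1.3.2,
the per-hour figures reuse the chapter's own illustrative numbers, and the
labor rate, audit cost per record and PR retainer are constructed
placeholders to be replaced with a company's own figures.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class AttackCategory(Enum):
    """The four broad categories the chapter proposes as a starting point."""
    NETWORK = "network attack, e.g. DDoS"
    WORM = "e-mail or web-based worm"
    PERIPHERAL_SERVER = "attack on a peripheral server"
    CORE_SERVER = "attack on a core server"


# Fixed per-hour costs that departments can supply in advance so they can be
# reused across incidents (figures taken from the chapter's examples).
FIXED_HOURLY_COSTS = {
    "website_revenue": 100_000,   # revenue lost per hour the website is down
    "mail_productivity": 90_000,  # productivity lost per hour mail is down
}


@dataclass
class CostStructure:
    """Company-wide constants (constructed placeholders)."""
    staff_hourly_rate: float = 75.0      # loaded cost of one staff hour
    audit_cost_per_record: float = 2.0   # verifying one customer record
    pr_retainer: float = 50_000.0        # PR firm if the breach makes the news


@dataclass
class Incident:
    """Measured facts about one incident, filled in after the fact."""
    category: AttackCategory
    website_down_hours: float = 0.0
    mail_down_hours: float = 0.0
    restore_hours: float = 0.0         # rebuilding systems from backup
    investigation_hours: float = 0.0   # researching and reporting the incident
    rework_hours: float = 0.0          # other teams redoing changes lost since backup
    fix_cost: float = 0.0              # one-off cost of the fix that prevents a repeat
    data_compromised: bool = False     # confidentiality or integrity breach
    records_to_audit: int = 0


def quantifiable_cost(inc: Incident, cs: CostStructure) -> dict[str, float]:
    """Return each quantifiable cost component plus a 'total' entry."""
    breakdown = {
        "lost_website_revenue": inc.website_down_hours * FIXED_HOURLY_COSTS["website_revenue"],
        "lost_mail_productivity": inc.mail_down_hours * FIXED_HOURLY_COSTS["mail_productivity"],
        "restore_labor": inc.restore_hours * cs.staff_hourly_rate,
        "investigation_labor": inc.investigation_hours * cs.staff_hourly_rate,
        "rework_labor": inc.rework_hours * cs.staff_hourly_rate,
        "security_fix": inc.fix_cost,
    }
    # Confidentiality/integrity breaches add the audit and PR costs the
    # chapter describes on top of any outage costs.
    if inc.data_compromised:
        breakdown["data_audit"] = inc.records_to_audit * cs.audit_cost_per_record
        breakdown["public_relations"] = cs.pr_retainer
    breakdown["total"] = sum(breakdown.values())
    return breakdown


def qualitative_flags(inc: Incident) -> list[str]:
    """Qualitative costs cannot be priced, so list them for the decision makers."""
    flags = []
    if inc.website_down_hours > 0:
        flags.append("loss of future customer revenue and confidence")
    if inc.data_compromised:
        flags.append("negative publicity; exposure to lawsuits and fines")
    if inc.restore_hours + inc.investigation_hours + inc.rework_hours > 0:
        flags.append("delay or cancellation of other projects")
    return flags


if __name__ == "__main__":
    # The chapter's scenario: site offline six hours, six hours to restore.
    outage = Incident(AttackCategory.PERIPHERAL_SERVER,
                      website_down_hours=6, restore_hours=6)
    for name, value in quantifiable_cost(outage, CostStructure()).items():
        print(f"{name:24s} ${value:>12,.0f}")
    print("qualitative:", qualitative_flags(outage))
```

Adding a category, as the chapter suggests for an e-commerce site, means adding an enum member and whatever fixed hourly costs that department can supply; the breakdown then stays comparable across incidents because every entry is built from the same reusable constants.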

The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska