Setting the appropriate level of perception and expectations can be a critical element in the success or failure of your network infrastructure hardening efforts. If people do not know what to expect as a result of the security measures you will be implementing, it is a relative certainty that they will not be pleased with the results. To remedy this, set the appropriate level of perception and expectation among your users by doing the following:
Eliminate user fear.
Earn your users' trust.
Communicate with your users.
Find champions.
Setting the expectations of management is another critical element in ensuring the success of your network infrastructure hardening efforts. The reason is simple: if management does not buy in to what you are trying to accomplish, you will not be successful. To set those expectations, you should do the following:
Communicate with management.
Earn the trust of management.
Demonstrate the value proposition.
The most effective method to demonstrate the value of implementing security is to perform a risk analysis. The three goals of risk analysis are:
Identify the threats and risks.
Quantify the impact of the threats.
Define the balance between the cost of the impact of a threat and the cost of the security measure.
You can accomplish these goals through the use of a quantitative or qualitative risk analysis. You should first assign a value to the asset that you will be protecting. Next, you need to estimate the potential loss for each risk and the threats to the assets. This will allow you to determine the overall loss potential for each risk. After that, you need to identify the methods to mitigate each risk and then determine whether the risk should be reduced, assigned, or accepted.