Saturday, November 24, 2007

5 axioms of Information Security

1. Threats will always follow the path of least resistance.
2. Security is only as strong as the weakest link.
3. As a general rule, attackers are lazy.
4. Reasonable effort will deter 95% of all external attacks.
5. Once you are perceived as a “trophy”, items 1–4 no longer apply.

The term “trophy” is used as a euphemism to indicate that the organization is now perceived as a desirable target by the elite and most resourceful of attackers. History suggests that it does not take much to call attention to an organization and put it on an attacker’s ‘radar’. A press release or a new deal that gets a lot of attention in the press are all possible stimuli for an attacker to begin poking and prodding around an organization’s internet exposure. The motivations of these attackers are outside the scope of this document, but needless to say money, prestige and recognition among their peers are at the top of the list.

Every organization is required to adapt to changes within its respective risk/threat climate. It is also clear that every organization has a risk threshold: the level of tolerable risk at which threats are consistent with client expectations and business objectives.

As a proactive step towards addressing these concerns, your organization needs to take the time to both understand and document the current level of acceptable risk. Only when the current level of acceptable risk is known and communicated throughout the organization can risk mitigation measures be formalized and effectively implemented.

The 5 axioms of Information Security clearly indicate that the risk/threat climate for any organization can change very quickly (even overnight) and, if not prepared, an otherwise successful organization can be blind-sided by these changes.

It is imperative that the organization’s risk threshold be prepared for these events.

The importance of forethought and planning in terms of risk exposure cannot be overemphasized.