
Security Objectives

When performing security tasks, security professionals try to protect their environments as effectively as possible. These actions can also be described as protecting confidentiality, integrity, and availability (CIA), or maintaining CIA. CIA stands for

  • Confidentiality Ensure that data is not disclosed to unauthorized parties, whether intentionally or unintentionally.

  • Integrity Make sure that no data is modified by unauthorized personnel, that no unauthorized changes are made by authorized personnel, and that the data remains consistent, both internally and externally.

  • Availability Provide reliable and timely access to data and resources.

NOTE

The opposite of CIA is disclosure, alteration, and denial (DAD).


A major security objective is measuring the costs and benefits of security. If you want to measure the cost of securing an entity, whether it is data on networks, data on computers, or other assets of an organization, you need to know something about risk assessment. Generally, the assets of an organization have multiple risks associated with them, such as:

  • Equipment failure

  • Theft

  • Misuse

  • Viruses

  • Bugs

After you have identified the assets at risk as well as the risks themselves, you need to determine the probability of a risk occurring. Although there are numerous threats that could affect an organization, not all of them are likely to occur in your environment. For example, an earthquake is highly possible if you live close to San Francisco but not if you live in New York City. For this reason, a realistic assessment of the risks must be performed. Research must be performed to determine the likelihood of risks occurring to certain resources at specific places. By estimating how many times a risk is expected to occur within a year, you arrive at what is known as the annualized rate of occurrence (ARO). An event expected once every ten years has an ARO of 0.1; one expected twice a year has an ARO of 2.

Once the ARO is calculated for a risk, you can compare it to the monetary loss associated with an asset. This is the value that represents how much money would be lost if the risk occurred once. This loss figure includes the price of the new equipment, the hourly wage of the person replacing the equipment, and the cost of employees unable to perform their work. This value, which provides the total cost of a single occurrence of the risk, is the single loss expectancy (SLE).

To plan for the probable risk, you need to budget for the possibility that the risk will happen. To do this, you use the ARO and the SLE to find the annual loss expectancy (ALE). To illustrate how this works, let's say that a web server is expected to fail, on average, 0.3 times a year (a 30 percent chance in any given year). This would be the ARO of the risk. If the e-commerce site hosted on this server generates $10,000 an hour and the site is estimated to be down two hours while the system is repaired, the cost of this downtime is $20,000. In addition to this cost, there would be the cost of replacing the server itself. If the server costs $6,000, this increases the cost to $26,000. This would be the SLE of the risk. By multiplying the ARO and the SLE, you find how much money needs to be budgeted each year to deal with this risk: 0.3 × $26,000 = $7,800, the ALE. A countermeasure that costs more than the ALE it removes is not worth buying on financial grounds alone.
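To make the ARO/SLE/ALE arithmetic concrete, here is an added Python example; it is not code from the original text. It reproduces the web server figures above and, going slightly beyond the text, applies the same numbers to the cost/benefit question raised earlier by comparing the ALE before and after a countermeasure. The second risk (laptop theft), the hot-spare countermeasure, and its $3,000 annual cost are constructed values for illustration, not figures from the page.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    """One risk against one asset, using the text's terms."""
    name: str
    aro: float               # annualized rate of occurrence: expected events per year
    revenue_per_hour: float  # income lost for each hour the asset is unavailable
    downtime_hours: float    # estimated outage per occurrence
    replacement_cost: float  # new equipment plus the labour to replace it

    def sle(self) -> float:
        """Single loss expectancy: total cost of one occurrence."""
        return self.revenue_per_hour * self.downtime_hours + self.replacement_cost

    def ale(self) -> float:
        """Annual loss expectancy: what to budget per year for this risk."""
        return self.aro * self.sle()


def annual_budget(risks: list[Risk]) -> float:
    """Sum of ALEs across a risk register: the yearly loss to plan for."""
    return sum(r.ale() for r in risks)


def safeguard_value(before: Risk, after: Risk, annual_cost: float) -> float:
    """Net annual benefit of a countermeasure: ALE avoided minus what the
    countermeasure costs per year. Positive means it pays for itself.
    This cost/benefit step extends the text, which states the principle
    but not the formula."""
    return before.ale() - after.ale() - annual_cost


# The page's web server example: 30% chance per year, $10,000/h, 2 h outage, $6,000 server.
WEB_SERVER = Risk("web server failure", aro=0.3, revenue_per_hour=10_000,
                  downtime_hours=2, replacement_cost=6_000)

# Constructed second risk (not from the page): a laptop is stolen about twice a year.
LAPTOP_THEFT = Risk("laptop theft", aro=2.0, revenue_per_hour=0,
                    downtime_hours=0, replacement_cost=1_500)

# Constructed countermeasure (not from the page): a hot spare that cuts the outage
# to 15 minutes but does not change how often the primary fails. $3,000/year assumed.
WEB_SERVER_WITH_SPARE = replace(WEB_SERVER, downtime_hours=0.25)
HOT_SPARE_ANNUAL_COST = 3_000


if __name__ == "__main__":
    for r in (WEB_SERVER, LAPTOP_THEFT):
        print(f"{r.name}: SLE=${r.sle():,.0f}  ARO={r.aro}  ALE=${r.ale():,.0f}")
    print(f"budget for register: ${annual_budget([WEB_SERVER, LAPTOP_THEFT]):,.0f}")
    print(f"hot spare net value: "
          f"${safeguard_value(WEB_SERVER, WEB_SERVER_WITH_SPARE, HOT_SPARE_ANNUAL_COST):,.0f}/year")
```

The ARO is kept as a rate (events per year) rather than a percentage so that risks occurring more than once a year, like the laptop theft entry, use the same formula. Keeping `downtime_hours` separate from `replacement_cost` lets a countermeasure that shortens outages (the hot spare) be modelled without touching the ARO, while one that prevents failures would lower the ARO instead.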
