Securing a Security Budget: Probable Threats vs. Describable Threats

Oct. 27, 2008

One of the greatest challenges for any security professional is to convince management to provide an adequate budget to protect corporate assets. One of the more recent trends in the industry is to provide management with a calculated return on security investment based on various formulas that are currently being circulated. Proponents of this concept feel that security threats and risks can be quantified, allowing security professionals to provide hard figures to justify security expenditures. Naysayers feel there are too many variables present that prevent the ability to accurately quantify risks and threats.

Although some formulas can be helpful in showing how security investments may impact the bottom line, there are other methods that can be beneficial as well. One method that can prove helpful is to focus on the probable threats to a business instead of the describable threats. Attending a security conference of any size would frighten any executive management team. Presentations are provided on all possible threats and risks to businesses in every industry. From the material provided, it would appear that all is lost-businesses are under attack constantly and from all directions. From a management perspective, the threats are overwhelming and confusing.

Instead of describing all possible threats to a business, it is prudent to present the probable or most likely threats to a particular business or industry. If a management team is approached in this manner, they are more likely to free up resources for security implementations, since they can see they are protecting themselves from specific threats.

The Disney Probable Threat Model
One good example for dealing with a probable threat is the preparation of a business or community that lies in the direct path of a hurricane. Unlike a tornado, a hurricane's path can be determined with a fair amount of certainty, allowing ample time to prepare for the storm. I had the unique opportunity of watching preparations for Hurricane Charley while vacationing in Florida this past August. Although I would not recommend placing your family in the path of a hurricane as part of your vacation plans, it is an experience that is not easily forgotten. I had taken my family to Orlando for what my children determined was a long-overdue trip to the Disney theme parks. On Thursday, August 12, it was apparent that Hurricane Charley was going to hit the southwest Florida coast the next day. I began wondering whether the hurricane would threaten my family. It initially appeared that the hurricane would hit Tampa and proceed northeast, missing Orlando. However, upon waking on Friday, we saw a report that the hurricane would in fact make landfall near Punta Gorda, about 100 miles south of Tampa. With its northeasterly route, it looked as if we were directly in the path of a powerful hurricane. The management at Disney thought that the threat was so probable that they opened only three of their four parks that day, and closed them all at 1:00 pm. When we arrived at Epcot Center, preparations were underway for the impending storm. The vendor carts were not in use and were being secured in place using strong straps that were bolted to the concrete. Chairs and other furniture were being stacked and secured. Many cloth awnings were being removed. There was a great deal of activity, little of which had to do with the guests' entertainment. By the time we left for the day, the ticket booths were wrapped with plastic to protect the windows.

We went back to our Disney resort hotel room to see what would happen next. We watched the news and could see the progress of the storm as it moved closer to Orlando. The weatherman was predicting when the storm was going to reach particular communities. The storm hit Orlando at approximately 9:00 pm. As it moved close to the hotel, we moved away from the windows and spent about 30 minutes in the bathroom. We survived the hurricane, but what about Disney? Saturday morning three of the four parks announced they would be open all day. We headed back to Epcot Center, where it was business as usual. There were only a few signs that a hurricane had passed through; the monorail was not running, and a handful of trees had been uprooted. But the vendor carts were in use, the ticket booths were in use with no damaged glass. Did Disney management make the right decisions regarding the hurricane? Absolutely. Why? Because they focused their energies on protecting their facilities, their employees and their guests from a probable threat.

Local Threat Tracking Resources
A hurricane is a clear example, but what about other, less obvious threats? Can they be tracked in a similar fashion? Absolutely. Current trends and threats are tracked, monitored and reported by numerous groups and organizations. Local groups can often be the best source of information because they can address the most immediate concerns.

In the Kansas City metropolitan area there is a group called ASAP, the Association of Security and Police, which meets monthly to discuss current crime and security problems that local law enforcement and private security professionals are encountering. For example, if vehicle break- ins are on the rise in a particular part of town, businesses in that area of town can direct additional resources at protecting company parking lots. They can dedicate these resources because they are aware of probable threats in their area. Other information that is passed along includes descriptions of individuals that are wanted by the police for various crimes. All of the information that is shared by this organization allows security professionals to be aware of the most current threats in the metropolitan area.

A security director can present this information to management when requesting resources for the security department, and management is more likely to listen because the threats are credible and identifiable. Approaching management with a generic list of threats is counterproductive, and can make any security professional appear to have a Chicken Little approach to security. Yes, there are numerous threats to any business, but practical businesspeople will only release funds for security if they recognize that the expenditure will directly and immediately protect the business from a loss.

InfraGard
Local organizations are helpful in disseminating information regarding local threats, but where can security professionals learn of national and international threats? One valuable source is the FBI-sponsored InfraGard organization, which began in 1996 to facilitate local and national information sharing. According to the InfraGard Web site, its objectives are as follows.

  • Increase the level of information and reporting between InfraGard members and the FBI on matters related to counterterrorism, cyber crime and other major crime programs.
  • Increase interaction and information sharing among InfraGard members and the FBI regarding threats to critical infrastructures, vulnerabilities, and interdependencies.
  • Provide members value-added threat advisories, alerts, and warnings.
  • Promote effective liaison with local, state and federal agencies, to include the Department of Homeland Security.
  • Provide members a forum for education and training on counterterrorism, counterintelligence, cyber crime and other matters relevant to informed reporting of potential crimes and attacks on the nation and U.S. interests.

InfraGard provides its members with daily reports regarding current threats. In addition, members are encouraged to share information with each other regarding security issues or breaches they have encountered. To provide a secure environment where members feel comfortable exchanging information, InfraGard conducts background checks on all members. Since this organization provides information on threats in a timely fashion, it seems odd that in eight years it has amassed only 13,512 members. It would appear that this resource is significantly underused by the security industry. It seems logical that more security practitioners would become members, because what better way to demonstrate credible threats than to pass along information to management that has been disseminated by the FBI? To learn more about InfraGard visit www.infragard.net.

RSS Online
There are numerous other methods for identifying and tracking probable threats. One of the newest mechanisms for tracking news regarding threats and vulnerabilities is to subscribe to various RSS services. RSS, or really simple syndication, provides the opportunity to receive news stories and alerts from varied sources and have them consolidated in one place. It eliminates the task of searching numerous Web sites for relevant information. It is a time saver and an excellent tool.

To take advantage of RSS feeds you need an RSS aggregator, which can be found either as a standalone application or as a plug-in for your Web browser or e-mail client. Two popular downloadable aggregators are BottomFeeder (www.cincomsmalltalk.com/BottomFeeder) and Pluck (www.pluck.com). Several channels that might prove helpful include

To learn more about the how to use RSS feeds, read "Tech Guide: How to Read RSS Feeds," which can be found at tinyurl.com/6sy4h.

Prioritize and Communicate
As you start cultivating resources for pertinent information regarding current threats and issues, you may run into information overload. As an example, while researching this article I got caught in the Alert Zone-I spent more time reading alerts and headlines than actually writing the article. It is important to have mechanisms in place to prioritize the threats, especially if your firm has limited resources. Start with local alerts and advisories. If businesses in your area have encountered attacks or problems, chances are your business is at risk.

Cultivate working relationships with other individuals in your industry, including competitors. Learning that your industry has suddenly become a target can be extremely useful in determining probable threats. Once local and industry resources have been checked, reach out to resources like InfraGard that address issues that directly impact the national infrastructure. If there is a threat to the power grid in your area, it might be time to review business continuity plans. Check other sources as you find them.

Keep in mind that you will still have to evaluate the threats before presenting them to management to support the need for additional resources. Always use probable threats, not possible threats. A creative mind can come up with numerous threats that could possibly happen, but in all likelihood will never cause a business problem. Yes, it is possible for a commercial aircraft to crash into a one-story building in rural Kansas, but the chances are so small as to be insignificant. In the eWeek article, "Don't Freak out over E-Jihad" Larry Seltzer states the issue succinctly: "Unless you're a specific target, it's not worth focusing on unsubstantiated general warnings. The world is full of threats" (tinyurl.com/4z36p).

The ability to track probable threats only exists when people report problems they have discovered or suffered through. This means that many security professionals are willing to share their experiences and often their mistakes for the greater good of protecting the national infrastructure. This is extremely beneficial. If you are willing to learn from others, consider sharing your experiences so that others can help identify probable threats.

John Mallery is a security consultant specializing in the practical application of computer security and digital forensics. He can be reached at [email protected].