Risk and cost - mapto/sprks GitHub Wiki
A security policy results both in security risks and security costs.
Risks
The organisation is exposed to a generic list of risks. Each specific policy determines a certain probability of each risk occurring.
Currently planned risks are:
- guessing/breaking credentials/password
- stealing credentials/password
- circumvention of authentication mechanism (i.e. interception of data)
Each of these is defined by incidents in https://github.com/mapto/sprks/tree/master/static/incidents. From the incident descriptions, generalized training sets are derived: https://github.com/mapto/sprks/tree/master/static/data. The machine learning algorithm (currently a Support Vector Classifier, http://scikit-learn.org/stable/modules/svm.html) builds a model by interpolating the training set. Notice: when different incidents suggest conflicting values for a certain data point in the training set, SVC collapses them into an average value. For each risk the model suggests the closest incident (a class from the training dataset). The system compares these and returns the largest of them; in future it will return all of them.
Risks also have a possible impact, which is a range of possible costs should the risk occur.
The current cost of a risk is its expected value, i.e. probability × impact. This is currently not calculated by the system.
Cost
Currently we calculate the productivity cost as defined in the function calc_prod_cost in simulation.
The combination of policies has a cost.
This cost has three components:
- direct costs - How much does it cost to implement the policy? This is a specific value for each policy feature. Typically password policies have no implementation cost, as they only require a change of system configuration.
- maintenance cost - How much does it cost to maintain the policy? For the password policy the only such cost is the salaries of staff handling password recovery when it is not automated.
- indirect costs
  - productivity cost - calculated according to a clear formula (see related studies in Dropbox)
  - compliance cost - similar to productivity cost, but less clear-cut, which is why it might also be estimated by a machine learning algorithm.
Costs to be represented
- Immediate cost of policy configuration, risk/incident occurrence or intervention.
- Maintenance cost of policy configuration or intervention
- Compliance cost of policy configuration or intervention
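The expected-value calculation from the Risks section (probability × impact, which the system does not yet compute) combined with the three cost components above, as an added example that is not part of the sprks code base. The two policies, their per-risk probabilities (standing in for the classifier's output) and all cost figures are constructed placeholders.

```python
"""Added example: expected risk cost plus policy cost, as described on the wiki.
All numbers are constructed placeholders, not sprks data or model output."""
from dataclasses import dataclass

# Impact per risk as a (low, high) range of costs, in currency units (constructed).
IMPACT = {
    "guess_password": (1000, 20000),
    "steal_password": (5000, 50000),
    "circumvent_auth": (10000, 100000),
}


@dataclass
class Policy:
    name: str
    risk_probability: dict   # risk -> yearly probability; in sprks this comes from the model
    direct_cost: float       # implementation cost (0 for pure configuration changes)
    maintenance_cost: float  # e.g. salaries for manual password recovery
    productivity_cost: float # what calc_prod_cost would return (constructed here)
    compliance_cost: float   # indirect cost, possibly ML-estimated in sprks


def expected_risk_cost(policy, impact=IMPACT):
    """Expected value of each risk: probability x impact, kept as a (low, high) range."""
    return {r: (p * impact[r][0], p * impact[r][1]) for r, p in policy.risk_probability.items()}


def dominant_risk(policy, impact=IMPACT):
    """The single largest risk (by upper expected cost), mirroring the system's current behaviour."""
    costs = expected_risk_cost(policy, impact)
    return max(costs, key=lambda r: costs[r][1])


def policy_cost(policy):
    """Direct + maintenance + indirect (productivity + compliance) cost of the policy."""
    return policy.direct_cost + policy.maintenance_cost + policy.productivity_cost + policy.compliance_cost


def total_cost_range(policy, impact=IMPACT):
    """Policy cost plus the summed expected risk cost, as a (low, high) range."""
    risk = expected_risk_cost(policy, impact)
    low = sum(v[0] for v in risk.values())
    high = sum(v[1] for v in risk.values())
    return (policy_cost(policy) + low, policy_cost(policy) + high)


def cheapest(policies):
    """Policy with the lowest worst-case total cost (a conservative comparison rule)."""
    return min(policies, key=lambda p: total_cost_range(p)[1])


# Constructed policies: a lax one (cheap, guessable) and a strict one with manual recovery.
WEAK = Policy("weak", {"guess_password": 0.3, "steal_password": 0.1, "circumvent_auth": 0.05}, 0, 0, 500, 200)
STRONG = Policy("strong", {"guess_password": 0.02, "steal_password": 0.08, "circumvent_auth": 0.05}, 0, 3000, 4000, 1500)
```

With these placeholder figures the strict policy's maintenance and productivity costs outweigh the risk it removes, which is exactly the trade-off the page's risk/cost model is meant to expose.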