InfoSec 2011: Can risk be measured in monetary terms?

Experts are divided over the merits of basing risk mitigation policies on monetary impact assessments

A monetary value should always be allocated to risk if IT departments want an effective information security strategy, according to a security chief speaking at InfoSec in London earlier today.

Michael Colao, head of information security at insurance firm Beazley, who was speaking at the conference, explained that if you have a monetary value for each of your risks then it makes a decision on whether or not to secure that risk much easier.

"Let's take the example of a risk that, according to industry standard statistics, is likely to result in a lawsuit once every five years," said Colao.

"Now to make that lawsuit disappear, it will cost the company £50,000, which means the actual cost of managing the risk is £10,000 a year," he added.

"So if I was offered a product that reduced my risk by 10 per cent per year, and it cost me £1,000 a year, then I should buy it. Anything more than that, and it isn't worthwhile to the company."

However, Wendy Nather, senior analyst for the 451 Group, said that while this approach might work in the insurance business, it would be completely useless in the public sector.

"In the public sector there are huge losses that have nothing to do with money," said Nather.

"How do you quantify reputational or political damage?" she added.

"OK, so sometimes you can relate it to funding if you lose this as a direct result of a breach, but in general, those in government aren't going to be able to measure risk in monetary terms."

Andrew Rose, global IT risk manager for law firm Clifford Chance, adopts a method that incorporates both qualitative reputational damage, as well as monetary impact into the assessment.

"It is very hard to quantify your risk specifically," said Rose.

"What we do is incorporate banding. So a breach could result in a loss between this figure and this figure, and this ranges from negligible to catastrophic," he added.

"We can't just stick things in fixed financial terms, you have to map the reputational impact across the matrix too."

However, Colao insisted that information security officers should be able to assign a financial amount to reputational risk, adding that this requires conversations between the IT department and the business.

"I have a massive problem with this generally accepted view that measuring reputational loss is a proverbial piece of string," said Colao.

"I have often succeeded in asking the business what a reputational loss would mean to them in monetary terms, and I have found this has produced some very useful figures for risk management," he added.

"I don't want to be the guy that says to the business, 'Well, I am valuing our reputation using these figures but actually I can't attach them to anything apart from my own hunch'. It's ineffective."
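The two approaches debated above can be combined in a small annualised-loss calculation: Colao's rule (annual rate of occurrence times cost per event, then compare the expected saving from a control with its annual cost) and Rose's banding (a low/high loss range mapped to labels from negligible to catastrophic), with a business-supplied monetary figure for reputational damage added in as Colao suggests. This is an added example, not code from the article or from any of the firms mentioned; the band thresholds and the "data breach" figures are constructed values.

```python
from dataclasses import dataclass

# Band thresholds in GBP are constructed for illustration; the labels follow Rose's description.
BANDS = [(0, "negligible"), (10_000, "minor"), (100_000, "major"), (1_000_000, "catastrophic")]


@dataclass
class Risk:
    name: str
    sle_low: float      # single-loss expectancy, low end of the band (GBP per event)
    sle_high: float     # single-loss expectancy, high end of the band (GBP per event)
    aro: float          # annual rate of occurrence (events per year; once in 5 years = 0.2)
    reputational: float = 0.0  # monetary figure the business assigns to reputational damage per event

    def ale_range(self):
        """Annualised loss expectancy as a (low, high) range, rounded to pence."""
        low = round(self.aro * (self.sle_low + self.reputational), 2)
        high = round(self.aro * (self.sle_high + self.reputational), 2)
        return low, high


def band(amount):
    """Map a GBP amount to the highest band whose threshold it reaches."""
    label = BANDS[0][1]
    for threshold, name in BANDS:
        if amount >= threshold:
            label = name
    return label


def max_justified_spend(risk, reduction):
    """Largest annual control cost worth paying for a control that cuts the risk by `reduction`
    (a fraction), as a (low, high) range matching the loss band."""
    low, high = risk.ale_range()
    return round(low * reduction, 2), round(high * reduction, 2)


def worth_buying(risk, reduction, annual_cost):
    """Colao's rule, applied conservatively to the low end of the band: buy the control only
    if the expected annual saving is at least its annual cost."""
    return max_justified_spend(risk, reduction)[0] >= annual_cost


# Colao's worked figures: a £50,000 lawsuit once every five years.
LAWSUIT = Risk("lawsuit", 50_000, 50_000, aro=0.2)
# A banded risk in Rose's style, with a constructed reputational figure agreed with the business.
BREACH = Risk("data breach", 20_000, 2_000_000, aro=0.1, reputational=150_000)
```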