In mid-September, most of Ohio encountered a weather anomaly. The remnants of Hurricane Ike collided with a cold front coming down from Canada that resulted in sustained winds of between 35-65 MPH for about 4-5 hours. It was quite an extraordinary event – the closest thing to a hurricane the Midwest has probably ever witnessed by its human residents. As a matter, earlier this year, I heard a statistician / actuarial make an analogy that a 1-in-100 (or maybe it was 1-in-250) event was like a hurricane hitting Indianapolis – nearly happened in Ohio – minus the rain and coastal water surge.
Throughout the wind storm my wife and I went outside frequently to secure loose debris and objects that posed a threat to our cars and home. Besides some Bradford Pear trees (30+ feet tall) that managed to not get blown over, the closest call we had was a chimney cap we found lying next to my brand new Honda FIT.
Being the geek that I am, once I got back inside I wrote down a note to myself to blog about this; specifically, in the context of “threat event frequency” (TEF). Over on my risk vernacular page there are definitions for “threat event frequency”, “action” and “contact” (action and contact make up TEF).
The reason TEF is on my mind is because the chimney cap / Honda FIT scenario is a great illustration of various information security risk assessment concepts. I have witnessed many risk assessments where the assessor errors on the side of possibility versus probability. Thus – and in the context of possibility – because there are bad things out there that can inflict harm against my assets, then surely its going to happen. This sound like “crying wolf” to me and is something I always double check myself on for each and every risk scenario I assess. During the windstorm, I was worried about my home (business context, my network / my assets) – not the homes a few blocks away or in another part of the state. Now make no doubt about it, TEF is not the simplest topic to wrap you brain around and a lot of folks confuse TEF with loss event frequency (LEF) – which is really the frequency, or number of instances within a time frame, that the threat was able to overcome the resistance of the security controls.
So, whether it’s the threat of zero day viruses, a virtual machine security vulnerability, or the slew of other threats that take up memory space in our brains – properly analyzing threat event frequency in the context of the environment at risk (or that you have oversight for) and not confusing TEF with LEF is a must and in my mind is the difference between a seasoned and unseasoned information security risk analyst.
I am still compiling a few risk scenarios to post. Stay tuned and have a great day!