VIEW 3
The four quadrants of security
Security is defined as the degree to which your assets are resistant to threats from adversaries. If we map these elements into our risk quadrants, we end up with the diagram to the right.


Adversaries:
In the cyber world, we never really know who our adversaries are. They hide behind multiple nodes, proxies and relays, so we do not even know where they are. It is unlikely that we will ever know, so they belong in quadrant three: the unknown unknowns.
Threats:
We are aware of the attack vectors and methods that cyber criminals use (see Views #17 and #20). That much is known. But it is still hard to quantify when an attack might occur and who will be the target. So threats belong in quadrant two: the known unknowns.


Assets:
Most companies are aware that they hold data that would be valuable to their competitors. These are assets that need to be protected. It is also likely that many companies have not carried out an extensive audit of the data assets they hold, or fully defined their business-critical ‘crown jewels’. Despite this, assets belong in quadrant one as known knowns, even if only partially known at present.
Impact:
The impact of a cyber incident belongs in quadrant four. Most companies are unaware of what a cyber incident might cost until they actually suffer one. Much of this information could have been gathered beforehand: it is quantifiable (see View #24 for a suggested model) but often remains unknown.


Practice (almost) makes perfect
One piece of advice that all security experts agree on is that rehearsing the corporate incident response plan through tabletop exercises can have a major positive impact. Practice may never quite make perfect, but it will substantially improve cyber resilience. In a tabletop exercise, crucial information known to one department head becomes known to all. Does the sales director know how long it might take the IT department to rebuild core systems after an attack? Does the legal department understand the urgent requirements of the corporate communications department in a crisis? Which policies can be agreed calmly beforehand rather than hastily thrashed out in an emergency?
Much that is unknown can be revealed when practicing a crisis response. Logically speaking, quadrant four is the most productive place to invest time and money. It is far easier to raise awareness than to try to quantify the unquantifiable.


