Recently, I had a very interesting conversation with a CISO about the need (or the lack of it) for a security assessment of an application which had been "up and running for quite some time" on the Intranet. The business driver behind the initiative was to expose the same application, which (of course) relies on authentication, to business partners and clients over the Internet, so that they could access marketing data (statistics, geographical and demographical distribution of users, etc.).
It is quite obvious that external exposure carries inherently higher risk than the same resource (document, application, database, etc.) exposed only to the internal environment. But have you ever tried to quantify the risk?
According to the U.S. Census Bureau (2007), there are 120,604,265 employees in 29,413,039 establishments in the US, which means that the average company size in the US is 4.1 employees (internal exposure). The total world population (external exposure), on the other hand, is estimated at 6,973,530,974 (U.S. Census Bureau, 2011). Using the simple formula

6973530974 ÷ (120604265 ÷ 29413039)

we can calculate that the external exposure is 1,700,708,830 times higher.
Naturally, this does not translate directly into risk: the average US company with 4.1 employees does not hold intellectual property, and not every human on earth has the means (technical equipment, skills, time, motivation, etc.) to identify and exploit a security vulnerability. Regardless, even if the number is reduced by a factor of a million (1,000,000), we are still talking about 1,700 times more exposure, and exposure ≈ risk.
These numbers are quite impressive...
References
- U.S. Census Bureau, 2007. "Statistics about Business Size (including Small Business)" [online]. Available from: http://www.census.gov/econ/smallbus.html (accessed: November 7, 2011).
- U.S. Census Bureau, 2011. "International Data Base World Population Summary" [online]. Available from: http://www.census.gov/population/international/data/idb/worldpopinfo.php (accessed: November 7, 2011).