Internal vs. External Risk

Recently, I had a very interesting conversation with a CISO about the need (or lack thereof) for a security assessment of an application that had been "up and running for quite some time" on the Intranet. The business driver behind the initiative was to expose the same application, which (of course) relies on authentication, to business partners and clients over the Internet, so that they could access marketing data (statistics, geographical and demographical distribution of users, etc.).
It is quite obvious that external exposure has inherently higher risk than the same resource (document, application, database, etc.) exposed to the internal environment. But have you tried to quantify the risk?
According to the U.S. Census Bureau (2007), there are 120,604,265 employees in 29,413,039 establishments in the US, which means that the average company size in the US is 4.1 employees (internal exposure). The total world population (external exposure), on the other hand, is estimated at 6,973,530,974 (U.S. Census Bureau, 2011). Using the simple formula
6973530974 ÷ (120604265 ÷ 29413039)
we can calculate that the external exposure is 1,700,708,830 times higher.
Naturally, this does not translate directly into risk: the average US company with 4.1 employees does not hold Intellectual Property, and not every human on earth has the means (technical equipment, skills, time, motivation, etc.) to identify and exploit a security vulnerability. Regardless, even if the number is divided by a million (1,000,000), we are still talking about 1,700 times more exposure risk.
These numbers are quite impressive...