In order to reinforce the points made on the preceding page, consider the following two hypothetical situations:
First Hypothetical - You are the manager of a mortgage unit in a local bank, and a customer has walked into your office to apply for a mortgage. Before you approve the loan, you need to ensure that you have adequately addressed several risks. Using an automated mortgage application program, you run a credit report on the customer to determine the probability, or likelihood, that the customer will fail to repay the loan, based on his or her credit history. You next input the amount of the loan to assign the impact, or severity, to the bank if the customer fails to repay. The mortgage application program combines these probability and impact elements to determine the overall risk to the bank. The grid to the right represents how the program might weigh these two elements.
To limit the potential loss from a default and confirm that the property value will cover the loan, you also request an appraisal of the property. Since your bank is unwilling to accept the risk that the customer does not actually own the property, or that the house may be destroyed by fire, flood or storm, you transfer (assign) that risk by requiring the customer to obtain title, flood and property insurance. The computer application takes out all the guesswork: it calculates the risk and then checks whether it falls within the level of risk the bank will accept. You just input the data, and the program tells you whether the loan is approved.
Second Hypothetical - You are the manager of a mortgage unit in a bank. Your group is so successful that the signed documentation from all the mortgage applications has overwhelmed your file room. To save space, you have decided to convert the documents to electronic images. You are just about to approve acquiring the necessary imaging software and hardware when the company's General Counsel walks into your office. She informs you that, based on contract law and recent regulations on the protection of consumer data, the imaging application will have to ensure the security of the information. You turn to your technology manager and ask him what the "likelihood" would be that imaged information might be lost or breached. The manager describes several possibilities for how the information might be breached, but he cannot provide any specific loss probabilities. You then turn to the General Counsel and ask her how much the company could lose if there were a breach. She describes potential "impacts" ranging from a few thousand dollars to the total collapse of the bank. Exasperated, you ask them whether the bank could purchase insurance to cover the risk. You are informed that, even if you can find such insurance, the cost is prohibitive.
In the end you do not have sufficient information to make a decision, so you decide to live with the current situation. The next day, one of the members of the cleaning crew discovers a pile of mortgage applications in the trash. He takes them home and sells the names, Social Security Numbers and bank account information to his brother-in-law, who proceeds to file several bogus loan and credit card applications.
The primary difference between these two hypothetical situations is that the mortgage approval decision is based on an objective assessment methodology backed by historical data, whereas the security assessment is based on flimsy assumptions and no reliable loss data. Note also that the loss came from the existing paper process the manager chose to live with, not from the imaging system under consideration: declining to decide was itself a risk decision, made without any measurement. The second hypothetical reinforces the concept that "if you can't measure it, you can't manage it": we cannot manage information security risk if we are unable to measure the risks and the level of success in controlling them.