Congratulations! We are officially over the hump!
In our last post, Addressing Governance and Regulatory requirements, we described the third of six processes for implementing a data security practice. So we are now past the middle, starting on our fourth process, namely developing a prioritized security strategy.
Since we are over the hump, you may notice a different flavor to the remaining three processes. Essentially the first three were analytic processes: our first was to identify critical digital assets following standard accounting processes. The second was to evaluate threats against these assets. And the third process was to assess our governance and regulatory requirements so that we remain in compliance with all of our corporate obligations.
The outputs for all three of these processes will be used as inputs to this one. Those outputs are a list of critical digital assets, a threat and vulnerability assessment, and documentation of our governance and regulatory requirements along with complexity and risk weighting factors. We will use these artifacts to synthesize a prioritized security strategy, the primary activity of this process.
Which begs the question: exactly how will we do this, especially since we have a multi-variable equation with various weighting factors? Fortunately Nancy Mead at the SEI has already answered this question for us. Given multiple prioritization methods, Mead has identified Thomas L. Saaty’s analytic hierarchy process (AHP) as the best method for building this prioritization. Quoting Mead, AHP entails:
- Review candidate requirements for completeness.
- Apply the pairwise comparison method to assess the relative value of each of the candidate requirements.
- Apply the pairwise comparison method to assess the relative cost of the candidate requirements.
- Calculate each candidate requirement's relative value and implementation cost, and plot each on a cost-value map.
- Use the cost-value map as a map for analyzing the candidate requirement.
Which probably begs two further questions: what is a pairwise comparison? And what is a cost-value map? Well, a pairwise comparison is as it sounds: literally “comparing entities in pairs to judge which entity is preferred, or has a greater amount of some quantitative property.” And a cost-value map, according to requirements prioritization theory, is simply a plot of the value of something on the x-axis against the cost of obtaining that value on the y-axis. In our case, these values are the weights created as outputs during the earlier processes.
Clear as mud, huh? Well, we’ve just described the techniques we will use in this process’s activities, not the activities themselves. Specifically for each entity in our list of critical digital assets, we will perform the following activities:
- Evaluate the asset against the weights noted for the following categories:
  - Threat assessment score
  - Vulnerability assessment score
  - Governance and regulatory complexity score
  - Governance and regulatory risk score
- Plot each of these pairwise values (asset, score) on the corresponding cost-value map:
  - Threat weight
  - Vulnerability weight
  - Governance and regulatory complexity
  - Governance and regulatory risk
We now have four intermediate outputs: four cost-value maps expressed as bar charts. The x-axis for all four is the list of critical digital assets, perhaps sorted in alphabetical order grouped by asset type, and the y-axis is the score associated with each of the four weighting factors.
To collapse these into a final rank of what critical asset deserves the most attention, we need to perform a final pairwise value comparison against the ranking criteria themselves. We need to determine the relative value amongst our assessment factors.
Meaning we need to decide how the threat score compares against the vulnerability, complexity, and risk scores; how the vulnerability score compares against the complexity and risk scores; and finally how the governance complexity score compares against the governance risk score. Six more pairwise comparisons in all. After that, we can compute a weighted sum of our four cost-value maps and arrive at the finalized risk assessment.
The output of this entire process is a ranking of our critical digital assets, ordered by their weighted relative protection value to our organization. We will use this ranking in our next process, implementing data security throughout the enterprise, to determine which security mechanisms we will put in place to protect these assets.
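To make the two-stage procedure above concrete, here is an added worked example in Python; it is not code from the original post, from Mead, or from the SEI. It assumes the four factor scores per asset have already been produced by the earlier processes (the scores and asset names below are constructed sample data), builds the six pairwise judgments among the four factors into a reciprocal AHP matrix, derives the factor weights with the geometric-mean approximation of Saaty's principal eigenvector, checks Saaty's consistency ratio so that contradictory judgments are caught before they drive the ranking, and finally computes the weighted sum that yields the prioritized asset list.

```python
"""AHP-style prioritization of critical digital assets (added example, not the post's own code)."""
from math import prod

# The four assessment factors produced by the earlier processes, in index order.
FACTORS = ("threat", "vulnerability", "complexity", "risk")

# Saaty's random consistency index for matrices of size 1..4 (standard AHP constants).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90}


def build_pairwise(judgments, n):
    """Fill a reciprocal n x n matrix from upper-triangle judgments {(i, j): value}.

    judgments[(i, j)] = v means factor i is v times as important as factor j;
    the mirror cell is filled with 1/v, and the diagonal is 1.
    """
    m = [[1.0] * n for _ in range(n)]
    for (i, j), v in judgments.items():
        m[i][j] = float(v)
        m[j][i] = 1.0 / v
    return m


def priority_vector(pairwise):
    """Derive normalized factor weights from a pairwise comparison matrix.

    Uses the row geometric mean, the usual closed-form approximation of the
    principal eigenvector that AHP prescribes.
    """
    n = len(pairwise)
    geo = [prod(row) ** (1.0 / n) for row in pairwise]
    total = sum(geo)
    return [g / total for g in geo]


def consistency_ratio(pairwise, weights):
    """Saaty consistency ratio; a value above 0.10 means the judgments should be revisited."""
    n = len(pairwise)
    if n < 3:
        return 0.0  # a 2x2 reciprocal matrix is always consistent
    # Estimate lambda_max as the mean of (A w)_i / w_i over the rows.
    aw = [sum(pairwise[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / weights[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def rank_assets(asset_scores, weights):
    """Weighted sum of each asset's factor scores, most protection-worthy first."""
    totals = {
        asset: sum(w * s for w, s in zip(weights, scores))
        for asset, scores in asset_scores.items()
    }
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def prioritize(judgments, asset_scores):
    """Run the full procedure: judgments -> weights -> consistency check -> ranking."""
    pairwise = build_pairwise(judgments, len(FACTORS))
    weights = priority_vector(pairwise)
    cr = consistency_ratio(pairwise, weights)
    return weights, cr, rank_assets(asset_scores, weights)


# Constructed sample judgments: the six pairwise comparisons among the four factors,
# indexed as threat=0, vulnerability=1, complexity=2, risk=3. Threat and vulnerability
# are judged equally important, each three times as important as complexity and twice
# as important as risk; complexity is judged half as important as risk.
SAMPLE_JUDGMENTS = {(0, 1): 1, (0, 2): 3, (0, 3): 2, (1, 2): 3, (1, 3): 2, (2, 3): 0.5}

# Constructed per-asset scores (threat, vulnerability, complexity, risk), each on a 1-5 scale.
SAMPLE_ASSET_SCORES = {
    "customer-db": (5, 4, 4, 5),
    "build-server": (4, 5, 2, 3),
    "marketing-site": (2, 3, 1, 1),
    "hr-records": (3, 2, 5, 4),
}

if __name__ == "__main__":
    weights, cr, ranking = prioritize(SAMPLE_JUDGMENTS, SAMPLE_ASSET_SCORES)
    for name, w in zip(FACTORS, weights):
        print(f"{name:<14} weight {w:.3f}")
    print(f"consistency ratio {cr:.3f} ({'ok' if cr <= 0.10 else 'revisit judgments'})")
    for asset, total in ranking:
        print(f"{asset:<16} {total:.2f}")
```

The consistency check is the part practitioners most often skip: with six independent judgments it is easy to assert, for example, that threat outweighs complexity and complexity outweighs risk while also rating risk above threat, and the weighted sum will quietly encode that contradiction. Treat a ratio above 0.10 as a signal to reconvene the group and revisit the pairwise judgments before acting on the ranking.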
If your organization has members who have experience with pairwise comparison or cost-value mapping techniques, great! Invite them to participate in this process’s activities. If not, go forward with caution: it may be wise to hire a consultant with specific experience in this discipline to help your prioritization process activities go smoothly.
What are your thoughts on this process for developing a prioritized security strategy? Have you used pairwise comparisons or cost-value maps yourself? Have you been exposed to this kind of process before? We’d love to hear from you, so please post a comment below.
 Software Engineering Institute at Carnegie Mellon University