“Your budget is not limitless. Neither are other resources. You need to determine the best use of your limited resources to ensure the survivability of your enterprise.”
—Audrey Dorofee, Software Engineering Institute, Carnegie Mellon University
The finite nature of security resources mandates prioritizing the deployment of security measures. That means a security analysis should concentrate on the few assets that are most critical to the business.
Which are they? Making that determination is not just Security’s task. It requires the expertise of the corporate personnel who utilize and depend upon those assets. It involves knowledge outside of security’s domain.
Group Consensus
This means that security practitioners must enlist the aid of a group, committee, team or panel to help identify and prioritize the most critical assets and business processes. What makes assets critical is the severity of the impact on the business if use of the asset were lost.
Using a simple application of pairwise comparison, which compares critical assets to each other two at a time, you can help the group perform a rudimentary business impact analysis in a methodical way that results in group consensus on the team’s findings. The pairwise comparison technique leverages the universal human ability to compare a single property of two alternatives. In plain words, it’s easy because we already know how to choose between two things. We do it all the time.
In a pairwise comparison a whole list of items is ranked by comparing only items two at a time, and assigning a numerical rating to the comparison. Adding up the ratings produces a score for each item. Some items score higher than others; the numbers document the ranking.
What follows is a description of the critical asset ranking process using pairwise comparisons.
Activity: Critical Asset Identification and Ranking
Purpose: To determine the most critical assets of the business, and rank them in terms of the severity of the loss of use of the asset.
Steps:
- Start with a list of candidates for being a “critical asset”.
- Identify the “worst-case loss event” for each asset: the event that would have the worst impact on the organization. Write down a description of the event.
- Rate the assets according to the severity of the impact of the worst-case loss event on the business, comparing each asset category against every other asset, two at a time. Make a chart with rows and columns for each asset. Write the comparison rating in the comparison chart (see the example chart in Figure 1 below). Use the following rating scheme:
Rating | Description |
3 | More critical |
2 | Equally critical |
1 | Less critical |
- Add up the values in each row and write the total for each asset category in the Total column.
- The assets with the highest scores are the most critical assets, according to your assessment team.
This activity does not require that each team member be highly knowledgeable about each asset. As long as there is at least one person who can explain satisfactorily to the rest of the group why the loss of one of two assets would have the greater or equal negative impact on the business, the group can reach a consensus about the asset pair. One by one each asset pair can be addressed and rated.
Figure 1. The pairwise comparison chart.
The above example is the very simplest use of the pairwise comparison tool. It requires only a brief introduction for the participants in asset ranking exercises. Where a more expanded rating scale seems appropriate, the following 1-to-5 scale can also be used:
Rating | Description |
5 | Significantly more critical |
4 | Somewhat more critical |
3 | Equally critical |
2 | Somewhat less critical |
1 | Significantly less critical |
Because a relative scale of measurement can be used, a pairwise comparison approach for critical asset ranking significantly reduces the time to obtain consensus. It helps to ensure that time spent on more detailed analyses is well spent by focusing on the most critical assets. Usually there is an added bonus in that the protective measures selected for the critical assets often also apply to less critical assets, or can be easily extended to cover more assets at an incremental cost.
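The following script is an added worked example of the ranking activity above, not code from the original column. It fills the comparison chart from one judgement per asset pair, mirrors the reverse cell, sums each row into the Total column, and ranks the assets; it accepts either the 3-point scale or the 1-to-5 scale. The four assets and the pair judgements are constructed for illustration. One assumption the text does not spell out: the reverse cell is filled with the mirror rating (on a 1..n scale, n + 1 − r), so that "A is more critical than B" (3) implies "B is less critical than A" (1).

```python
"""Pairwise-comparison chart for critical asset ranking (added example)."""
from itertools import combinations

# The two rating schemes described in the text.  Each maps a judgement label
# to the number written in the chart cell for "row asset vs column asset".
SCALE_3 = {"more": 3, "equal": 2, "less": 1}
SCALE_5 = {"much_more": 5, "more": 4, "equal": 3, "less": 2, "much_less": 1}


def mirror(rating, scale):
    """Rating for the reverse comparison (assumed rule: on a 1..n scale the
    mirror of r is n + 1 - r, so on the 3-point scale 3 <-> 1 and 2 stays 2)."""
    return max(scale.values()) + 1 - rating


def build_chart(assets, judgements, scale):
    """Fill the chart from one judgement per unordered pair.

    judgements: {(a, b): label} meaning "a is <label> critical than b".  The
    pair may be recorded in either order; the other cell is filled by mirroring.
    Returns (chart, totals): chart[row][col] is the rating, totals[row] is the
    row sum the team writes in the Total column.
    """
    chart = {a: {} for a in assets}
    for a, b in combinations(assets, 2):
        if (a, b) in judgements:
            r = scale[judgements[(a, b)]]
        elif (b, a) in judgements:
            r = mirror(scale[judgements[(b, a)]], scale)
        else:
            # The method only works if the group has discussed every pair.
            raise ValueError(f"no judgement recorded for {a!r} vs {b!r}")
        chart[a][b] = r
        chart[b][a] = mirror(r, scale)
    totals = {a: sum(chart[a].values()) for a in assets}
    return chart, totals


def rank(totals):
    """Assets from most to least critical.  Ties are broken by name only so
    the output is stable; real ties are for the team to resolve, not a script."""
    return sorted(totals, key=lambda a: (-totals[a], a))


def render(assets, chart, totals):
    """Plain-text version of the comparison chart (rows vs columns, Total)."""
    width = max(len(a) for a in assets) + 2
    lines = ["".ljust(width) + "".join(a.ljust(width) for a in assets) + "Total"]
    for a in assets:
        cells = "".join(
            (str(chart[a][b]) if b != a else "-").ljust(width) for b in assets)
        lines.append(a.ljust(width) + cells + str(totals[a]))
    return "\n".join(lines)


# Constructed sample: four hypothetical assets and the group's consensus on
# each pair.  Not data from the column.
ASSETS = ["Customer DB", "Email", "Badge system", "Payroll"]
JUDGEMENTS = {
    ("Customer DB", "Email"): "more",
    ("Customer DB", "Badge system"): "more",
    ("Customer DB", "Payroll"): "equal",
    ("Email", "Badge system"): "equal",
    ("Payroll", "Email"): "more",        # recorded in reverse order on purpose
    ("Badge system", "Payroll"): "less",
}

if __name__ == "__main__":
    chart, totals = build_chart(ASSETS, JUDGEMENTS, SCALE_3)
    print(render(ASSETS, chart, totals))
    print("Ranking:", rank(totals))
```

A quick consistency check the facilitator can apply by hand: because every pair contributes a rating and its mirror, the totals for n assets always sum to (n + 1) × C(n, 2) (24 for four assets on the 3-point scale, 36 on the 5-point scale). A chart that does not add up has a missing or mis-mirrored cell.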
Significant Additional Benefits
In addition to providing a ranked list of critical assets there are other significant benefits to utilizing the pairwise comparison tool in a group exercise, especially in a cross-functional setting. Sometimes damage to a single asset can affect multiple parts of an organization, such as if more than one function depends upon the asset, or if its loss has a cascading effect that creates additional problems across functions.
The educational effect of such an exercise can be tremendously beneficial. Participants can gain insights into other areas of the organization. Sometimes interdependencies are identified that weren’t really fully known or understood.
The result of the exercise can be a significant improvement on the previous state of knowledge regarding critical assets and their importance to the organization.
Do you have a critical assets catalog for your organization? If not, the pairwise comparison tool can help you develop one more quickly.
Best regards,
Ray Bernard