Andy Jaquith was comparing records lost per laptop versus records lost per server on the securitymetrics.org mailing list recently. It got me thinking about how to measure risk based on the frequency/availability of the data and its value (or corresponding potential loss) to the enterprise.
When calculating potential loss on a per record basis, it seems reasonable to assume that every instance of that record – i.e. the number of copies of the record on various assets throughout the environment – will increase the consequences accordingly. That is, a record in 10 locations will potentially lose ten times as much as a single instance.
While this is true*, it is worth paying attention to the mechanics behind this – this increase doesn't come from adding together the consequences; it comes from the increased likelihood of compromise. So the real change is in the probability attribute, not the value/loss one.
An illustration: a single record that has a value of $200 with a 5% likelihood of loss has a $10 "value-at-risk". If there are ten instances of that record, the VaR becomes $100 because the likelihood changes to 50% ($200 x .5 = $100) NOT because the value of the record goes up ($2000 x .05 = $100).
This matters when you are aggregating likelihoods and consequences in a big picture scenario.
One final precaution – it is worth remembering that only a small fraction of the potential loss is bundled up in a per record basis; there are plenty of fixed costs on a per compromise basis.
* Without other frequency data on threats and vulnerabilities, it is reasonable to assume a random distribution — that all assets are equally likely to be attacked and compromised.
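A worked version of the mechanics above, as an added example that is not part of the original post. It reproduces the post's illustrative figures ($200 value, 5% per-instance likelihood, ten instances, likelihood scaled linearly with copies) and, going beyond the post, also computes the combined likelihood 1 - (1 - p)^n that at least one of n copies is lost, which stays below 100% for any instance count. The assumptions are those of the footnote (every asset equally likely to be compromised) plus independence between copies; the `expected_loss` helper's treatment of the fixed per-compromise cost (paid once if any copy is breached) is an assumption of this example, not a statement from the post.

```python
# Added example (not from the original post): per-record value-at-risk when a
# record is replicated across n assets.  Assumes every copy is equally likely to
# be compromised (the post's footnote) and, for combined_likelihood, that the
# copies are compromised independently of one another.


def linear_likelihood(p: float, n: int) -> float:
    """Likelihood scaled linearly with the number of copies, as in the post's
    illustration (5% per instance x 10 instances = 50%).  Exceeds 1.0 once
    n > 1/p, so it is only an approximation for small p and n."""
    return p * n


def combined_likelihood(p: float, n: int) -> float:
    """Probability that at least one of n independently compromised copies is
    lost: 1 - (1 - p)^n.  Always stays within [0, 1]."""
    if not 0.0 <= p <= 1.0 or n < 0:
        raise ValueError("p must be in [0, 1] and n must be non-negative")
    return 1.0 - (1.0 - p) ** n


def value_at_risk(value: float, likelihood: float) -> float:
    """VaR of one record: its value times the likelihood that it is lost."""
    return value * likelihood


def per_record_var(value: float, p: float, n: int, model=combined_likelihood) -> float:
    """VaR of a record held in n places.  The value per record is unchanged;
    only the likelihood attribute moves with n."""
    return value_at_risk(value, model(p, n))


def expected_loss(records: int, value: float, p: float, n: int, fixed_cost: float) -> float:
    """Expected loss for a population of identical records, each held in n
    places, plus a fixed per-compromise cost.  Assumption (not from the post):
    the fixed cost is paid once if any copy is breached."""
    p_any = combined_likelihood(p, n)
    return records * value_at_risk(value, p_any) + fixed_cost * p_any


if __name__ == "__main__":
    VALUE, P = 200.0, 0.05  # the post's illustrative figures
    print(f"{'copies':>6} {'linear':>8} {'combined':>9} {'VaR(lin)':>9} {'VaR(comb)':>10}")
    for n in (1, 10, 21):
        lin, comb = linear_likelihood(P, n), combined_likelihood(P, n)
        print(f"{n:>6} {lin:>8.3f} {comb:>9.3f} "
              f"{per_record_var(VALUE, P, n, linear_likelihood):>9.2f} "
              f"{per_record_var(VALUE, P, n):>10.2f}")
```

Running the block prints one row per instance count; at 21 copies the linear column exceeds 1.0 while the combined column does not, which is the difference between treating copies as additive likelihood and treating them as independent chances of compromise.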
What happens if I have 21 instances of that record? Does my likelihood then become 105%?
@Alex -
Good point. That is an unlikely problem (no pun intended) because you should be adjusting your risk calculations based on the growth in record availability.
In addition, my illustrative numbers are clearly high to begin with (though it is possible to lose everything in a population more than once).