Читать книгу You CAN Stop Stupid - Ira Winkler - Страница 45

Value is perhaps the most important element of risk. It is essentially what you have to lose. More important, it is both separately identifiable elements and their totality that you have to lose. Too many organizations and decision-makers misperceive the value that is at risk. Either they have a myopic view as to what value is exposed to loss or they underestimate the potential for overall value to be lost.

Consider, for example, the infamous Sony hack, where North Korea attacked Sony in retaliation for the movie The Interview, which depicted the killing of North Korea's leader, Kim Jung Un. Prior to the attack, the Sony CIO was quoted as saying that he wasn't going to spend $10,000,000 to prevent a $1,000,000 loss. While the logic was sound, the underlying assumption of potential loss was incredibly wrong. Sony didn't lose $1,000,000 in the incident. The combined loss from the interrupted release of the movie, the incident response, the compromise of PII of Sony employees, and the embarrassment resulting from leaked emails, operational interruption, and so on, cost Sony in excess of $150,000,000.

Unfortunately, there are numerous losses of this scope. While your organization will ideally not suffer such a loss, even small losses can become significant, as we discussed earlier in the “Death by 1,000 Cuts” section. At the least, you want to have a realistic consideration of the value that you are protecting.

There are many types of value. Monetary, opportunity, and reputation are some of the most significant forms. It is also important to consider the value that your organization has to potential attackers, which clearly impacts the level of effort that they will go through to target you. The following sections will explore these types of value.