budgets to address such attacks. However, the patch was widely known and had already been around for two years. Their budgets should have already accounted for patching, but they apparently had not previously invested sufficient funds to provide for a basic countermeasure.
When you understand your organization's vulnerabilities/countermeasures balance and its risk-optimization point, you develop greater insight into how you might better mitigate UIL.
Risk and User-Initiated Loss
When you consider how UIL impacts risk, you realize that organizations in many industries do not fund UIL mitigation efforts well. The cause is usually a combination of failing to appreciate the holistic nature of countering the problem, resignation to the fact that users can never be perfect, and not allocating the proper resources. The failure to allocate resources includes funding, staff, and expertise.
In the accounting and safety fields, for example, there is a clear understanding of risk. They understand that user actions can result in serious financial losses, and they treat the problems holistically and with the appropriate resources. They determine where loss occurs, and they track the financial metrics to determine the success of the program.
In other fields, such as cybersecurity, there is rarely effective tracking of losses or a holistic approach to applying countermeasures to them. While the problems are bemoaned, there is not a clear understanding of the value lost due to UIL.
To address UIL, you must be able to demonstrate in clear financial terms the value at risk. Chapter 10 covers metrics, which should help you make the argument about the value that users put at risk. However, that will still not do any significant good if you do not look beyond awareness as the primary countermeasure to the problem. Chapter 5 will look at the limitations of awareness, and going forward, the book will examine the more holistic approach to all aspects of addressing UIL.
NOTE Risk management, as a whole, is complicated and rarely performed effectively. While we hope to provide enough working knowledge to apply the concepts in this book, risk management is a core component of all loss mitigation efforts. We recommend you also look to other resources, such as The Failure of Risk Management: Why It's Broken and How to Fix It (Wiley, 2009), for further information.