Formulas To Quantify and Measure Your Data Security

For any company with KIID assets (Knowledge, Intelligence, Information and Data), having a strong internal security policy in place is critical. Weak internal security increases the risk of loss, damage or exploitation of critical assets by external sources. The more people that have unnecessary access, the more likely there is to be a security breach. In this day and age, that can have a devastating impact on a company, both in its internal operations and its relations with customers and partners. No one wants to be involved with a company that has sloppy security practices.

The immense costs involved in damage control, recovery and regaining trust can often be financially impossible to support. For these reasons, security should always be viewed as an essential and ever-present element of KIID, rather than a separate function to be addressed only when it's too late.

As in any other area of business, the ability to quantify security allows us to measure and manage. We can understand where we stand, whether improvements are being made over time and what actions might be necessary. With such formulas, you can begin to carry out a full internal security audit.

Here, the importance of having IT expertise can't be emphasised enough. Simply put, if you don't fully understand how your enterprise system works, not only at the user level but at the administrative level, then you're not going to know who really has access to what, rendering any attempt at quantification impossible.

Below, I have set out a number of formulas with which, depending on how much information you have available, you can begin to quantify your internal security. I am grateful to Dr Hendrikus J. A. Van Kuijk, who kindly provided the basic formula, which I have further developed and refined over time.

Unauthorised access relative to total personnel

At its most basic, where $S$ represents our security score, we take $u$, the number of users identified as having unauthorised or unneeded access, and divide it by $t$, the total number of users. This gives the following formula, where a result of 1 is a perfect score (nobody holds access they do not need) and 0 the worst possible:

$S=1-\frac{u}{t}$

Unauthorised access relative to total personnel and volume of sensitive assets

Wherever possible, your aim should be to identify (or at least estimate) the number of sensitive KIID assets in your possession. If you have such a figure, we can expand the formula, with $z$ representing the number of sensitive assets reachable through unauthorised access and $a$ the total number of sensitive assets:

$S=1-\frac{u+z}{t+a}$

In both formulas, any score below 1 should be of concern, and of course any unauthorised access to a sensitive asset should be an immediate red flag, with a review initiated and remedial action taken. It should be pointed out, though, that such a red flag may indicate improper classification rather than a security failure - i.e., the asset isn't as sensitive as it has been made out to be. Such issues will have to be addressed during the review. Note also that both scores are ratios: they count how many users and assets are affected, not how damaging each exposure is, which is what the weighted formulas below add.

Unauthorised access weighted by document sensitivity

It's important to have a classification system for assets in order to better understand what is somewhat sensitive (e.g., certain employee details and management documents) and what is very sensitive (e.g., customer data, financial data, sales and marketing plans, new product plans, etc.). With such a classification system, a company where 10 employees have unauthorised access to 5 very sensitive documents receives a more negative security score than one in which the same number of individuals have access to assets that are only somewhat sensitive.

To quantify this, we assign each asset a rating on a scale that starts at 1 for not sensitive (assets in this class are ignored in the scoring) and increases for more sensitive assets. A simple example of this would be a 3 point scale:

1 = not sensitive
2 = somewhat sensitive
3 = very sensitive

Using $c$ as our classification indicator, we can then track security performance over time with classification taken into account. The formula is applied to each sensitivity class in turn and the results added together. For a given class it multiplies the number of users with unneeded access within that class, $u$, by the number of assets in that class they can reach, $z$, and gives the product added weight based on the class's degree of sensitivity:

$S_d=uzc$

Now, using the above formula, let's take a look at an example. A company has 15 employees who have unnecessary access to 11 somewhat sensitive KIID assets, and a further 5 who have access to those same 11 assets as well as 4 very sensitive assets. All 20 therefore count in the somewhat sensitive class and 5 in the very sensitive class, which gives us the following result:

$S_d=(20\times11\times2)+(5\times4\times3)=500$

In a second example, a company has 20 employees with unneeded access to 12 somewhat sensitive assets and a further 14 employees with access to the same 12 as well as 6 very sensitive assets (34 in the somewhat sensitive class, 14 in the very sensitive class):

$S_d=(34\times12\times2)+(14\times6\times3)=1,068$

For an even more accurate score, apply the formula per asset rather than per class, dropping $z$ (it is 1 for a single asset): multiply the number of users with unneeded access to that asset by its classification, and add up the results across all assets. This stops a handful of widely shared assets from inflating the class-level product.

Volume of sensitive assets (weighted)

Where the total number of sensitive assets and their classification are known, a company can also keep track of the weighted volume of sensitive assets in its possession, allowing it to better budget for security. For this, we amend the formula as follows, with $t$ again the total number of users and $a$ the number of sensitive assets in each class, again applied per class and summed:

$S_d=tac$
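
The formulas above are easy to get wrong when the inputs come from a real entitlement dump rather than a hand count, so here is an added worked example (my own illustration, not part of the original article or Dr Van Kuijk's formula) that computes every score in this piece from three inputs: who is authorised to see what, what an access dump says they can actually see, and a sensitivity class per asset. The user names, asset names and grants are constructed for illustration; class 1 assets are ignored in the weighted scores, as the scale above specifies. The last function rebuilds the article's first worked example from generated data and should return 500.

```python
"""Access-review calculator for the S and S_d formulas (added example)."""
from fractions import Fraction

# The article's 3-point scale; class 1 is ignored in the weighted scores.
NOT_SENSITIVE, SOMEWHAT, VERY = 1, 2, 3

# Constructed sample: five users, five assets (names are illustrative).
USERS = {"alice", "bob", "carol", "dave", "erin"}
SENSITIVITY = {
    "wiki": NOT_SENSITIVE,
    "hr-roster": SOMEWHAT, "mgmt-minutes": SOMEWHAT,
    "customer-db": VERY, "pricing-plan": VERY,
}
# Who *should* have access (the approved entitlement list).
AUTHORISED = {
    ("alice", "wiki"), ("alice", "hr-roster"), ("alice", "customer-db"),
    ("bob", "wiki"), ("bob", "mgmt-minutes"),
    ("carol", "wiki"), ("carol", "hr-roster"), ("carol", "mgmt-minutes"),
    ("carol", "customer-db"), ("carol", "pricing-plan"),
    ("dave", "wiki"),
    ("erin", "wiki"), ("erin", "pricing-plan"),
}
# Constructed "access dump": everything authorised plus four stale grants.
ACTUAL = AUTHORISED | {
    ("alice", "pricing-plan"),
    ("bob", "hr-roster"), ("bob", "customer-db"),
    ("dave", "mgmt-minutes"),
}


def unneeded(actual, authorised):
    """(user, asset) grants present in the dump but not on the approved list."""
    return set(actual) - set(authorised)


def basic_score(users, actual, authorised):
    """S = 1 - u/t: u = users holding any unneeded grant, t = all users."""
    u = len({user for user, _ in unneeded(actual, authorised)})
    return 1 - Fraction(u, len(users))


def expanded_score(users, sensitivity, actual, authorised):
    """S = 1 - (u+z)/(t+a): z = sensitive assets reachable through an
    unneeded grant, a = all sensitive (class >= 2) assets."""
    bad = unneeded(actual, authorised)
    sensitive = {ast for ast, c in sensitivity.items() if c > NOT_SENSITIVE}
    u = len({usr for usr, _ in bad})
    z = len({ast for _, ast in bad if ast in sensitive})
    return 1 - Fraction(u + z, len(users) + len(sensitive))


def class_weighted_score(sensitivity, actual, authorised):
    """S_d = uzc applied per sensitivity class and summed."""
    bad = unneeded(actual, authorised)
    total = 0
    for c in set(sensitivity.values()) - {NOT_SENSITIVE}:
        in_class = {(usr, ast) for usr, ast in bad if sensitivity[ast] == c}
        u_c = len({usr for usr, _ in in_class})   # users with unneeded access in class c
        z_c = len({ast for _, ast in in_class})   # assets in class c they can reach
        total += u_c * z_c * c
    return total


def per_asset_weighted_score(sensitivity, actual, authorised):
    """Per-asset variant (z dropped): sum over assets of users-with-unneeded-access * c."""
    bad = unneeded(actual, authorised)
    return sum(len({usr for usr, ast in bad if ast == asset}) * c
               for asset, c in sensitivity.items() if c > NOT_SENSITIVE)


def weighted_volume(users, sensitivity):
    """S_d = tac applied per class and summed: weighted volume of sensitive assets."""
    t = len(users)
    return sum(t * sum(1 for x in sensitivity.values() if x == c) * c
               for c in set(sensitivity.values()) - {NOT_SENSITIVE})


def article_example_one():
    """Rebuild the article's first worked example from generated data:
    20 users with unneeded access to 11 somewhat sensitive assets, 5 of
    whom also reach 4 very sensitive ones. No grant is authorised."""
    users = [f"u{i}" for i in range(20)]
    sens = {f"s{i}": SOMEWHAT for i in range(11)}
    sens.update({f"v{i}": VERY for i in range(4)})
    actual = {(usr, ast) for usr in users for ast in sens if sens[ast] == SOMEWHAT}
    actual |= {(usr, ast) for usr in users[:5] for ast in sens if sens[ast] == VERY}
    return class_weighted_score(sens, actual, authorised=set())


if __name__ == "__main__":
    print("S (basic)      =", basic_score(USERS, ACTUAL, AUTHORISED))
    print("S (expanded)   =", expanded_score(USERS, SENSITIVITY, ACTUAL, AUTHORISED))
    print("S_d by class   =", class_weighted_score(SENSITIVITY, ACTUAL, AUTHORISED))
    print("S_d per asset  =", per_asset_weighted_score(SENSITIVITY, ACTUAL, AUTHORISED))
    print("Weighted vol.  =", weighted_volume(USERS, SENSITIVITY))
    print("Article ex. 1  =", article_example_one())
```

On the constructed data three of five users hold a stale grant, so the basic score is 2/5; all four sensitive assets are reachable through some stale grant, so the expanded score drops to 2/9. The class-weighted score is 20 while the per-asset score is 10, which shows why the per-asset variant is the more honest one: multiplying users by assets within a class credits every user with every asset in that class, even when, as here, each user can actually reach only one of them. In practice the two input sets come from your IAM system's approved-entitlement records and a fresh export of effective permissions; the gap between them is the review queue.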

As new assets are created and requirements evolve, classification and its methodologies will also have to be reviewed and amended. Combined with other security appraisals, periodic audits should indicate whether such internal security measures are improving or degrading. As always, the aim should be to have no assets exposed to unneeded access, while avoiding overzealous security - given that this can be just as damaging as sloppy security. As important as security should be to your business, too much of it undermines collaboration, knowledge production and ultimately the success of your business - so use it wisely.

Image: Tom Brown