Sunday, February 13, 2011

Managing the InfoSec Investigative Function

Managing the InfoSec Investigative Function: Applying the Lessons of Traditional Investigators

In a corporate setting large enough to have a dedicated Information Security function – whether as a sub-department of the IT division or as a separate division unto itself – Information Security Officers and Analysts are often called upon to conduct investigations into user actions.

If, for example, a line manager hears an allegation that an employee has been accessing adult material on the internet or has been emailing proprietary information to the competition, the line manager will often request that InfoSec help determine whether the allegation is true.

This makes sense because InfoSec professionals will have access to email servers, log files, and other resources that line managers cannot access. In addition, InfoSec specialists will often have the technical expertise to gather and interpret at least some of the data necessary to determine the facts of the case. So, it is understandable and appropriate that line managers expect InfoSec to play a role in investigations of this kind.

However, conducting effective and fair investigations requires specialized knowledge, skills, and abilities. It is not necessarily the case that the InfoSec analyst who can manage a tight network perimeter can also conduct a good investigation. Furthermore, investigations are risky and politically sensitive affairs, and they must be governed by sound policies and by oversight at the appropriate level of the organization.

The InfoSec investigative function must be carefully managed by the organization and must be carried out by information security practitioners with specialized qualifications. Ineffective, inconsistent, or unfair investigative practices put an organization at serious risk. Such practices fail to provide adequate protection for the organization’s information assets, and they invite legal action from employees who are treated unfairly. An organization must give careful thought to how its InfoSec investigative function will be managed and conducted.

When considering their investigative role, InfoSec professionals can borrow many of the concepts long embraced by traditional investigators. “Traditional investigators” here means those professionals who investigate crimes and policy violations taking place in the physical, as opposed to electronic, world. A sufficiently large organization will have a Security or Public Safety function that provides physical security and investigates issues such as asset theft, workplace violence, trespassing, etc. This article will refer to that function as “Public Safety” to avoid confusion with Information Security. Public Safety departments have been part of the corporate landscape for years and have developed mature processes for handling investigations. Although Public Safety and InfoSec investigations often involve different kinds of alleged infractions and different technologies, many of the foundations of traditional investigative practice are equally applicable to InfoSec investigations.

This article describes six key concepts of traditional investigations that can also be applied to InfoSec investigations. InfoSec practitioners can learn a great deal from the mature processes developed over years of traditional investigative practice. The purpose of this article is to help InfoSec managers and other organizational leaders effectively establish, conduct, and oversee the InfoSec investigative function. The six key concepts discussed in this article are:

Applying NPV and ROI to Security Investment Decisions


Too often, the decision of whether or not to implement a security measure is ultimately based on a vague appeal to "best practices", or on a gut feeling that the cost of a countermeasure outweighs the risk of an exposure.  In this paper, the author proposes a model, based on Net Present Value, Return on Investment, and Monte Carlo simulations, that provides a quantitative framework for these decisions.  A sample analytical tool is also provided.


Justifying the costs of security expenditures is a persistent challenge for the Information Security Manager.  The often significant implementation and maintenance costs of a countermeasure, coupled with the difficulty of quantifying the costs of a breach, make traditional cost-benefit analyses problematic at best, and simple guesswork at worst.  While the information security literature addresses such concepts as Single Loss Expectancy (SLE), Annualized Loss Expectancy (ALE), and Annualized Rate of Occurrence (ARO), there are few good models available to translate these concepts into the kind of business analyses that are persuasive to operational managers.  In addition, the models that are available often fail to adequately take into account the probability and timing of a security breach.  An extravagant SLE will fail to persuade senior executives who perceive a vanishingly low probability that such an event will occur.

To be successful, the Information Security Manager (ISM) must be able to make a case for security investments in terms that are persuasive to business managers, not necessarily to other information security professionals.  Senior management will be unmoved by appeals to IT best practices; they will become inured to frightening tales of companies who paid the price for lax security practices; and they will lose confidence in a security manager who supports proposals with little more than instinct.  The ISM must be able to draw on traditional analytical tools such as Net Present Value (NPV) and Return on Investment (ROI).

Although the concept of a Return on Security Investment (ROSI) is frequently explored in the information security literature, there is little consensus on how to calculate it, and few tools to help the ISM do so.  This article describes a flexible model that merges traditional NPV and ROI calculations into ROSI.  The model employs Monte Carlo simulations to determine the probability that a security investment will produce a positive ROSI.  A sample Excel spreadsheet demonstrates how this model can be incorporated into a simple-to-use tool. 
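The following is an added illustration of the kind of model described above, written for this page; it is not the author's spreadsheet and does not reproduce its formulas. It assumes a simple structure: the rate of occurrence (ARO) is uncertain and drawn from a range, each breach loss is drawn from a lognormal distribution centred on the SLE, the countermeasure avoids a fixed fraction of each loss, and ROSI is the NPV of avoided losses minus countermeasure costs, divided by the present value of the countermeasure costs. The sample figures are constructed, not taken from the article.

```python
import math
import random
from dataclasses import dataclass


def npv(rate, cashflows):
    """Net present value of cashflows[t] received at the end of year t (t = 0 is today)."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cashflows))


def ale(sle, aro):
    """Annualized Loss Expectancy = Single Loss Expectancy x Annualized Rate of Occurrence."""
    return sle * aro


def _poisson(rng, lam):
    # Knuth's inverse-transform Poisson sampler; adequate for the small annual rates used here.
    limit, k, p = math.exp(-lam), 0, 1.0
    while p > limit:
        k += 1
        p *= rng.random()
    return k - 1


@dataclass
class Countermeasure:
    initial_cost: float    # one-off implementation cost, paid today
    annual_cost: float     # maintenance cost per year
    effectiveness: float   # fraction of each breach loss avoided (0..1), an assumed parameter


@dataclass
class Exposure:
    sle_median: float   # median single-loss amount (the SLE)
    sle_sigma: float    # log-space spread of the loss amount (0 = fixed SLE)
    aro_low: float      # uncertainty band on the annualized rate of occurrence
    aro_high: float


def simulate_rosi(exposure, cm, rate, years, trials, seed=0):
    """Monte Carlo ROSI.

    Returns (probability that NPV > 0, mean NPV, mean ROSI).
    ROSI here is mean NPV divided by the present value of countermeasure costs,
    so the countermeasure must have a non-zero cost.
    """
    rng = random.Random(seed)
    pv_cost = cm.initial_cost + npv(rate, [0.0] + [cm.annual_cost] * years)
    npvs = []
    for _ in range(trials):
        # Each trial picks one plausible ARO, then plays the investment horizon year by year.
        aro = rng.uniform(exposure.aro_low, exposure.aro_high)
        flows = [-cm.initial_cost]
        for _year in range(years):
            avoided = 0.0
            for _event in range(_poisson(rng, aro)):
                loss = rng.lognormvariate(math.log(exposure.sle_median), exposure.sle_sigma)
                avoided += loss * cm.effectiveness
            flows.append(avoided - cm.annual_cost)
        npvs.append(npv(rate, flows))
    mean_npv = sum(npvs) / trials
    p_positive = sum(1 for v in npvs if v > 0) / trials
    return p_positive, mean_npv, mean_npv / pv_cost


if __name__ == "__main__":
    # Constructed example: a breach costing around $100k, 0.5 to 2 per year, versus a
    # control costing $40k up front and $5k a year that stops 80% of the loss.
    exposure = Exposure(sle_median=100_000, sle_sigma=0.5, aro_low=0.5, aro_high=2.0)
    control = Countermeasure(initial_cost=40_000, annual_cost=5_000, effectiveness=0.8)
    p, mean_npv, rosi = simulate_rosi(exposure, control, rate=0.08, years=5, trials=5_000)
    print(f"ALE (midpoint ARO): {ale(exposure.sle_median, 1.25):,.0f}")
    print(f"P(positive ROSI) = {p:.3f}, mean NPV = {mean_npv:,.0f}, mean ROSI = {rosi:.2f}")
```

The point of the probability output is the one made above: a large SLE alone does not carry the argument, because a low or uncertain ARO can leave a sizeable share of trials with a negative NPV. Presenting "the investment pays back in N% of simulated futures" is a statement operational managers can weigh against the countermeasure's cost.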

So, How Many Information Security People Do We Need?


It’s not difficult to find a lot of good information on general Information Technology staffing ratios.  Spend a few minutes online, and you will quickly turn up surveys, benchmarking studies, and lively discussions.  The “right” ratio of IT staff to users at large varies widely, depending on the type of business, the industry’s reliance on technology, etc., but for the most part, someone looking to find out how many IT staff overall a company needs can find some decent numbers to start with.

The task becomes a lot harder, however, when you want to find staffing ratios for information security staff.  Perhaps because the “right” number of information security staff is highly sensitive to the nature of the business and the regulatory environment, or perhaps because the information security discipline is less mature than IT infrastructure or operations, there just aren’t very many good benchmarks out there.  Asking “how many information security staff do we need?” results in a resounding “It depends.”

For this article, I gathered several pieces of publicly-available information into one location to sketch out a broad range of staffing benchmarks for the information security function.  A number of data points are collected and described below.  The intent is not to establish the “right” information security staffing ratio – that’s probably impossible.  Rather, my hope is that this article will be a useful resource for information security professionals looking for data to inform their staffing discussions.  Hopefully this article will also help spark more research into and analysis of this topic.

Data Points

Here are the most illuminating sources of information I found.