Fear and Longing for ECommerce?

Posted on September 5, 2007

Jim Credland… following a recent report from the Federation of Small Business that claims that just 18 per cent of SMEs are selling online, with less than one per cent of those generating all their sales through the internet. SMEs' main reason for such online reticence is their fear about online fraud and security …

Research asks some pretty dumb questions. Reducing the problem to one of ‘fear’ doesn’t make sense. Fear is about risk, and business is inherently risky: making money is about taking some risks. According to IMRG, UK e-retail sales hit four billion pounds a month in July this year, so some risks might be worth taking!

If you ticked the box “Would like to sell online but worried about security and fraud” in the research questionnaire, perhaps now is the time to consider how to reduce those fears into something manageable.

The primary tool used by security professionals for thinking about these problems is the risk calculation. In case you’ve not used one of these before, it works like this:

Risk = Impact * Likelihood

It’s a tool that lets you think about risk sensibly, address the issues and in some cases, achieve the holy grail of risk management - quantify the risk you’re exposed to.

I’ll use an example, a fictional SME; let’s call them Scared Cat Ltd. Scared Cat have a website that shows a phone number but has no online e-commerce (remember, research shows it’s too scary!). Let’s also assume that there is a ten percent chance of www.scaredcat.com being hacked in a year and that it costs £10,000 to have it rebuilt. The cost to Scared Cat from this risk, averaged over many years and using the formula, is £1,000 a year (1,000 = 10,000 × 10%).

For this scenario the business impact of £10,000 is probably a relatively easy calculation: add up the developer rebuilding the website, lost business, lost time, and include some figure to cover damage to their reputation. The likelihood figure is going to be more of a guess, but they can talk to other people in their industry, and harass or employ a security professional.

Scared Cat need to decide whether the risk is acceptable as it stands, and may want to look at ways of reducing it. Firstly, is it acceptable? Well, if the website brings in £1,000 of profit (not revenue!) a month, then a £1,000 a year cost is a pretty good deal.

Can they reduce the figure? If so, then the reduction is effectively profit (strictly it’s less risk, but that is very close to the same thing if the calculations are approximately right). Something that reduces risk is known, in the security professional’s terms, as a control. The trick is to implement the most cost-effective control to reduce the risk, and you tend to get diminishing returns as you implement more and more controls.

A good choice of control for a website with custom applications would be application security testing or penetration testing. Because of the custom coding done for web applications, generic security scanning tools are often ineffective, and the real value comes from a manual penetration test. The testing team will do all the things a typical hacker would do, with the same tools at their disposal.

Manual tests like these aren’t cheap but can be worthwhile. A test team’s time runs from about £750 a day upwards (you’re paying for all the time they spent prior to your job staying up all night, eating pizza and keeping up to date with the latest techniques). The good news is that you might see a reduction in that 10% ‘likelihood’ figure to around 2%, if it’s done well and often enough.

So, using the risk formula, should they run a penetration test? The risk has gone down from £1,000 a year to £200. The penetration test will cost around £3,000 and will save only £800 a year. So, unless the penetration test provides protection for the next four years, it’s not a great deal, and that is unlikely, as few web applications and servers remain untouched for that long.

It’s important to revisit the controls whenever the impact or likelihood changes. Frequently people focus on the ‘problems’, such as a new type of virus online, and forget about the increasing impact figure as their business becomes more valuable.

Should Scared Cat decide to tap into their share of this £4 billion a year online market by enabling e-commerce functionality on the site, then the impact figure will increase dramatically, hopefully offset by huge additional profits. Suddenly the penetration test, or some other effective security control, may look like a bargain.
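The Scared Cat arithmetic above (annual risk, the saving a control buys, and how long it takes to pay for itself) and the re-evaluation once e-commerce raises the impact can be carried through in a few lines. This is an added worked example, not code from the original post; the £10,000 impact, the 10% and 2% likelihoods and the £3,000 test cost are the post's figures, while the one-year control lifetime and the £100,000 e-commerce impact are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    impact: float      # cost in pounds if the event happens (rebuild, lost business, reputation)
    likelihood: float  # probability of the event in one year, 0.0 to 1.0

    def annual_cost(self) -> float:
        """Risk = Impact * Likelihood: the expected cost averaged over many years."""
        return self.impact * self.likelihood


@dataclass
class Control:
    name: str
    cost: float             # one-off cost of the control in pounds
    new_likelihood: float   # likelihood once the control is in place
    lifetime_years: float   # how long the control's effect is assumed to last


def evaluate_control(risk: Risk, control: Control) -> dict:
    """Compare what the control costs with the risk it removes over its lifetime."""
    before = risk.annual_cost()
    after = Risk(risk.impact, control.new_likelihood).annual_cost()
    saving_per_year = before - after
    # Years of savings needed to recover the one-off cost (infinite if it saves nothing).
    payback_years = control.cost / saving_per_year if saving_per_year > 0 else float("inf")
    net_over_lifetime = saving_per_year * control.lifetime_years - control.cost
    return {
        "risk_before": before,
        "risk_after": after,
        "saving_per_year": saving_per_year,
        "payback_years": payback_years,
        "net_over_lifetime": net_over_lifetime,
        "worthwhile": net_over_lifetime > 0,
    }


# Post's figures: £10,000 to rebuild, 10% chance per year of being hacked.
BROCHURE_SITE = Risk(impact=10_000, likelihood=0.10)
# Assumed: the same site after enabling e-commerce, with a constructed £100,000 impact.
ECOMMERCE_SITE = Risk(impact=100_000, likelihood=0.10)
# Post's figures for the test; the one-year lifetime is an assumption, since the
# post notes that few applications stay untouched long enough for a test to keep paying off.
PENTEST = Control(name="penetration test", cost=3_000, new_likelihood=0.02, lifetime_years=1.0)

if __name__ == "__main__":
    for label, site in (("brochure site", BROCHURE_SITE), ("e-commerce site", ECOMMERCE_SITE)):
        print(label, evaluate_control(site, PENTEST))
```

With the brochure site the test saves £800 a year and needs 3.75 years to pay back, so it is not worthwhile; once the impact rises to the assumed £100,000 the same test saves £8,000 a year and pays for itself within the year.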

Risk analysis techniques like these, however approximate, are essential for turning fear into a set of rational business decisions.

Jim Credland, THUS, Head of Product Security