Assessing the risks and cost of encryption

CIO - With major data breaches occurring on a regular basis, encryption vendors are going into hyperdrive, touting the need for their products. However, encryption is only one aspect of protecting your sensitive data, and a new attack shows that it may not be enough.

Recently, the security research group at Princeton University published a report on its success at recovering data from an encrypted disk image on a laptop. This caused a good bit of consternation and some breathless coverage in the press (as with this New York Times story that got the headline " Researchers Find Way to Steal Encrypted Data"), leading to some speculation that this meant on-disk encryption was simply not worth the effort. (Read more on Laptop Encryption Strategies.)

The next morning, having read the New York Times, your CEO stops you in the coffee room and asks, "Is it worth using this disk encryption? It's a pain, and from this article it sounds like someone could get my data anyway."

The security community gets excited about any cool hack that can be exploited to get something you're not supposed to get, and we know that sometimes it's really an important issue. On the other hand, sometimes it isn't. How is a nonspecialist to know the difference, and how can a CIO answer the CEO's questions in the coffee room the morning after a story like this appears?

It turns out that we can answer this sort of question quickly with some good expectation of accuracy, using ideas from that half-remembered Finance 101 class we took years ago. What we're concerned with is the risk posed by this new attack, risk as defined in finance as the probability of the undesired event multiplied by the cost of the undesired event (which is called the hazard). We can manage security issues, first of all, by considering the risk.

Risk = probability x hazard

An easy way to see how this is applied is to think about the PIN on your ATM card. Most banks have simple policies for ATM cards: You have a four-digit PIN; there is a limit on how much cash can be taken out of the account every day, say $500; and there is a policy that says after three wrong PIN attempts, the ATM annoyingly eats your card, usually on Friday afternoon just before you leave for that weekend in Vegas.

Now, assume the card is lost, and someone is attempting to get money from it illicitly. The chances of guessing the PIN correctly with no extra information (you didn't write the PIN on the back of the card, right?) are 1 in 10,000 for one try, or about 1 in 3,333 for the three tries you get. The hazard is $500, so the risk is about 15 cents. In other words, the bank can be pretty confident that over many thousands of depositors and ATM cards, the cost of this kind of fraud per card is about 15 cents each.

Reprinted with permission from

This story is reprinted from CIO.com, an online resource for information executives.
Story Copyright CXO Media Inc., 2009. All rights reserved.