The Not Obvious blog has an interesting write up on the Heartland Breach and impact.  From the blog post:

“Heartland has had to pay other fines to Visa and MasterCard, but the total of $12.6 million they have set aside to handle the one-time costs is a drop in the bucket compared $1.5 billion in 2008 revenue and does not really even skim much off the top of the $161 million in profits from that same year (the numbers for 2009 look to be tracking the same). It is almost a guarantee that any member of the class action who submits a claim will see many years of scrutiny before receiving any payment, something which Heartland can factor into their yearly financial plans (and accommodate for by increasing fees).”

For thought:

1. One wonders how much a “sufficient” (loaded term, of course) InfoSec program for a company like Heartland costs on an annual basis.
2. Does this set a sort of “worst case” bounds to impact distributions?
3. If so, how does a worst case impact of ~$13million (US) impact security management at retailers (politically)?

I say “somewhat” modeling because I find interesting is that Richard seems to be discussing probabilistic statements in the “greens” there (“my opinion/guess is that it would take some degree of force to compromise asset in question based on my admittedly incomplete knowledge of the control state”) , and then adding to that nature-state assessments (“here is the current state of attack/compromise”) in the rest of the spectrum.

Now obviously the probabilistic statements would eventually require more effort once some substantial level of organizational maturity has been achieved, but this sort of asset-state spectrum would be useful in establishing high-level assessments of the asset landscape.  It would allow the CISO (esp. a new CISO who finds herself in an environment fraught with “unknown, unknowns”) to create a relatively quick view of enterprise “vulnerability” (to borrow FAIR’s concept) and help begin the achievement of knowledge around enterprise risk management capability.

Other uses could eventually contribute significantly to risk models.  Obtaining accurate current/past Category 3 (the orange there) information would be *really* useful for creating probabilistic statements around threat models and risk models.  As I mentioned above, the Vuln ratings can be broken down to assist risk and risk management modeling (yeah, I continue to maintain that they are two different things despite what all the standards out there say, more on that tomorrow).  Finally, studying time frames and abilities around the post-compromise state (Breach 3-1, there) around incidents would be useful in establishing risk management model belief statements, as well.

One small problem I would have using this on an aggregate level would be the lack of granularity around the threat community w/regards to “impact” levels 1-5.  I might not really care if a script kiddie is doing reconnaissance, but if the recon is coming from someone in an internal administrative role, a contractor who has privileges, etc…

That said, my significant problem with Bejtlich’s model there has to do with *why* he created it.  He asks:

What do you think of this rating system? I am curious to hear how others explain the seriousness of an incident to management.

To which my obvious response is, “why should management care about any of this when it doesn’t include impact”?  Even at it’s darkest colors, the scale is subject what I call the tree falling in the woods problem – does vulnerability or compromise matter independent of an impact statement?  Without impact, are we just “multiplying by zero”?

More directly, can you imagine going to a CFO with this but without impact information?  Wouldn’t you kind of look foolish if you said, when questioned about (probable) impact, “Well, then we would be modeling risk, and you know we can’t do that”?