
Evaluating the Security Risk

In Chapter 1 we provided a method for assigning a numeric value to your system’s security risk based on several factors. In this section we will expand upon that system. Recall that we evaluated three aspects of your system:

  • Attractiveness to attackers
  • Nature of information
  • Level of security

The system being evaluated was given a numeric designation between 1 and 10 for each of these factors. The first two are added together, and then the third number (level of security) is subtracted. The lower the number, the more secure your system; the higher the number, the greater your risk. The best rating is for a system that:

  • Receives a 1 in attractiveness to hackers (i.e., a system that is virtually unknown, has no political or ideological significance, etc.)
  • Receives a 1 in informational content (i.e., a system that has no confidential or sensitive data on it)
  • Receives a 10 in security (i.e., a system with an extensive layered, proactive security system complete with firewalls, ports blocked, antivirus software, IDS, anti-spyware, appropriate policies, all workstations and servers hardened, etc.)

This hypothetical system would get a score of 1 + 1 – 10, or -8. That is the lowest threat score possible. Conversely, the worst rating is for a system that:

  • Receives a 10 in attractiveness (i.e., a well-known system that has a very controversial ideological or political significance)
  • Receives a 10 in informational content (i.e., a system that contains highly sensitive financial records or classified military data)
  • Receives a 1 in security (no firewall, no antivirus, no system hardening, etc.)

This system would get a 10 + 10 – 1, or a 19. Such a hypothetical system is, in effect, a disaster waiting to happen. As a systems administrator, you are unlikely to encounter either extreme. Evaluating system attractiveness to hackers is certainly quite subjective. However, evaluating the value of informational content or the level of security can be done with simple metrics.

To evaluate the value of the informational content on your systems, you have to consider the impact of such data being made public. What would be the worst-case scenario of that data being made public? Table 12.1 divides data into categories, based on worst-case impact, and gives examples of types of data that fit that specification.

TABLE 12.1 Value of data.

| Value assigned | Worst-case impact | Type of data |
|---|---|---|
|  | Negligible, at most some personal embarrassment | Non-sensitive data: video rental records, book sales records |
|  | Slight loss of competitive advantage | Low-level business data: basic process and procedure documents, customer contact lists, employee lists |
|  | Significant loss of competitive advantage (business or military) | More sensitive business data: business strategies, business research data, basic military logistical data |
|  | Significant financial loss, significant loss of reputation, possible negative impact on operations | Financial/personal data: Social Security numbers, credit card numbers, bank account numbers, detailed military logistical data, military personnel records, confidential health records |
|  | Significant business profit loss, significant negative military/operational impact | Sensitive research data/patent product data, classified military information |
|  | Serious loss of life, danger to national security | Top secret data, weapons specifications, troop locations, lists of agent identities |

You can use similar metrics to evaluate the security level of any network. Table 12.2 shows an example.

TABLE 12.2 Security measures taken

| Value assigned | Security measure taken | Where likely to be found* |
|---|---|---|
| 1 | No security at all | Many home users |
| 2 | Basic antivirus software | Many home users |
| 3 | Antivirus, some security browser settings, basic filtering firewall | Small office/home office users (SOHO) |
| 4 | Level 3 plus routine patches and perhaps some additional security measures such as stronger browser security and anti-spyware | Small business/schools |
| 5 | Level 4 plus router hardening, strong password requirements, perhaps an IDS, basic policies about downloading, acceptable usage policies, sensitive servers hardened | Networks with a full-time network administrator |
| 6-7 | Level 5 with both IDS and anti-spyware, all unnecessary ports closed, subnets filtered, strong password policies, good physical security, encryption used for sensitive data, all servers hardened, back-up media destroyed appropriately, stateful packet inspection firewall on perimeter, Web servers located in a DMZ, packet filtering on all subnet routers, very extensive policies on all aspects of computer security | Networks with a larger IT staff, possibly a full-time security professional |
| 8-9 | Level 6-7 with regular internal and external security audits, hard drive encryption (such as Windows EFS), possible use of biometrics in physical security (fingerprint scan), extensive logging, background checks on all IT personnel, all workstations/servers completely hardened, all personnel wear security ID badges, all data transmissions encrypted | Networks with a full-time security professional |
| 10 | Level 8-9 plus security clearance for all IT personnel, monthly updates/patching/auditing, routine penetration testing, Internet usage extremely restricted or blocked altogether, no portable media (CD, floppy, etc.) on workstations, strong physical security including armed guards | Military/research installations |

*This does not mean that this level should be found at these types of organizations; this is just where it is likely to be found.

A few observations about Table 12.2 should be made here. The first is that Level 3 is actually the bare minimum any person should be using. Because both Windows 7 and Linux have built-in firewalls, there is no reason that even a home user would not achieve Level 3. Most organizational networks should be able to get a minimum standard of Level 5 or 6. It should also be noted that you probably will not find networks that fit exactly into one of these levels. However, this chart should give you some guidelines for how to evaluate the security level of these systems.

This system is somewhat simplistic, and parts of it are clearly subjective. It is hoped that this will form a basis for you as you begin working on security for your network. Having numerical values to evaluate your threat level can be a great assistance when assessing your security level. The real issue is that you have some quantifiable method for evaluating the security of a given system. This system is presented to you simply because there are very few similar systems in existence today. Most security evaluations are somewhat subjective. This numerical grading system (which is the invention of this author) is offered as a starting point. You should feel encouraged to expand upon it.
