Archive for the 'Science of Risk Management' Category

Everybody complains about lack of information security research, but nobody does anything about it

For some years, I’ve been following the world of academic and industrial research on information security, especially interdisciplinary research. There is widespread agreement on what needs to be done:

But no one seems to be able to mobilize any significant research into solutions. It’s been very frustrating to see so much talk and so little action.

This reminds me of the quote by Mark Twain, shown at left, which is the inspiration for the title of this post.

The latest iteration of this was a panel at RSA: “The role of research in industry and government”. SC Magazine summarized the discussion this way:

A disconnect between the primary research sectors and a lack of appropriate funding in each is leading to decreased technological progress, exposing a huge gap in security that is happily being exploited by cybercriminals.

(read on for a diagnosis and two proposed solutions…)


Why I Don’t Like CRISC, Day Two

Yesterday, I offered up a little challenge to suggest that we aren’t ready for a certification around understanding information risk.  Today I want to mention why I think this CRISCy stuff is dangerous.

What if how we’re approaching the subject is wrong?  What if it’s mostly wrong and horribly expensive?

I’m going to offer that we’re still too early on to know the answers to these questions (an offer that if correct, would also serve to prove my point yesterday about CRISC).  But if it turns out that we are doing things incorrectly (and really, what’s the probability that we are doing risk management correctly) – does something like CRISC make it easier or more difficult to change to something more effective?

Obviously, you don’t have to have a degree in Organizational Behavior to identify the problem here. If our approach to risk management is wrong, then CRISC is only going to serve to ensure that we are set in our incorrect ways.

Now where this should *really* upset you, my dear reader, is if you subscribe to various theories about how sciences progress.  If you believe that sciences progress by sporadic, somewhat instantaneous little revolutions – then we’re totally screwing ourselves by creating a bureaucracy that makes it more difficult for the next revolution to take place.  And believe me, as I’ve found out over the past 4 years, creating that revolution in risk management is hard enough already.

Doing threat intelligence right

From a great article by Robert Jervis, professor of international politics at Columbia University:

The problem isn’t usually – or at least isn’t only – too little information, but too much, most of it ambiguous, contradictory, or misleading. The blackboard is filled with dots, many of them false, and they can be connected in innumerable ways. Only with hindsight does the correct pattern leap out at us, and to fix what “broke” the last time around only guarantees you have solved yesterday’s problem.

Far more important, and useful, is to address the flaws in how we interpret and use the intelligence that we already gather. Intelligence analysts are human beings, and many of their failures follow from intuitive ways of thinking that, while allowing the human mind to cut through reams of confusing information, often end up misleading us. This isn’t a problem that occurs only with spying. It is central to how we make sense of our everyday lives, and how we reach decisions based on the imperfect information we have in our hands. And the best way to fix it is to craft policies, institutions, and analytical habits that can compensate for our very understandable flaws.

[...]

The first and most important tendency is that our minds are prone to see patterns and meaning in our world quite quickly, and then tend to ignore information that might disprove them. Premature cognitive closure, to use the phrase employed by psychologists, lies behind many intelligence failures.

[...]

Second, people pay more attention to visible information than to information generated by an absence. In a famous Arthur Conan Doyle story, it took the extraordinary skill of Sherlock Holmes to see that an important clue in the case was a dog not barking. The equivalent, in the intelligence world, is information that should be there but is not.

[...]

Third, conclusions often rest on assumptions that are not readily testable, and may even be immune to disproof.

I’ll add a fourth — ignoring threat intelligence altogether or treating it as taboo. This may take several forms: “it’s beyond our control”, “we don’t have good data”, “it’s too hard to quantify”, “we aren’t paid for guess-work”, “we rely on vendors for that”, “everybody knows what the threats are”, “if we bring it up, we will get too many questions we can’t answer”, or other excuses. (See Josh Corman’s post on the folly of relying on security vendors for your threat intelligence. Vendors only have an incentive to inform you about threats they can mitigate.)

If you want a good methodology for threat intelligence, look at Intel’s. It was adapted for use by the Information Technology Sector Coordinating Council in their risk assessment for critical IT industry infrastructure.

As good as it is, it could be even better if they had some systematic methods to actively seek out contradictory information and contrary hypotheses about threats. One simple way to do this is to create a “Mental Model Red Team” whose primary job is to disprove everything you think you know, or at least to generate and validate contrary hypotheses. (For social and cultural reasons, you should probably rotate your staff through this team rather than keeping the team membership fixed.) Formal methods exist, including “Analysis of Competing Hypotheses” (slides). (I’m in the process of evaluating a tool for this called SHEBA. I hope to have a demo ready for Mini-metricon, something like this.) Another possible method is prediction markets, but I’ve never seen them used for this purpose.
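To make the “disprove what you think you know” idea concrete, here is an added example (not code from the original post, and not the SHEBA tool) of the scoring step of Analysis of Competing Hypotheses: hypotheses are ranked by how much evidence refutes them, not by how much appears to confirm them, and evidence that rates every hypothesis the same is flagged as non-diagnostic. The incident, the three hypotheses, the evidence rows and their ratings are all constructed for the illustration.

```python
"""Analysis of Competing Hypotheses (ACH) scoring, constructed illustration.
Ratings follow Heuer's scheme: CC very consistent, C consistent, N neutral,
I inconsistent, II very inconsistent.  Only inconsistency counts against a
hypothesis: ACH ranks by what the evidence refutes, not by what it 'confirms'."""
from typing import Dict, List

PENALTY = {"CC": 0, "C": 0, "N": 0, "I": 1, "II": 2}

# Constructed hypotheses for a burst of failed logins (not from the post).
HYPOTHESES = ["credential stuffing", "stale service credentials", "targeted brute force"]

# Constructed evidence; each row rates one observation against every hypothesis,
# in HYPOTHESES order.  The fourth row is an 'absence' observation, the kind
# of 'dog not barking' clue the article above says analysts tend to overlook.
MATRIX: Dict[str, List[str]] = {
    "many distinct usernames, most tried once":              ["CC", "II", "I"],
    "all attempts from one internal address":                ["II", "CC", "I"],
    "burst began right after scheduled credential rotation": ["I", "CC", "N"],
    "no attempts against privileged accounts":               ["C", "C", "II"],
    "attempts continue around the clock":                    ["C", "C", "C"],
}

def score_hypotheses(matrix=MATRIX, hypotheses=HYPOTHESES) -> Dict[str, int]:
    """Inconsistency score per hypothesis; lower means fewer refutations."""
    scores = {h: 0 for h in hypotheses}
    for ratings in matrix.values():
        for h, r in zip(hypotheses, ratings):
            scores[h] += PENALTY[r]
    return scores

def most_plausible(matrix=MATRIX, hypotheses=HYPOTHESES) -> str:
    """The hypothesis with the least evidence against it (not 'proved')."""
    scores = score_hypotheses(matrix, hypotheses)
    return min(hypotheses, key=scores.__getitem__)

def diagnostic_evidence(matrix=MATRIX) -> List[str]:
    """Evidence that rates all hypotheses alike cannot discriminate between
    them, however consistent it looks; it should carry no weight."""
    return [e for e, ratings in matrix.items() if len(set(ratings)) > 1]

def disconfirming(hypothesis: str, matrix=MATRIX, hypotheses=HYPOTHESES) -> List[str]:
    """What a 'Mental Model Red Team' leads with: the evidence that argues
    against a hypothesis, including the current favourite."""
    i = hypotheses.index(hypothesis)
    return [e for e, ratings in matrix.items() if ratings[i] in ("I", "II")]

if __name__ == "__main__":
    for h, s in score_hypotheses().items():
        print(f"{s:2d}  {h:<26} refuted by: {disconfirming(h)}")
    print("non-diagnostic:", [e for e in MATRIX if e not in diagnostic_evidence()])
```

The leading hypothesis still has one row against it, which is exactly the row a red team should go and test rather than explain away.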

For Blog/Twitter Conversation: Can You Defend “GRC”?

Longtime readers know that I’m not the biggest fan of GRC as it is “practiced” today.  I believe G & C are subservient to risk management. So let me offer you this statement to chew on:

“A metric for Governance is only useful inasmuch as it describes an ability to manage risk”

True or False, why, and what are the implications if true or false.

Please discuss.

#newschoolsecurity

Can quantitative risk estimation serve as a guide for every-day policy decisions?

[Update: The main purpose of this post is to present and demonstrate a method of risk estimation and quantification to support practical policy decision.  The email password policy is just a simplistic case to facilitate the debate.  I also modified the blog post title and the text below to make it clear that this method is aimed to support quantitative risk estimation.]

Our favorite colloquist, Anton Chuvakin, posted a provocative challenge in his blog post “Is Risk Just Too Risky?”:

What is the risk-driven, correct frequency of changing my email password?

<crickets…. silence… more silence>

Yes, we all can quote that “PCI DSS says 90 days” or “whatever regulation says 30 days”, but what does risk say? What actuarial information do we need – if we are to define risk through probability of loss? What info about my email usage? Value of information stored there? Frequency of attacks on other similar email accounts? Chances of attack success? My approach to protecting the password? My personal password reuse “policy?” Anything else? On a related note, maybe this is simpler: what is my risk [of having the account compromised] if I change the password every 30 days, 90 days, 300 days?

So, any idea how to go about it?

This little experiment might well show us that “risk-based security” is an awesome thing – but not one achievable in this world today… [emphasis in original]

I wanted to blog about this, but hadn’t collected enough specifics. Now I can: thanks to the blog conversation among David Mortman, Rich Mogull, Chris Popper, and “Steve”, we have some smart/experienced people providing the needed detail.

Below, I offer a method of reasoning for estimating the relative risk of alternatives that is compatible with quantitative risk analysis and management, but doesn’t require massive amounts of risk calculation. I use the conversation by Mortman et al. as an example of this method in action (armchair-style).


Miscommunicating risks to teenagers

Security programs that depend on 100% compliance are a bad idea, especially if they depend on 100% compliance from people who are proven to be poor in compliance capabilities.

Case in point: I saw a documentary about “Abstinence only” sex education programs for teens in the public schools of New Mexico — one negative example in Albuquerque and one positive example in Socorro. (This is federally funded.) Skipping over the most egregious errors and misstatements in these programs, I noticed one big blooper regarding risk estimation and risk communication.

The educators who developed and deliver this program emphasize the failure rate of condoms as an argument against relying on them. In contrast, abstinence-only is touted because it is 100% effective in preventing unplanned pregnancy and all the negative stuff that goes along with it. Funny thing–they never mentioned the failure rate of abstinence-only when implemented by teenagers! Sure, you can tell teenagers to be abstinent and they can even commit to it, but would you bet on it? What odds would you demand for a large bet (say, $100,000 from your bank account) that a large group of teens would remain abstinent for five years? There are plenty of studies (e.g. here and here) that demonstrate the limited capabilities of teens to avoid risky behavior, control impulses, rationally balance short-term gain against long-term pain, think beyond a short planning horizon, resist peer pressure, etc. For most teens in the US, their “failure rate” (i.e. failing to avoid risky behaviors) is greater than 0%, and in cases of “multiple-risk adolescents” the failure rate is far above 0%.


I would bet that condoms are much more reliable than the average teenager’s commitments to eschew immediate pleasures. Of course, using both would be much more reliable than either alone. This is “defense in depth”, of course. Better still, take it to the max and advise that they add a “full-body condom”. Then they would be “fer sher, fer sher!”, as the Valley Girl might say. :-)

For Those Not In The US (or even if you are)

I’d like to wish US readers a happy Thanksgiving. For those outside of the US, I thought this would be a nice little post for today: A pointer to an article in the Financial Times,

Baseball’s love of statistics is taking over football

Those who indulge my passion for analysis and for sport know that I love baseball and love how the “Moneyball” approach challenged decades of dogma in the national pastime with scientific analysis. Today’s Financial Times discusses how Chelsea (“The Blues” – UK football team) collaborates with the Boston Red Sox (the most superficial bandwagon team ever in baseball) on decision making and analytics.

Go Blues

Best lines:

“Mike Forde, Chelsea’s performance director, visits the US often. “The first time I went to the Red Sox,” he says of the Boston baseball team, “I sat there for eight hours, in a room with no windows, only flipcharts. I walked out of there saying, ‘Wow, that is one of the most insightful conversations on sport I have ever had.’ It was not: ‘What are you doing here? You do not know anything about our sport.’ That was totally irrelevant. It was: ‘How do you make decisions on players? What information do you use? How do we approach the same problems?’”

and:

“Forde sees his task as ‘risk management’.”

Huh.

Rich Mogull’s Divine Assumptions

Our friend Rich Mogull has an interesting post up on his blog called “Always Assume”. In it, he offers that “assumption” is part of a normal scenario building process, something that is fairly inescapable when making business decisions. And he offers a simple, pragmatic process for assumptions which is mainly scenario development, justification, and action. Rich’s process looks like this:

  1. Assumption
  2. Reasoning: The basis for the assumption.
  3. Indicators: Specific cues that indicate whether the assumption is accurate or if there’s a problem in that area.
  4. Controls: The security/recovery/safety controls to mitigate the issue.

Nothing earth shattering here. And like much of Rich’s work, there is an elegance, almost a minimalism, to what he offers.

JUST BECAUSE I CAN’T LEAVE WELL ENOUGH ALONE….

What immediately struck me was how similar Rich’s assumption process was to a little something I like to call “scientific method”. In scientific method, we essentially have (the following shamelessly pasted from Wikipedia):

So if we were to add to Rich’s assumption process above, we’d simply add the “experiments” bits up there.  If we’re building controls in like Rich’s examples in his blog post, we might try a “test” that “penetrates” those controls (or, as I believe Richard Bejtlich smartly tries to get us to say, perform “Adversary Simulation”).

Also, though it will probably sour his stomach a bit, we’d also probably want to make Rich’s assumption steps a hamster-wheel-of-pain(TM) by noting that every so often the threat landscape will change, which will challenge our assumptions/conclusions/hypotheses, so re-testing is necessary.

IF I HAD ANY INDICATION…

Rich does have a certain “informality” around his evidence “indication” step that I’d like to build upon. Let me offer that when discussing probability of failure in a complex IT system, there are only four basic categories of information indicators we need to consider in Information Assurance/Security/Risk Management/Protection/Whatever. There might be evidence around:

  • Assets (the things we want to protect and their state)
  • Threats (the things that want to harm our assets and their state)
  • Controls (the things that resist the threats and their state)
  • Impacts (the things that will happen if we are unable to resist the threat)

And if you’re going to look for clues to suggest whether there might be a problem, look no further than these basic categories for evidence. If you’d like, you can build structure around what “state” means for each category and further develop taxonomies and metrics and whatnot. That’s the fun bits and I’ll let you be creative rather than write too much this morning.

Note that where these categories, applied to assumptions, may break down is in discussing management capabilities (are we operating well enough, and so forth). Rich’s assumptive process (must.resist.urge.to.make.acronym – RAP) can certainly be used here; I’m just not sure whether there might be a better taxonomy of indicators.

How to Value Digital Assets (Web Sites, etc.)

Many security management methods don’t rely on valuing digital assets. They get by with crude classifications (e.g. “critical”, “important”, etc.). But if you need to do financial justification or economic analysis of security investments or alternative architectures, especially risk analysis, then you need something more precise and defensible.

This tutorial article presents one method aimed at helping line-of-business managers (“business owners” of digital assets) make economically rational decisions. It’s somewhat simplistic, but it does take some time and effort. Yet it should be feasible for most organizations if you really care about getting good answers. Warning: No simple spreadsheet formulas will do the job. Resist the temptation to put together magic valuation formulas based on traffic, unique visits, etc.

(This is a long post, so read on if you want the full explanation…)