Although Gartner customers almost never complain about false positive rates, I wonder if false positives are under estimated. End users rarely complain about false positives, but they are very vocal reporting Spam in their inbox. Box Sentry (www.boxsentry.com) recently did a tests in a number of organizations and found the false positive rate in some organizations using popular anti-spam tools was as high as 13% of legitimate emails. The largest proportion of false positives in their study was legitimate person-to-person traffic.  While it could be that these organizations have over-tuned their systems to block more Spam at the expense of quarantining more legit email, the reality was the email administrators had no idea they had such a high false positive rate because they never checked.  Have you? 

Going further, it would be very valuable to estimate the cost of false positives.

As I’ve discussed in a previous post, this is just another instance of a general problem in the security industry.  You can’t do rational analysis of effectiveness, cost-effectiveness, risk, and the rest without some estimate of false positive rates and their costs.

In that post, he argues for a model where

Ideally, this program should be “idea capitalists”, knowing some people and ideas won’t payoff but others will be huge winners. One thing for sure — we shouldn’t focus this program only on people who have been “officially” annointed by some hierarchy, some certification program, or by credentials alone.

I agree that a focus on those anointed won’t help, but that doesn’t mean it’s easy to set up such an institution.

The trouble with the approach is that we have such institutions (*ARPA, venture capital) and they’ve all failed for institutional reasons. However high their aspirations, such organizations over time get flack from their funders over their failures, their bizarre and newsworthy ideas and the organizations become conservative. They trend towards “proven entrepreneurs” and incrementalism. The “Pioneer Fellows” idea does not overcome this structural issue. (There is an argument that the MacArthur genius grants overcome it. I’m not aware of any research into the relative importance of work done before and after such grants, but I have my suspicions, prejudices and best practices.)

Of course, I might be wrong. If you have a spare million bucks, please set this up, and we can see how it goes. An experiment, if you will.

Experiments are a big part of why Andrew and I focused on free availability of data. With data, those with ideas can test them. There will be a scrum of entrepreneurial types analyzing the data. Fascinating stuff will emerge from that chaos. With evidence, they will go to the extant ‘big return’ organizations and get funding. Or they’ll work for big companies and shift product directions.

That is, the issue in infosec is not a lack of interesting ideas, it’s the trouble in testing them without data. We need data to test ideas and figure out how they impact outcomes.

In addition, while traditional bank robbers are limited to the amount of money they can physically carry from the scene of the crime, cyber thieves have a seemingly limitless supply of accomplices to help them haul the loot, by hiring so-called money mules to carry the cash for them.

I can’t help but notice one other important distinction between these two types of bank crimes: The federal government sure publishes a lot more information about physical bank robberies that it makes available about online stick-ups.

Go read “Cyber Crooks Leave Traditional Bank Robbers in the Dust” by Brian Krebs. Then ask why we sweep these crimes under the rug.

• A Roadmap for Cybersecurity Research, by DHS
• National Cyber Security Research and Development Challenges , by the I3P
• Toward a Safer and More Secure Cyberspace, National Academies
• Report to the President on Cyber Security: A Crisis of Prioritization , by PITAC
• Ensuring (and Insuring?) Critical Information Infrastructure Protection, 2005 Rueschlikon Conference on Information Policy
• Four Grand Challenges in Trustworthy Computing , Computing Research Association Conference, 2003
• Others

But no one seems to be able to mobilize any signficant research into solutions.   It’s been very frustrating to see so much talk and so little action.   

This reminds me of the quote by Mark Twain, shown at left, which is the inspiration for the title of this post.

The latest iteration of this was a panel at RSA: “The role of research in industry and government“.  SC Magazine summarized the discussion this way:

A disconnect between the primary research sectors and a lack of appropriate funding in each is leading to decreased technological progress, exposing a huge gap in security that is happily being exploited by cybercriminals.

(read on for a diagnosis and two proposed solutions…)

Part of the problem is the the incentives to focus research on problems and not solutions.  I run into this a lot at academic and other “thought leadership” conferences.  Here’s how it was explained to me: It’s much easier to do a modest-sized research project that shows yet another failure in the economics of security than it is to do the complex, large-scale research that would be necessary to develop both theory and empirical support for solutions. 

The bias toward complaining and against doing research work is even stronger at industry conferences.  I don’t blame any individuals.  Simply put, everyone has a day job that pays them to solve near-term problems and deliver immediate payoffs.   High-risk, fundamental research does not fit that template.

There was one recent attempt to mobilize breakthrough research — the “National Cyber Leap Year Summit” last August, sponsored by NITRD.  As I’ve previously written, that effort was largely a waste of time and money because you can’t brainstorm your way through hard problems like this.

Gene Spafford (a.k.a. “Spaf”) is one person who has thought long and hard about how to effectively mobilize and support interdisciplinary information security research.  In the second half of this blog post, he mentions a white paper that he has been circulating in DC for feedback.   The white paper advocates “changing the way we fund some of the research and education in the US in cybersecurity” and makes specific recommendations.  It’s a good read and very thoughtful suggestions.  The second of his two suggestions can be summarized:

I suggest a program similar in nature to the MacArthur “Genius Grants” program: the ISPEG, or Information Security and Privacy Extended Grant. Some agency or agencies would provide ISPEG funding to a small number of researchers in multi-year fashion, to “do good things” in cybersecurity and privacy. The intent would be to fund these individuals without requiring specific proposals or highly structured budgets, and with minimal requirements for deliverables and constraints. The researchers would be encouraged to exercise vision and leadership to the betterment of the country and the field of cybersecurity. If they are carefully selected, this will naturally follow.

A small set of ISPEG awardees [should be] chosen annually. These individuals will be senior academic, tenured faculty, chosen on the basis of past accomplishments specifically in the fields of information security and privacy, and because of a commitment to service and education. [emphasis added]

I think this is a keen idea overall.  Several formal studies of scientific performance have shown that the most productive method for acheiving major research innovations is through senior, experienced researchers who have both freedom and adequate support over an extended period of time.  However, Spaf’s model is aimed at supporting only academic researchers and only those researchers who have been blessed by the academic system (“tenured”).  Yes, they merit this sort of support, but they aren’t the only people who can or should play in the advanced research arena. Therefore I want to propose another idea that could work in parallel with ISPEG.

Proposal: Information Security Pioneers Fellowship Program (ISPFP)

Here’s how it might work. A non-profit organization would administer the program and would be the “home” for a number of individuals (the “Pioneer Fellows”) who would have financial and institutional support for a period of time. In return for this support, they would serve as catalysts, leaders, orchestrators, and even program managers for innovative interdisciplinary research projects, esp. those that involve industry, academic, and government partners. They could also work on projects and activities that enable advanced research or help bring advanced research results to the masses: in education, industry, or government policy. For example, here are some specific project ideas that would be well suited for Pioneer Fellows:

• Organizing and leading multi-organization proposal teams for advanced interdisciplinary InfoSec research projects (“Broad Agency Announcments” from DARPA, DHS, NSF, NIST, others).
• Leading the specification and field testing of security metrics, e.g. Center for Internet Security’s consensus metrics , and also pilot implementations.
• Leading the design and implementation of a statistically robust survey of information security practices, metric results, and costs, to displace the current “Computer Crime and Security Survey” (CSI/FBI).  (“Statistically robust” would include random sampling of organization populations, for example.)
• Design and help implement a “Cyber CDC” for advanced vulnerability and threat research and intelligence.
• Organize, lead, and/or collaborate in international research projects. 
• Help integrate economics, organization science, and behavioral science into education, training, and certification programs for security managers and executives.

Being a non-profit (preferably 501c3), they could accept and administer donations from many sources — corporations, foundations, and government. This would open the door to funding from many sources, including organizations that don’t usually provide funding, including VCs, industry associations, privacy advocates, IT vendors and consultants of all stripes, etc.

The fellowship period and applicant qualifications are open to consideration.  Ideally, this program should be “idea capitalists”, knowing some people and ideas won’t payoff but others will be huge winners.  One thing for sure — we shouldn’t focus this program only on people who have been “officially” annointed by some hierarchy, some certification program, or by credentials alone. 

OK… now for all of you who might be frustrated with lack of action, this message is for you:  THIS IDEA COULD BE IMPLEMENTED IMMEDIATELY!

Sorry to shout, but I want that message to hit you between the eyes.

First, there are several candidates for host institution:

• Center for Internet Security
• Security Innovation Network (SINET)
• European Network and information Security Agency (ENISA)

Second, there are a good list of possible projects, not only the list above but also ideas from any of the reports listed at the top of this post. 

Third, there are plenty of good candidates for Pioneer Fellows.  Just look for the people who are already doing pioneer work on their own dime or in their “spare time”.

Fourth, the funding would probably start flowing if the right executives were in the same room at the same time, and someone with sufficient “gravitas” asked for the order.  $35K to $50K per major sponsor is reasonable and comparable to other sponsorship arrangements.  Ten major sponsors would fund 8 to 10 Fellows, assuming they paid full salaries. Once this is all in place, we could probably solicit a “foundational grant” from a major government agency to ramp up recruitment and other administrative parts of the process.

That’s a sketch of the idea.  What do you think?

After RSA, I’ll have more to say about how it came about, how it helps you and how very new school it is. But if you’re here, you should come get a deck at the Microsoft booth (1500 row).

]]> http://newschoolsecurity.com/2010/03/elevation-of-privilege-the-threat-modeling-game/feed/ 0 http://newschoolsecurity.com/2010/03/adam-signing-today-at-rsa/ http://newschoolsecurity.com/2010/03/adam-signing-today-at-rsa/#comments Wed, 03 Mar 2010 15:38:33 +0000 adam http://newschoolsecurity.com/?p=1396 I’ll be in the RSA bookstore today at noon, signing books. Please drop on by.

PS: I’m now signing Kindles, too.

In his first public speaking engagement at the RSA Conference, which is scheduled to open Tuesday, Mr. Schmidt said he would focus on two themes: partnerships and transparency.

I’m very happy that in a little under two years since we published the New School, transparency has taken a role on center stage. Obviously, I wouldn’t claim all the credit for that. At the same time, I’m happy that we’ve contributed to re-orienting people and accelerating this important change.

]]> http://newschoolsecurity.com/2010/03/howard-schmidts-talk-at-rsa/feed/ 0 http://newschoolsecurity.com/2010/03/the-economist-on-breach-disclosure/ http://newschoolsecurity.com/2010/03/the-economist-on-breach-disclosure/#comments Mon, 01 Mar 2010 20:19:01 +0000 adam http://newschoolsecurity.com/?p=1391 In “New rules for big data,” the Economist seems to advocate for more disclosure of security problems:

The benefits of information security—protecting computer systems and networks—are inherently invisible: if threats have been averted, things work as normal. That means it often gets neglected. One way to deal with that is to disclose more information. A pioneering law in California in 2003 required companies to notify people if a security breach had compromised their personal information, which pushed companies to invest more in prevention. The model has been adopted in other states and could be used more widely.

In addition, regulators could require large companies to undergo an annual information-security audit by an accredited third party, similar to financial audits for listed companies. Information about vulnerabilities would be kept confidential, but it could be used by firms to improve their practices and handed to regulators if problems arose. It could even be a requirement for insurance coverage, allowing a market for information security to emerge.

I think it’s cool. You don’t. Discuss.

]]> http://newschoolsecurity.com/2010/03/the-economist-on-breach-disclosure/feed/ 3 http://newschoolsecurity.com/2010/02/human-error-and-incremental-risk/ http://newschoolsecurity.com/2010/02/human-error-and-incremental-risk/#comments Tue, 23 Feb 2010 13:45:41 +0000 Chandler Howell http://newschoolsecurity.com/?p=1375 As something of a follow-up to my last post on Aviation Safety, I heard this story about Toyota’s now very public quality concerns on NPR while driving my not-Prius to work last week.

Driving a Toyota may seem like a pretty risky idea these days. For weeks now, weve been hearing scary stories about sudden acceleration, failing brakes and car recalls. But as NPRs Jon Hamilton reports, assessing the risk of driving a Toyota may have more to do with emotion than statistics.

Emotion trumping statistics in a news article?  Say it isn’t so!

Mr. LEONARD EVANS (Physicist, author, Traffic Safety): The whole history of U.S. traffic safety has been one focusing on the vehicle, one of the least important factors that affects traffic safety.

HAMILTON: Studies show that the vehicle itself is almost never the sole cause of the accident. Drivers, on the other hand, are wholly to blame most of the time. A look at data on Toyotas from the National Highway Traffic Safety Administration confirms this pattern.

Evans says his review of the data show that in the decade ending in 2008, about 22,000 people were killed in vehicles made by Toyota or Lexus.

Mr. EVANS: All these people were killed because of factors that had absolutely nothing to do with any vehicle defect.

HAMILTON: Evans says during that same period, its possible, though not yet certain, that accelerator problems in Toyotas played a role in another 19 deaths, or about two each year. Evans says people should take comfort in the fact that even if an accelerator does stick, drivers should usually be able to prevent a crash.

(bold mine)

From 1998 to 2008, about 2,200 people per year (out of a total of about 35,000 total vehicle deaths per year) died in Toyotas because of some sort of non-engineering failure.  During that same period, just under two people were killed per year due to the possible engineering failure.  So all this ado is about, at most, a 0.09% increase in the Toyota-specific death rate and a 0.005% increase in the overall traffic death rate.

So why is the response so excessive to the actual scope of the problem?  Because the risk is being imposed on the driver by the manufacturer.

Mr. ROPEIK[(Risk communication consultant)]: Imposed risk always feels much worse than the same risk if you chose to do it yourself. Like if you get into one of these Toyotas and they work fine, but you drive 90 miles an hour after taking three drinks. That won’t feel as scary, even though its much riskier, because you’re choosing to do it yourself.

And, lest we forget, even in the case where the accelerator did stick there was still a certain degree of human error:

Mr. EVANS: The weakest brakes are stronger than the strongest engine. And the normal instinctive reaction when you’re in trouble ought to be to apply the brakes.

My frustration is when I compare the reality of the data with most of the reporting on the subject, I think of Hicks’ Hudson’s NSFW “Game Over” rant. (Corrected per the comments.  Thanks, 3 of 5!)

After all, given that you’re more likely to die in your home (41%) than in your car (35%), you’re still statistically safer taking to the road than sitting home cowering in fear of your Prius.

Human error has been implicated in 70 to 80% of all civil and military aviation accidents. Yet, most accident reporting systems are not designed around any theoretical framework of human error. As a result, most accident databases are not conducive to a traditional human error analysis, making the identification of intervention strategies onerous. What is required is a general human error framework around which new investigative methods can be designed and existing accident databases restructured. Indeed, a comprehensive human factors analysis and classification system (HFACS) has recently been developed to meet those needs.

Consider that pilots, whether private, commercial, or military, are one of the more stringently trained and regulated groups of people on the planet.  This is due, at least in part, to the history of aviation.  As the report notes,

In the early years of aviation, it could reasonably be said that, more often than not, the aircraft killed the pilot. That is, the aircraft were intrinsically unforgiving and, relative to their modern counterparts, mechanically unsafe. However, the modern era of aviation has witnessed an ironic reversal of sorts. It now appears to some that the aircrew themselves are more deadly than the aircraft they fly (Mason, 1993; cited in Murray, 1997). In fact, estimates in the literature indicate that between 70 and 80 percent of aviation accidents can be attributed, at least in part, to human error (Shappell & Wiegmann, 1996).

One upon a time, operating an airplane was so dangerous that only highly-skilled experts could do it, and even then the equipment would get out of their control and crash.  Later (yet still almost twenty years ago), the equipment improved to the point that equipment failure no longer overshadowed operator error, but planes still get out of control and crash.

Other than the fact that pilots are almost universally still highly-skilled and/or trained operators, this doesn’t sound all that different from the evolution of computing.

Flight has obviously never really had the adoption rate explode like PC’s in the Age of the Web, but there is still a strong parallel between aircraft accidents and Information Security failures.  This assertion becomes even more true once the paper gets into James Reason’s “Swiss Cheese” model of understanding root causes of aircraft accidents.

Reason identifies four factors that interact with each other increase accident rates, which I’ll paraphrase as:

1. Unsafe Acts — This is the cause of the active failure (i.e. crash), such as a poor decision or a failure to watch the instruments or otherwise recognize the unsafe situation was forming or occurring
2. Preconditions for Unsafe Acts– Situations that increase risk of an accident, such as miscommunication between aircrew members or with others outside the aircraft, such as air traffic control
3. Unsafe Supervision– failures of management or leadership to recognize when they are, for example, pairing inexperienced pilots together in less-than-optimal conditions
4. Organizational Influences — Usually business-level decisions, such as reducing training hours to reduce costs

How familiar does this sound?  If you’ve ever read an IT Audit report, this should seem painfully familiar, even if only analogously.  The paper provides a strong taxonomy within each area, and I could easily drill down at least one more level into each one.  Read the paper to learn more and become a better professional problem solver, security-related or otherwise.

For example, using a real-world case I dealt with recently.  This is an easy example which ties the four levels together more neatly than many, so consider it an “Example-Size Problem” and extend as you see appropriate.

The incident was the loss of sensitive business information, which I personally believe hurt the company in a negotiation:

1. Unsafe Act:  The VP left his unencrypted laptop unattended while at a meeting — this was the Active Failure/Unsafe Act that led to the Mishap
2. Preconditions:  The VP assumed that others were watching his laptop, but did not explicitly confirm this fact
3. Unsafe Supervision:  Despite knowing that Executives are high-risk users with regards to sensitive information on their laptops, the IT Executive Support Team had recommended against deploying Full-Disk Encryption on executives’ laptops because they feared being held accountable if an executive lost information due to an encryption system failure
4. Organizational Influences:  While a Laptop Encryption Policy existed and specified that the VP should have been encrypted for multiple reasons, the policy was widely ignored, there was no cultural pressure to ensure that mobile information was protected, and thus compliance was unacceptably low.  No pressure to comply was generated by Executive management because the cost associated with doing so was considered to be prohibitive.

In this case, the damage (opportunity cost) of lost revenue due to that single lost laptop was many multiples of the complete cost of deploying a Full-Disk Encryption system.  Unfortunately, in the absence of a comprehensive analysis of the series of failures leading up to the unsafe act, the real root cause of an incident may be ignored or mis-assigned, leading to either an incomplete or unsustainable remediation course.

When incidents occur, it’s rare to see a true and honest assessment not just what went wrong, but why.  Too often, in fact, the culture seems to be to put it down to, “nobody could have predicted it.”  Reject these assessments.  To improve an organization, we must refuse to accept these explanations.  Instead, find the root cause–all the way up to the Organizational Influences–and then Fix It.