Tag Archive for 'risk modeling'

For Blog/Twitter Conversation: Can You Defend “GRC”?

Longtime readers know that I’m not the biggest fan of GRC as it is “practiced” today.  I believe G & C are subservient to risk management. So let me offer you this statement to chew on:

“A metric for Governance is only useful inasmuch as it describes an ability to manage risk”

True or False, why, and what are the implications if true or false.

Please discuss.

#newschoolsecurity

The Cost of a Near-Miss Data Breach

Jerry escapes death, but is it cost-free?  (Image from tomandjerryonline.com)

If one of your security metrics is Data Breach Cost, what is the cost of a near miss incident? This seemingly simple question gets at the heart of security metrics problem.

Consider the gleeful Jerry Mouse in this cartoon. Tom the Cat has just missed in his attempt to swat Jerry and turn him into mouse meat. Is there any cost to Jerry for this near miss? Is Jerry’s cost any different than if he was running with Tom nowhere in sight?

By “near miss” I mean a security incident or sequence of incidents that could have resulted in a severe data breach (think TJX or Heartland), but somehow didn’t succeed. Let’s call the specific near-miss event “NM” for short. For sake of argument, let’s assume that the lack of attack success was due to dumb luck or attacker mistakes, not due to brilliant defenses or detection. Let’s say that you only discover NM long after the events took place. For simplicity let’s assume that discovering NM doesn’t result in any extraordinary costs, meaning that out-of-pocket costs are the same just before and immediately after NM. Finally, assume that your expected cost of a successful large-scale data breach is on the order of tens of millions, with the worst case being hundreds of millions of dollars.

How much does NM cost?  The realist answer is “zero”.  (Most engineers are realists, by disposition and training.)  There is a saying in street basketball that expresses the realist philosophy about losses and associated costs: “No blood, no foul”.  If you ask your accountants to pore over the spending and budget reports, they will probably agree. Case closed, right?

Not so fast….

Is risk management too complicated and subtle for InfoSec?

In his blog, Luther Martin has been advising caution about the use of risk assessment and risk management methods for information security. In many posts, he’s outright skeptical, and seems to be advising against it.  Here’s the most recent example, from the post “The two-envelope problem in risk management” [emphasis added]:

Does it make sense to never change your information security strategy? That’s a possible consequence of the so-called two-envelope paradox. This is a problem in probability theory that has confused students of probability theory for over 50 years.

[explanation of the problem and how it applies to InfoSec investments]

The bottom line is probably that probability is a complicated and subtle concept, which means that risk management, which relies on it, also is.

Luther and I agree on his bottom-line statement.  This stuff can be complicated and subtle.  It is easy for college-educated professionals and executives to make mistakes that lead to erroneous conclusions.  In fact, Luther’s own blog post is a case study in how easy it is to make mistakes.  

Luther uses the “Two Envelopes Problem” in probability theory as an example where Bayesian (subjectivist) probability methods seem to break down in paradox.  Here’s the problem and paradox, leaving out the math for now  (details at the end):

The player is given two indistinguishable envelopes, each of which contains a positive sum of money. One envelope contains twice as much as the other. The player may select one envelope and keep whatever amount it contains, but upon selection, is offered the possibility to take the other envelope instead ["switch"]. 

[...Bayesian analysis, leading to the decision to "switch", and then "switch" again, ad infinitum...]

As it seems more rational to open just any envelope than to swap indefinitely, the player is left with a paradox.

Following Wikipedia, Luther points out that “There’s a problem with this argument, of course, but it’s fairly subtle. Even specialists in probability theory don’t agree what the problem actually is,…”.  Luther then applies the Two Envelopes Problem structure to an analogous problem in information security (I’ll call it “Two Technologies”):

Now let’s suppose that we can’t find a flaw in the above argument and we apply it to our information security strategy. Let’s suppose that we have some initial set of technology, policies and procedures that end up giving us some exposure to risk that we’ll denote R, and if we change to a different set of technology, policies and procedures, we might either increase the risk to 2R or decrease it to R/2. If we apply the same reasoning that we applied above, we find that it never pays to change, because the alternative always has a greater than the risk than what we have now. This clearly doesn’t make sense, but it’s what you might get if you do a risk analysis that isn’t as careful as it could be.

This seems OK on the surface, but Luther has made a mistake in framing the Two Technologies problem.  Simply put, his Two Technologies problem is not structured the same as the Two Envelopes problem.  Therefore the Bayesian formulas for the Two Envelopes problem do not fit his Two Technologies problem.  Even if they did, a proper framing of the Bayesian analysis avoids the paradox. (For math details, see below.)

So, yes, probability and risk management can be complicated and subtle.  But Luther’s use of the Two Envelopes Problem and his attempt to construct the same problem in InfoSec only supports this conclusion through the “covert channel” of his own mistakes.

Is Luther implying that we shouldn’t even try risk assessment and management because it’s beyond our ken?  “Yes” seems to be the answer, if I understand his posts in the “risk” category.   What alternative to risk management is Luther proposing?  In another post, he suggests that we should just use trial-and-error to muddle through:

In the absence of reliable risk information, a similar approach to information security may be the best that we can do – just try different things and see which works the best. You might call this approach “experimental security.” There may be no better approach.

If someone can prove that risk assessment/management for InfoSec is impossible in principle, then Luther would be right.  But I know of no such proof of impossibility.  Just because we currently find risk management to be “complicated and subtle” doesn’t mean we should dump it.  We do need tools and frameworks that are up to the job and sufficiently usable to help ordinary people avoid the paradoxes and ratholes in the analysis.   As our academic colleagues would say: “further research is needed”.
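To make the “proper framing avoids the paradox” point concrete, here is an added illustration that is not part of the original post or of Luther’s: it computes the naive “switch is worth 5x/4” value beside the Bayesian posterior value under a proper prior over the smaller amount. The prior (the smaller envelope holds 1, 2, 4 or 8 units, equally likely) is a constructed assumption; any proper prior gives the same unconditional result. The naive argument silently assumes the other envelope is equally likely to hold 2x or x/2 for every x, which no proper prior can satisfy at its edges, and once the posterior is computed correctly the expected gain from always switching is exactly zero.

```python
from fractions import Fraction

# Constructed prior for illustration (an assumption, not from the post): the smaller
# amount s is equally likely to be 1, 2, 4 or 8; the envelopes then hold (s, 2s).
UNIFORM_PRIOR = {Fraction(s): Fraction(1, 4) for s in (1, 2, 4, 8)}


def naive_switch_value(x):
    """The paradoxical argument: whatever x I hold, the other envelope contains
    2x or x/2 with probability 1/2 each, so switching is 'worth' 5x/4 > x."""
    x = Fraction(x)
    return Fraction(1, 2) * 2 * x + Fraction(1, 2) * (x / 2)


def posterior_switch_value(x, prior):
    """Proper Bayesian framing: E[other envelope | I hold x] under a prior on s.
    I hold the smaller envelope iff s == x, the larger iff s == x/2; each envelope
    is picked with probability 1/2, so those two hypotheses are weighted by P(s)."""
    x = Fraction(x)
    p_x_is_small = prior.get(x, Fraction(0)) * Fraction(1, 2)      # s = x
    p_x_is_large = prior.get(x / 2, Fraction(0)) * Fraction(1, 2)  # s = x/2
    total = p_x_is_small + p_x_is_large
    if total == 0:
        raise ValueError(f"amount {x} cannot occur under this prior")
    # At the edges of the prior one hypothesis has zero weight, which is exactly
    # where the naive 1/2-1/2 assumption breaks.
    return (p_x_is_small * 2 * x + p_x_is_large * (x / 2)) / total


def switch_is_favorable(x, prior):
    """True when the posterior says switching from x has positive expected gain."""
    return posterior_switch_value(x, prior) > Fraction(x)


def expected_gain_always_switch(prior):
    """Unconditional expected gain of the 'always switch' policy, averaged over
    every (s, envelope) draw. For a proper prior this is exactly zero."""
    gain = Fraction(0)
    for s, p in prior.items():
        for held in (s, 2 * s):   # each envelope is chosen with probability 1/2
            gain += p * Fraction(1, 2) * (posterior_switch_value(held, prior) - held)
    return gain


if __name__ == "__main__":
    for held in sorted({a for s in UNIFORM_PRIOR for a in (s, 2 * s)}):
        print(f"hold {str(held):>2}: naive {str(naive_switch_value(held)):>5}  "
              f"posterior {str(posterior_switch_value(held, UNIFORM_PRIOR)):>5}  "
              f"switch? {switch_is_favorable(held, UNIFORM_PRIOR)}")
    print("expected gain of always switching:", expected_gain_always_switch(UNIFORM_PRIOR))
```

Switching still looks attractive for the small amounts (holding 1, the other envelope must be 2), but holding the largest possible amount the posterior says the other envelope is certainly smaller, and the two effects cancel exactly in expectation. Luther’s Two Technologies version has no such prior over “R”, which is one way to see why the envelope arithmetic does not transfer to it.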

(For mathematical details, read on…)

Thoughts on Bejtlich’s Information Security Incident Ratings

Check out Richard Bejtlich’s Information Security Incident Rating post. In it, he establishes qualitative, color-based scales for various asset-states in relation to the aggregate threat community.  As Richard states, he’s not modeling risk, but rather he’s somewhat modeling half of risk (in FAIR terms, an attempt at TEF/LEF/TCap information, just not the loss magnitude side).

I say “somewhat” modeling because what I find interesting is that Richard seems to be discussing probabilistic statements in the “greens” there (“my opinion/guess is that it would take some degree of force to compromise asset in question based on my admittedly incomplete knowledge of the control state”), and then adding to that nature-state assessments (“here is the current state of attack/compromise”) in the rest of the spectrum.

Now obviously the probabilistic statements would eventually require more effort once some substantial level of organizational maturity has been achieved, but this sort of asset-state spectrum would be useful in establishing high-level assessments of the asset landscape.  It would allow the CISO (esp. a new CISO who finds herself in an environment fraught with “unknown, unknowns”) to create a relatively quick view of enterprise “vulnerability” (to borrow FAIR’s concept) and help begin the achievement of knowledge around enterprise risk management capability.

Other uses could eventually contribute significantly to risk models.  Obtaining accurate current/past Category 3 (the orange there) information would be *really* useful for creating probabilistic statements around threat models and risk models.  As I mentioned above, the Vuln ratings can be broken down to assist risk and risk management modeling (yeah, I continue to maintain that they are two different things despite what all the standards out there say, more on that tomorrow).  Finally, studying time frames and abilities around the post-compromise state (Breach 3-1, there) around incidents would be useful in establishing risk management model belief statements, as well.

One small problem I would have using this on an aggregate level would be the lack of granularity around the threat community w/regards to “impact” levels 1-5.  I might not really care if a script kiddie is doing reconnaissance, but if the recon is coming from someone in an internal administrative role, a contractor who has privileges, etc…

That said, my significant problem with Bejtlich’s model there has to do with *why* he created it.  He asks:

What do you think of this rating system? I am curious to hear how others explain the seriousness of an incident to management.

To which my obvious response is, “why should management care about any of this when it doesn’t include impact”?  Even at its darkest colors, the scale is subject to what I call the tree falling in the woods problem – does vulnerability or compromise matter independent of an impact statement?  Without impact, are we just “multiplying by zero”?

More directly, can you imagine going to a CFO with this but without impact information?  Wouldn’t you kind of look foolish if you said, when questioned about (probable) impact, “Well, then we would be modeling risk, and you know we can’t do that”?
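The “multiplying by zero” point can be shown with a small FAIR-style calculation. This is an added example, not code from the post, from Bejtlich, or from the FAIR standard; it assumes triangular (min, most likely, max) distributions for threat event frequency (TEF), vulnerability and loss magnitude, and the three assets and their ranges are constructed for illustration. All three assets share the same threat activity and the same guess at the control state, so a frequency-only rating would score them identically; only the loss magnitude differs, and that is what separates an annualized loss of nothing from one in the tens of millions.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class FairInputs:
    """Minimal FAIR-style inputs (an illustrative subset, not FAIR's full taxonomy).
    Each range is (min, most_likely, max) for a triangular distribution.
    tef:  threat event frequency, events per year
    vuln: probability that a threat event becomes a loss event
    loss: loss magnitude per loss event, in dollars"""
    name: str
    tef: tuple
    vuln: tuple
    loss: tuple


def triangular_mean(spec):
    lo, mode, hi = spec
    return (lo + mode + hi) / 3.0


def expected_annual_loss(inputs):
    """Closed form: E[TEF] * E[Vuln] * E[Loss], i.e. loss event frequency times
    loss magnitude. With no loss magnitude this is zero however high TEF or Vuln are."""
    return (triangular_mean(inputs.tef)
            * triangular_mean(inputs.vuln)
            * triangular_mean(inputs.loss))


def simulate_annual_loss(inputs, trials=10_000, seed=7):
    """Monte Carlo: for each simulated year draw TEF and Vuln, let each threat event
    become a loss event with probability Vuln, and draw a magnitude per loss event."""
    rng = random.Random(seed)          # fixed seed so runs are reproducible
    yearly = []
    for _ in range(trials):
        lo, mode, hi = inputs.tef
        threat_events = int(round(rng.triangular(lo, hi, mode)))
        lo, mode, hi = inputs.vuln
        vuln = rng.triangular(lo, hi, mode)
        total = 0.0
        for _ in range(threat_events):
            if rng.random() < vuln:    # this threat event becomes a loss event
                lo, mode, hi = inputs.loss
                total += rng.triangular(lo, hi, mode)
        yearly.append(total)
    return yearly


def summarize(inputs, trials=10_000, seed=7):
    """Mean and percentiles of simulated annual loss, the numbers a CFO would ask for."""
    yearly = sorted(simulate_annual_loss(inputs, trials, seed))
    return {
        "asset": inputs.name,
        "mean": sum(yearly) / len(yearly),
        "p50": yearly[len(yearly) // 2],
        "p90": yearly[int(0.9 * len(yearly))],
    }


# Constructed assets: identical threat activity and control-state guess (so the same
# frequency-only rating), differing only in impact.
SAME_RATING = dict(tef=(10, 20, 40), vuln=(0.05, 0.10, 0.20))
NO_IMPACT = FairInputs("test-lab box", loss=(0, 0, 0), **SAME_RATING)
MODEST_IMPACT = FairInputs("internal wiki", loss=(10_000, 50_000, 200_000), **SAME_RATING)
SEVERE_IMPACT = FairInputs("cardholder DB", loss=(1_000_000, 5_000_000, 20_000_000), **SAME_RATING)

if __name__ == "__main__":
    for asset in (NO_IMPACT, MODEST_IMPACT, SEVERE_IMPACT):
        s = summarize(asset)
        print(f"{s['asset']:14s} closed-form ${expected_annual_loss(asset):>14,.0f}"
              f"  sim mean ${s['mean']:>14,.0f}  p90 ${s['p90']:>14,.0f}")
```

The closed-form product is what the rating scale leaves out; the simulation adds the spread (p50, p90) that turns “this asset is orange” into a statement management can weigh against the cost of a control.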