These came across the SIRA mailing list. They were so good, I had to share:
http://eight2late.wordpress.com/2009/10/06/on-the-limitations-of-scoring-methods-for-risk-analysis/
Thanks to Kevin Riggins for finding them and pointing them out.
Tag Archive for 'Science of Risk Management'
Longtime readers know that I’m not the biggest fan of GRC as it is “practiced” today. I believe G & C are subservient to risk management. So let me offer you this statement to chew on:
“A metric for Governance is only useful inasmuch as it describes an ability to manage risk”
True or False, why, and what are the implications if true or false.
Please discuss.
#newschoolsecurity
I’d like to wish US readers a happy Thanksgiving. For those outside of the US, I thought this would be a nice little post for today: A pointer to an article in the Financial Times,
“Baseball’s love of statistics is taking over football“
Those who indulge my passion for analysis and for sport know that I love baseball and love how the “Moneyball” approach challenged decades of dogma in the national pastime with scientific analysis. Today’s financial times discusses how Chelsea (“The Blues” – UK football team) collaborates with the Boston Red Sox (the most superficial bandwagon team ever in baseball) on decision making and analytics.
Best lines:
“Mike Forde, Chelsea’s performance director, visits the US often. “The first time I went to the Red Sox,” he says of the Boston baseball team, “I sat there for eight hours, in a room with no windows, only flipcharts. I walked out of there saying, ‘Wow, that is one of the most insightful conversations on sport I have ever had.’ It was not: ‘What are you doing here? You do not know anything about our sport.’ That was totally irrelevant. It was: ‘How do you make decisions on players? What information do you use? How do we approach the same problems?’”
and:
“Forde sees his task as “risk management”.
Huh.
Our friend Rich Mogull has an interesting post up on his blog called “Always Assume“. In it, he offers that “assumption” is part of a normal scenario building process, something that is fairly inescapable when making business decisions. And he offers a simple, pragmatic process for assumptions which is mainly scenario development, justification, and action. Rich’s process looks like this:
- Assumption
- Reasoning: The basis for the assumption.
- Indicators: Specific cues that indicate whether the assumption is accurate or if there’s a problem in that area.
- Controls: The security/recovery/safety controls to mitigate the issue.
Nothing earth shattering here. And like much of Rich’s work, there is an elegance, almost a minimalism to what he offers.
JUST BECAUSE I CAN’T LEAVE WELL ENOUGH ALONE….
What immediately struck me was how similar Rich’s assumption was to a little something I like to call “scientific method”. In scientific method, we essentially have (the following shamelessly pasted from Wikipedia):
- Characterizations (observations,[24] definitions, and measurements of the subject of inquiry)
- Hypotheses[25][26] (theoretical, hypothetical explanations of observations and measurements of the subject)[27]
- Predictions (reasoning including logical deduction,[28] from the hypothesis or theory) or the identification of distinct and (ideally) mutually exclusive possible discernible outcomes
- Experiments[29] (tests of all of the above)
So if we were to add to Rich’s assumption process above, we’d simply add the “experiments” bits up there. If we’re building controls in like Rich’s examples in his blog post, we might try a “test” that “penetrates” those controls (or, as I believe Richard Bejtlich smartly tries to get us to say, perform “Adversary Simulation”).
Also, though it will probably sour his stomach a bit, we’d also probably want to make Rich’s assumption steps a hamster-wheel-of-pain(TM) by suggesting that since every so often, the threat landscape will change which will challenge our assumptions/conclusions/hypothesis and so re-testing is necessary.
IF I HAD ANY INDICATION…
Rich does have a certain “informality” around his evidence “indication” step that I’d like to build upon. Let me offer that when discussing probability of failure in a complex IT system, there are only four basic categories of information indicators we need to consider in Information Assurance/Security/Risk Management/Protection/Whatever. There might be evidences around:
- Assets (the things we want to protect and their state)
- Threats (the things that want to harm our assets and their state)
- Controls (the things that resist the threats and their state)
- Impacts (the things that will happen if we are unable to resist the threat)
And if you’re going to look for clues to suggest whether there might be a problem, look no further than these basic categories for evidence. If you’d like, you can build structure around what “state” means for each category and further develop taxonomies and metrics and whatnot. That’s the fun bits and I’ll let you be creative rather than write too much this morning.
Note that where these categories applied to Assumption may break down is in discussing management capabilities (are we operating well enough and so forth). Rich’s assumptive process (must.resist.urge.to.make.acronym – RAP) can certainly be used here, I’m just not sure if there wouldn’t be a better taxonomy of indicators.
Hey y’all, happy Monday morning. I’ve put Dave & my presentation for Security BSides up on slideshare:
http://www.slideshare.net/alexhutton/mortmanhutton-security-bsides-presentation
Mortman/Hutton Security B-Sides Presentation
View more presentations from alexhutton.
Also note that this includes the Black Hat presentation we gave on the Mortman/Hutton Vulnerability/Exploit model. I hope you will enjoy!
PS – There’s probably audio available for the preso on the BSides site somewhere if you’re really interested.
What You’ve Said