My apologies.  I know I’m already late in writing a follow-up to my post on aggregate risk, but client work has been fast and furious lately (a Good Thing).  I’m still working on it though.  That said, I just can’t resist the need/desire to comment on someone else’s misleading post on the subject of risk analysis.

This time it’s Richard Bejtlick, who appears to be on the warpath again.  And, while Richard is extremely intelligent and well established as an expert in many security-related matters, I’d argue that he’s not an expert in risk.  It’s clear that he reads on the topic, but he appears to interpret it through an infosec lens which, I believe, tends to be badly distorted by some unfortunate/inaccurate biases in the industry.  That said, let’s examine some of his concerns and see what we can learn…

“False precision”

On this point, Richard and I agree — the notion of precision in risk analysis (whether infosec-related or some other form of risk) is absurd.  The future is uncertain, and risk analysis is fundamentally a discussion of the future.  A precise statement (i.e., prediction) of exactly when something will happen, or how often, or to what effect, just isn’t feasible in a complex problem space like risk.  Where Richard and I appear to differ, however, is in our understanding of what risk analysis is and isn’t.

Risk analysis isn’t (or shouldn’t be) put forth as a prediction of the future, but rather as a statement of probabilities given what’s known or believed.  Much like a statement that there’s a 1/36th probability of rolling snake-eyes given that a pair of dice has six sides each, and that the dice have independent probabilities.  Nobody in their right mind would believe they could predict on which roll the dice will come up snake-eyes, but it’s still very useful as a decision-maker to know what the probabilities are.

Analysis results also should reflect the degree of (un)certainty involved, so that people making decisions based on the analysis have realistic expectations.  This is where the use of distributions and ranges become very useful in portraying uncertainty and imprecision.  However, if I read Richard’s post correctly, he considers all risk analyses to be useless because they can’t predict the future (i.e., aren’t precise).

This “if it ain’t precise, it ain’t useful” position is one I run into frequently in the infosec community, presumably because the profession is made up of so many people with engineering backgrounds who are used to measuring things relatively precisely.  Or, maybe, Richard’s just pointing out that many risk analyses are flawed because they don’t do a good job of conveying the degree of imprecision involved.  He’s really not clear on that, and seems to paint the entire issue with a single broad brush stroke.

“Overweighting things that can be counted”

Here again, I tend to agree with Richard about the fundamental problem.  There is an unfortunate tendency to look around us for things that can be easily counted, and then assume that they comprise the whole picture.  This may not be as significant a problem if you’re dealing with something that has a large volume of relatively clean data to work from, but is a huge problem when good data is sparse.  For example, if I want to construct models of human life expectancy in order to profit as a life insurance provider, I can probably find enough good data to do so.  Unfortunately, in the infosec realm, good data is harder to come by.  As a result, models derived from available hard infosec data are much less likely to be complete/accurate.

What I’ve described above, however, is an inductive approach to modeling — i.e., evaluate data to derive a model.  The other approach to modeling is deductive.  I’ll spare you a long-winded comparison and let you research these further if you’re interested but, simply stated, a deductive approach constructs a model based on logical (and believed to be) true relationships between premises.  For example, a model that states “Loss events are predicated on threat events and vulnerability to those threat events” is logical and “true”.  We didn’t need data to construct that model — it just makes sense logically.

Does that mean that deductive models are always accurate?  Heck no.  They’re subject to potential problems too, but if they’re well thought-out they’re less likely to have the gaps an inductive model built on sparse data is likely to have.  Deductive models also act as a guide to knowing what data we need in order to perform analyses.

Keep in mind though, that “All models are wrong (i.e., imprecise), some are useful“.  As I’ve said before, the world is far too complex to model exactly.  Nonetheless, we should be looking for accuracy and a useful degree of precision in our models, which is entirely feasible.  Also, all models should be flexible enough to be adjusted as data and experience improves.

“Man with a spreadsheet syndrome”

Richard’s basic concern is valid — spreadsheets often connote a sense of validity that isn’t always warranted.  It isn’t logical, however, to conclude that because some spreadsheets (or other quantitative tools) are flawed, all must be.  Maybe that isn’t what he meant, but Richard tends to use a broad brush, so it’s hard to tell sometimes what he’s really saying.

At the end of the day, the validity of a spreadsheet boils down to model accuracy and the quality of data.  Since we’ve already covered models, I guess it’s time to cover data…

“A lot of guessing”

As Alex states, Richard (and others) toss the term “guessing” around like it’s an insult.  If what Richard means by “guessing” is “estimates made in the absence of perfectly complete and precise data“, then welcome, Richard, to reality.  All measurements in the real world are guesses to some degree.  I assume, however, that what Richard is concerned about is whether the estimates (guesses) are accurate.  The answer to that, of course, is “it depends”.

If someone asks me what the wingspan of a 747 airliner is, and I answer “Ummmm, I dunno.  A hundred feet?“, then maybe we have a problem.  For one thing, I’ve given a relatively precise answer (100 ft), but that answer may not be accurate.  If, however, I answer “Well, the wingspan is almost certain to be less than the length of a football field (300 ft) but greater than the length of my driveway (80 ft)” then I’ve made an estimate that isn’t precise but is much more likely to be accurate.  With a little work, I can probably narrow the range significantly (i.e., get better precision) and still be accurate (especially if I have access to a subject matter expert).  The question of whether it’s precise enough (i.e., is useful) is a matter of what I need to use the information for.  

Business decisions of almost any sort are based on imperfect and imprecise estimates of what might happen.  That’s reality.  As long as decision-makers are aware of and okay with the imprecise nature of the information they’re operating from, then it’s not a problem.  

What people seem to forget is that whether we perform formal analysis on a problem or not, a decision is still going to be made.  The question then becomes, is the decision-maker going to be using conclusions drawn from:

• Someone’s unstructured, undocumented, mental model and the “guesses” they apply to it, or
• A structured model that has been documented, examined, and evolved through use, and “guesses” that have been given due consideration

Either way, some model will be applied and guesses/estimates will be used.  The point of analysis is to give decision-makers better information than they would have had in the absence of analysis.

Bottom line — it seems like Richard has accurately recognized the existence of some of the fundamental challenges in risk analysis, but it feels like he’s drawn some extreme conclusions about their significance and the ability to effectively deal with them.  It could be, of course, that the problem is simply the manner in which he described his conclusions.  Perhaps he’ll respond and clear it all up.

RMI welcomes Jack Freund to the RiskAnalys.is blog…

Once again the 24-hour news cycle is buffeting us with “information” about the new risk that will surely end us all. I’ve received several “breaking news” stories in my email about the pandemic in the last few days. Russia is now taking the step of banning meat from several States and nations (despite it not being transmitted by meat). Clearly, we’re being told this is a serious risk.

Several years ago in a previous life, I participated in an avian flu preparation exercise in my large, telecom manufacturing company. The goal was to determine the extent to which a large-scale pandemic would disrupt business operations, and what kind of controls could be put into place to minimize them. This primarily took the form of a questionnaire that was given to every employee. When it came my turn to fill it out and I got down to the section where I had to decide if I could do my job from home or not, I quickly choose yes. Even if I couldn’t, I thought, I’d be a fool to say so and be forced to come into the office with all those other sick people.

I am certainly unqualified to comment on whether this is or will be the next new plague. However, let’s look at this from the perspective of your own organization and how this might contribute to your risk analyses.

The swine flu will effect most organizations in one direct way, and some other, not-so-direct ways. This is mostly a business continuity risk. If you are following a business continuity management system program (such as BS 25999) you should have identified the parts of your business that are a priority (typical large revenue-generating parts of your business). Remember that in a disruption, cash flow is paramount. Creating a business process map of these parts of your business will help when framing the risk scenarios that will be analyzed by FAIR.

So, what will these risk scenarios look like?

Well, clearly any part of the business that needs people to operate it, or needs people to input something manually has the potential to cause a disruption. This is anything from manufacturing, sales, processing, etc. Any part of your business that depends on people contact (such as retail sales) will also be affected.

What the process map will also tell you is that there are several external dependencies that need to be considered. These are the not-so-direct ways I mentioned above. Namely, reliance upon other businesses (B2B) will be at the mercy of those organizations’ continuity plans (be sure to do your second party audits). Anything from service, support, shipping, and supplies will be disrupted.

The loss magnitude side of the FAIR equation will have the following trajectory. There will be heavy losses on the productivity side of the equation. Clearly, if your people can’t come to work–either because they are too sick, frightened, quarantined, under government order not to leave their homes, or deceased (let’s hope not this one), work doesn’t get done. Response costs will exist, if for no other reason than the activation of your BC plans. Replacement costs are a tricky one for me. The most obvious control would be to have an alternate work facility that isn’t geographically near your primary one. However, this flu has already hit several countries and States. I’d be interested in hearing from you in the comments what you think about this one. For some organizations the answer will be to take the hit. On the secondary loss side, there are some issues. I doubt that there will be litigation (most contracts have a force majeure clause that would be argued). If the impact of the flu is evenly dispersed, then competitive advantage and reputation become less impactful.

The biggest takeaway is that the traditional ways of dealing with this type of outage (work from home and hot/warm/cold sites) may also be effected by the same outage. It’s easy to dismiss this risk as a low frequency high loss event, but that is exactly why FAIR has the unstable risk element. It shouldn’t be written off as crazy end-times talk, but should also be taken with a  grain of salt.

There are many other interesting risk angles in this event. For instance, how the recent memory of the 1918 avian flu goaded then President Ford into calling for nationwide vaccination, how in so doing the pharmaceutical companies had to forgo work in other areas, and how the side effects of the vaccine caused Guillain-Barré syndrome in many. Some believe that the cost to human lives was greater from the vaccine than would have occurred from the flu itself.

As for me, I’ll be stocking up on paper face masks, duct tape, and Pop Tarts. I’ll read your comments from my fortified basement bunker…

Please join me in welcoming Jack Freund as a contributor to this blog.  Jack is a certified FAIR analyst and has a boatload of experience in the information security profession.  Welcome Jack!

One of the questions I commonly encounter is “How do you take something like FAIR and apply it to a big problem, like measuring the aggregate risk within an entire organization?”  In order to keep this post from becoming too long, I’ll focus on the concepts of one approach in this post, and show a simple example in a following post.

Long time no post…  My sincere apologies, and I hope someone out there is still interested.  I guess I needed a little prodding, which Stuart King so kindly provided.  I’ve provided a response on his site, which I won’t repeat in its entirety here.  Suffice it to say that Stuart seems, on occasion, to rant about things he’s not fully informed on.  My friend Chris offers a couple of very good posts in response to Stuart as well.

On to something a bit more useful and, hopefully, interesting.  An acquaintance of mine recently showed me the controls analysis model he and his colleagues had developed.  It was very complex, full of interesting and sophisticated formula, and… weighted variables.  Argh.  I’ll save my comments regarding sophisticated formula for another post.  As for weighting, for those of you who haven’t heard me rant on this before, I’ll summarize:  weighted variables seem to me simply another way of saying “We believe X is more important than Y, but we haven’t taken the time to figure out why or by how much“.  In the absence of a clear underlying explanation for why/how much, I think it would be very difficult to rationally defend any degree of weighting that’s been applied.

Another problem is that weights are, in many cases, dependent on context.  For example, in his model, he had weighted authentication as more important than logging and monitoring.  And intuitively we might think, “Yeah, that seems right”.  But what about the scenario where the threat agent is the privileged insider - the person that legitimately has credentials and access?  In that case, wouldn’t logging and monitoring be more important? 

Bottom line - the concept of weighting is attractive but problematic.  If you’re going to use it, recognize some of the challenges that come with it.  Oh, and let me know if you’ve developed a set of rationale that you use to support the specific weights you’ve applied.

Those of you who are familiar with this blog probably recognize Alex Hutton as THE voice of RMI and FAIR, and for good reason.  For over two years now, Alex has earned a reputation as a spirited and thought-leading blogger who regularly pushed the boundaries of conventional wisdom, seeking to help the industry evolve.  Unfortunately for RMI, Alex has recently chosen to accept a position with Verizon.  To Verizon, I offer my sincere congratulations.  For myself, Alex has represented a marvelous business associate and continues to be a dear friend.  The good news is that Alex still intends to blog about FAIR and risk, and so the industry will continue to benefit from his wisdom and insight (and maybe a little incite), and he’ll still be an advisor to RMI so I’ll continue to have the opportunity to bounce my ideas off him.  Please join me in wishing Alex the best of luck in his new position and adventures.

As for this blog, Alex has expressed an interest in still contributing when possible.  I’ll also contribute more frequently in hopes that we’ll continue to make it worth your while to visit.

I have Five licenses for MicroSolved’s Personal Honeypoint Honeypot product to give away.  I’m using the OSX version right now at a coffee shop.  From what Brent Huston tells me, you can even arm this thing with their “defensive fuzzing” plug-in.  Great opportunity to get some TEF numbers against your laptop!

It’s available for OSX, Linux, and Windows.

First 5 comments leaving me their email address (don’t do it in the comment, just in the form so nobody else sees it) gets a license.

Today’s blog post is a quick catch up post on several fronts.

I LIKE PROFESSIONAL ASSOCIATIONS

First, Chris Hayes, David Mortman and I had the honor of being bought dinner by Mike Dahn.  Mike’s right, he and I are working towards the same goal, he’s just brilliantly practical about PCI and helping people.  To that extent, if you’re not aware already, I wanted to mention that Mike’s working with the Society of Payment Security Professionals.  And I think that’s awesome.

I’ve been known to really enthusiastic with my support for professional associations that focus on specific verticals add a lot of networking value.  Like Kelly Dowell’s CUISPA, As you think about the four landscapes we risk managers need visibility into (Loss Magnitude, Threat, Controls, & Assets) - professional associations can really add value in that there are informative similarities that can be shared when professionals are able to really establish trust relationships.  Let me encourage those of you with PCI concerns to look into The Society of Payment Security Professionals as a means to share information and maybe even gain some representation.   Also, Mike’s a great, very smart guy.

I’M SKEPTICAL ABOUT INCIDENT LOSS VALUES SOMETIMES

The Ponemon study is out.  Check out Adam’s prelim. analysis at EmergentChaos if you haven’t already.

DOCUMENTS FOR THE JERICHO-IZATION OF YOUR NETWORK

Via Crowmore.se:  Onewalldown.com and Cap Gemini have started publishing free .pdf’s on what Jericho networks look like.  Note to Cap Gem:  If you want me to read stuff that is marketing, putting dark text on a colored, semi-opaque background is ok.  If you want me to read a white paper, please make it easier to read.

My aesthetic whining aside, these are good, important documents.  If you haven’t thought about Trust Brokering, and you’re a security architect - you need to start.

PETE LINDSTROM HAS BEEN ON A ROLL

He and I don’t see eye-to-eye on everything, but he’s been posting well if you haven’t been reading them, and his last post on Thinking Strategically About Security Metrics is a starter and worth you’re read.

I like my four landscapes as a source of strategic thinking rather than his four strategic metrics sources - but they’re not at all dissimilar enough to keep us from thinking about how they might relate to each other.

real quick:  It might be worth noting that I wrote this the weekend before Heartland was announced.

So I was reading this excellent article on Taiichi Ohno and the Toyota Production System over at the Gemba weblog and something occurred to me; a potentially good reason for a company to use the PCI DSS as the basis for their ISMS.

Jack Jones has been reworking his essential value propositions of the CISO into the following:

1. Align Risk to Organizational Risk Tolerance
2. Create operational efficiencies

Regular readers will note that #1 there used to be “Reduce Risk” but there’s such a thing as too much risk reduction, so Jack’s updating it. I like the update, it sounds more like “aligning security to business objectives-y”.

Now when most people think about PCI, they think about “Security”. Mostly because they’re security professionals who have hitched their meal-wagon to PCI DSS. So they focus on PCI DSS being something that will help make you secure.  This is obviously nonsense.  There is no “secure”, there is only the reduction of the probable frequency with which you will be breached(1).

But what if there’s another reason to adopt PCI as a basis for your ISMS?

THE 5S’S

Japanese Lean management types talk about something called the “5S’s”. Popularized by Hiroyuki Hirano (but whose origins may come from Ford in the 20’s), the (Americanized version of) 5S’s are designed to eliminate waste in production.  The 5S’s are:

Sort - remove all items from the workplace that are NOT needed for current production.

Set in Order - arranging needed items so that they are easy to find and put away. Items used often are placed closer to employee.

Shine - making sure everything is clean, functioning, and ready to go.

Standardize - the method you use to maintain the first 3S’s.

Sustain - making a habit of properly maintaining correct procedures.

OPTIMIZING PCI-DSS WORKFLOW

Now the idea around the 5S’s is to optimize a manufacturing work space, as that will help reduce operational costs. But take a good look at the last two “S’s”, Standardize and Sustain. They suggest that if you focus on building processes that emphasize these elements - increased operational efficiency will follow.

So could we say that the PCI DSS is allowing us to all Standardize the controls we have in our work place (the network)? We have different vendors and different rigor in implementation, but we are getting the beginnings of a homogenized environment of controls (Monoculture?) that could lead to the development of efficiencies. Moreover, in developing the right procedures and guidelines for sustainability, it will be easy to spot areas for further resource reduction in the resources required to maintain the controls specified by PCI DSS.

(note: this would also apply to any ISMS - as long as a significant sub-cultre/cottage industry arises from it. ISO 27001 might be another example.)

ALEX’S 5S’S FOR ISMS MANAGEMENT

Can we use the 5S’s in how we manage risk? I think so. Here’s something I put together that uses the spirit of the 5S’s from manufacturing and applies it to the CISO role:

SORT/SEGMENT - The idea here is to remove the extraneous so that you can have laser-beam focus on the systems that house the sensitive data itself. That’s segmenting networks (part of PCI DSS), controls that identify and remove (or prevent) critical data from appearing on undesirable systems (like laptops, home systems, or vendor systems).

SET IN ORDER - The Toyota employee has their relevant tools at hand to do the job. In Information Security, we should be making relevant control data accessible and easy to understand (SEIMs and GRC aren’t the only or even best solution here).

SIMPLIFY - Complexity is the enemy of security. Make the flow of sensitive data as simple to manage as possible.

STANDARDIZE - Create the processes and guidelines that allow the security department to operate in a consistent fashion. Everyone should know exactly what their responsibilities are and make transitioning staff easier if/when that happens. In the current state of the industry, we could also apply the “Standardize” concepts to metrics & definitions.

SUSTAIN - Develop the risk management capability metrics and measurements that allow you to understand if you are sustaining your processes, and to what level they are sustained (and then ideally, how that level of sustained process impacts your exposure to risk).

Many of these are common sense, but the best suggested practices I’ve seen are short on discussing why they should be effective (in either an inductive or deductive manner).  This at least gives us a basis or even something as silly as a “mantra” to match these regulatory pressures to.

Finally, these aren’t a real replacement for what I believe is the most effective way to run a security department; an inductive, measured approach based on risk.  But if you are forced to construct solutions based on an architecture for security management that is less than optimal, these concepts might just help you master the ISMS, rather than the other way around.

======================

(1)And we’re starting to see that we can expect at least one or two of the companies that have PCI pressures (regardless of “compliance” state of nature) being breached in any given year (roughly).

This is somewhat of a follow up from my post on changing our attitude towards how we might best protect consumers that use credit cards.

In FAIR, there are three types of contact that drive the probable frequency of attacks:

• Random - The attacker stumbles across some treasure
• Regular - The attacker is in regular contact with an asset and finds a state for the probability of action (value, level of effort, risk of getting  caught)  that compels them to attack
• Intentional - The attacker is actively seeking to cause harm.

But those factors that drive frequency are only one half of the things that enable a threat to act against us.  Those other factors are those that drive the Probability of Action:

• Level of Effort - Does the attacker believe they have the skills and resources to carry out an attack?
• Value - Does the attacker believe it is worth their effort to attack?
• Risk - Does the attacker believe that the probability of getting caught, and the impact of getting caught are low enough to attack?

Here’s a nice visual aid:

SECURITY, OBSCURITY, OBFUSCATION

When people argue about security through obscurity, the crux of their argument is that obfuscation is generally ineffective against a determined attacker (1).  I think we can explain why using FAIR because the probability of action is high and the contact is intentional (in other words, they are motivated).

WHAT DOES THIS HAVE TO DO WITH PCI DSS?

I’m going to state that PCI DSS is not necessarily concerned with Detection and Response.  Once an organization that processes credit cards has been unable to prevent, you’re in some sort of trouble with somebody.  This is because PCI DSS is philisophically about preventing illicit access to credit card numbers.  As such, I think we can call it security through obscurity on a grand, grand scale. The controls we put in place and the compliance dances we perform with QSA’s are primarily(2) designed to show how “secure” we are, that is; our ability to prevent loss events.

IF PCI DSS IS SECURITY THROUGH OBSCURITY, THEN…

I’ll allow you to draw your own conclusions about its viability.  But before you do, let me offer this;  With retailers, banks, and processors all being involved, we might say that PCI DSS is the first significant attempt to secure a semi-private cloud.

======================

(1)  I think we could offer that obscurity, as a means of resistance, does have some value against random and regular types of contact.

(2) Sure there are detect and respond aspects to the DSS, but it is not clear how they help mitigate the actions of the most significant of secondary threat communities, the PCI itself.