Results tagged “risk”

"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." -Albert Einstein

The subtitle for this piece could easily be "a whole lotta stupid goin' on." Is it something about summertime, or have we really gotten to a place in our civilization where we just can't progress any farther? It really seems like regression is the only option to which most people will avail themselves today. Attack the science, attack that which isn't understood, and let's just rely on supposition (or, so it seems).

I've been mulling this piece over for more than a week now as all the drama has played out in Congress around building up a better "cyberwar" capability (as if that's something well-defined and understood). At the same time there has been an up-tick in mindless rhetoric railing against risk assessment, analysis, and management. Quite frankly, it all belies woeful ignorance and a wanton disregard for the sane. In both cases we see people making wild claims about things they clearly do not understand. Risk management is more than qualitative risk assessment, and "cyberwar" is a delusion perpetrated by those who desire to FUD us into ceding yet more power to the Executive Branch.

There has been a lot of negative, cynical chatter lately about risk assessment and risk management. The average person doesn't understand it, and people who should understand it oftentimes throw up their hands in despair when citing examples such as the failures of Wall Street that led to the current economic mess. Unfortunately, all of this despair and cynicism seeks to throw out the baby with the bath water, as if to say that one bad apple spoils an entire orchard.

To me, I think the biggest challenges to risk management today lie in a few key areas: accountability, consequences, and formalized assessment methods. The first two areas are easy to explain. If you're doing a good job assessing and managing risk, then you can start holding people accountable for their decisions and actions. That accountability should then lead to consequences (positive or negative). Unfortunately, we live in an era where we fear failure, and thus pad ourselves, our families, our investments, and our country against suffering negative consequences. Without negative consequences, what is the point of managing risk?

I am getting really tired of listening to whining without posited solutions. Not only has the security subset of the blogosphere dried up over the last few months, but the whining seems to be increasing. Compliance has been the whipping boy du jour for most of the year, but risk assessment also appears to be back up for a beating this month. I think the worst part of it all is that the criticisms I've read typically lack the proper background research, or they end up being about other issues rather than being an attack on risk assessment itself.

There are several points that I want to discuss around these topics. First, from a regulatory perspective, we're still closer to living in the land of common law than we are to a modern governed society. There are limits to how effective that can be. Second, we need to make sure that we focus our energies on valuating the right things. There's a lot of churn about how certain words or concepts aren't estimable or have no intrinsic value, but it's a red herring argument. Lastly, and perhaps most importantly, we need to realize that the reason we are where we are today in infosec is a disconnect between actions and consequences. We now know that this must change.

More On Possibility and "Risk"

Hopefully few of you wasted time reading my rant Tuesday on possibility, probability, and an analyst who really got my goat. Today, instead of ranting I wanted to revisit this whole "possibility is not probability" notion, and particularly its relationship to risk and risk management. The main goal here is to put a stake in these semantic games once and for all and make some very clear points. We'll see how I do...

The problem with the overly simplified "possibility is not probability" line of argument, in a risk management context, is that it doesn't speak to key attributes of risk. At its most fundamental, "risk" is a matter not just of the threat or vulnerability, but also of the likelihood it will be exposed, the likelihood it will be attacked, and the overall impact should it come to fruition. When we talk about risk, we have to consider all of these factors as they apply to our specific environment. You cannot take any one attribute and jump to a risk assessment generalization that applies equally to every situation or environment.

BeFUDdled by Risk

"You keep using that word. I do not think it means what you think it means." -Inigo Montoya in The Princess Bride

In the past couple months I've come to hate the word "risk" and its associated phrase "risk management." It's not because risk itself is inherently bad or wrong, or that the need for good, quality risk management has changed. Rather, it's the overuse and misuse of the term that is really grating on me. Despite a lot more talk about risk, it seems that it's even less understood and even more poorly defined than ever before.

Perhaps the most egregious "risk" annoyance is its constant use as a FUD hammer for pushing products or agendas. It seems that every time we turn around, somebody is proclaiming that something is a HIGH RISK (bold, all caps, exclamation, exclamation, exclamation, omg we're all gonna die!). Unless, of course, we buy their product or support their agenda.

A couple weeks ago I attempted to provide a new analogy for how much of risk assessment seems to be performed these days (see "Dowsing Your Way Through Enterprise Risk"). That post received a lot of comments, but it seems to have missed the mark completely. Looking back now, it's a poorly written post that lacked clarity of point and purpose. So, allow me to recast the article in a different light.

I let myself get caught up in a pointless twitwar yesterday, during which I took much abuse from my opponent for basically disagreeing with the assertion that you can just walk into an organization and "know" what is and is not important without doing some degree of assessment. His later point was that you don't need to do a "full" assessment, which is correct and not my point.

My point, quite simply, was this: dowsing (or "divining") is no way to assess or manage enterprise risk. Dowsing is the ancient mystical practice of using a dowsing rod to find water hidden underground. To this day, well water is a very important commodity. In olden dayes, technology did not exist for finding sources, and so divining came into practice. Using the divining rod (or dowsing rod), a skilled individual could walk around an area, feeling mild tremors through the rod. The skilled individual would then move around until these tremors were maximized and the rod pointed down to the source of water.

In many ways, risk assessment today is exactly like dowsing. We walk into organizations with some mystical methodology that assesses pseudo-risk and then we act as if we've done something that is in fact truly legitimate and well-founded. The problem, of course, is one of repeatability. The INFOSEC Assurance Methodology (IAM) tries to specifically address this concern by setting up the System Criticality Matrix, but there are potential weaknesses in this approach. Similarly, FAIR leverages Bayes for providing reasonable modeling in the absence of real data. [6/4: correction - Bayes requires data, just provides model based on knowledge-state instead of nature-state]

Both cases are challenged, however, and are at best "science" in the way of the "social sciences" (or so-called "soft" sciences). The problem, quite simply, is that there is no reliable way (today, anyway) to quantify a qualitative value. As such, we're stuck with gut instinct in assessing risk ratings, challenged in trying to come up with a consistent, reliable, and accurate method. If the method cannot withstand rigor, then it's not particularly sound or scientific.

This problem is one that is being actively researched. Notable figures like Alex Hutton (formerly of RMI and currently of Verizon Business) talk about this frequently: that enterprise risk management is a broken field that lacks scientific rigor. In my mind, this is spot on, and fully analogous to the state of the security industry. Gunnar Peterson, I think, captures this perfectly in his comment that "It's too bad but assumptions of yesteryear lead to building things on shaky foundations." His notable chart tells the story:

Similar to the lack of innovation and growth in infosec, where the world still revolves around firewalls and SSL, so does risk management revolve around pseudo-quantitative risk assessment that is based on qualitative assessments of varying degrees of reliability that are then converted to numbers, or otherwise averaged out. Dowsing risk in the enterprise is no way to live, and a good way to get completely off-track. Let's hope the future reveals a better way to exist.

My friend Wade recently posted his thoughts on how to go about building a security team. For the most part, I found his comments to be spot-on, with one major, glaring exception. At the end of his post, he starts talking about getting into planning and measurements once you have your team in place, overlooking one major area: risk management.

Now, in his defense, Wade's objective was sharing his thoughts on how to build a good security team, starting with a good security manager who actually understands things. You cannot simply put a well-connected talking head in place and expect them to be successful managing security without the necessary technical know-how to grok what is going on. That being said, choosing who to hire and when to hire them, as well as making decisions about what technologies to leverage within your security team, must be based on sound risk management principles.

When I'm talking about "risk management" here, I'm really talking from a high level, and I'm including risk assessment and measurement as part of the equation. Plain and simple, if you're charged with building a security team and managing security objectives, one of your top challenges will be prioritization of work and resources. With security, it's very easy to let oneself slip into semi-anarchic ways where you are quickly overwhelmed by all that needs to be done. In order to keep the tigers at bay you need to make use of sound decision-making practices that prioritize your workload on a few criteria.

Ever since I took Systems Engineering I in my masters program at GW, I've viewed information security and risk management a little differently. In fact, as I've matured over the years, I've come to view the field(s) through multiple lenses, and continue to seek out new perspectives. From Systems Engineering, I learned to view risk as a systematic problem that required fault tolerance and that needed to balance the cost of solutions against the effective reduction of loss potential. This approach is also very compatible with the "risk resiliency" approach that my current employer is favoring in their marketing pitch, and something that I've naturally latched onto as being similar to my style of communication around risk management.

To that end, I had an opportunity to meet with Dr. Vernon Grose of the Omega Systems Group this week. His organization has been providing systematic risk management services for a few decades. In particular, his methodology has a couple key components that I found to be particularly interesting. First, Omega advocates a top-down workshop approach to initiating risk assessment as a lead-in to making risk management decisions. This workshop has some similarities to the NSA IAM/IEM approach, but differs by focusing on the executive/strategic level, making use of scenarios for planning. Second, Dr. Grose brings to bear a systems engineering approach to risk management wherein all scenarios are evaluated against a minimum of 3 countermeasures, looking uniquely at the costs of reducing or eliminating the losses associated with a given risk scenario based on a refined ranking approach.
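The scenario-and-countermeasure evaluation sketched above, combined with the earlier point that the same vulnerability carries different risk in different environments, as a small added example in Python. This is my illustration, not code from the original posts and not the Omega Systems Group, NSA IAM, or FAIR method; risk is modeled as exposure likelihood times attack likelihood times impact, every scenario must be scored against at least three countermeasures, and all scenario values, costs, and reduction factors are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Scenario:
    """One risk scenario in one environment (all values constructed)."""
    name: str
    p_exposed: float    # likelihood the weakness is reachable in this environment
    p_attacked: float   # likelihood it is attacked, given that it is reachable
    impact: float       # loss if the attack succeeds (currency units)

    def expected_loss(self) -> float:
        # The post's risk attributes combined: exposure, attack, and impact.
        return self.p_exposed * self.p_attacked * self.impact


@dataclass(frozen=True)
class Countermeasure:
    """A control with a cost and the fraction of each risk factor it leaves behind."""
    name: str
    cost: float
    exposure_left: float = 1.0   # 1.0 means the control does not change exposure
    attack_left: float = 1.0
    impact_left: float = 1.0

    def apply(self, s: Scenario) -> Scenario:
        return Scenario(s.name,
                        s.p_exposed * self.exposure_left,
                        s.p_attacked * self.attack_left,
                        s.impact * self.impact_left)


def rank_countermeasures(scenario: Scenario, options: List[Countermeasure]) -> List[Dict]:
    """Score each countermeasure by loss removed minus its cost, best first.

    Enforces the rule that every scenario is weighed against at least three
    countermeasures; fewer than three is rejected rather than silently ranked.
    """
    if len(options) < 3:
        raise ValueError("evaluate each scenario against at least 3 countermeasures")
    baseline = scenario.expected_loss()
    rows = []
    for cm in options:
        residual = cm.apply(scenario).expected_loss()
        reduction = baseline - residual
        rows.append({
            "countermeasure": cm.name,
            "cost": cm.cost,
            "residual_loss": residual,
            "loss_reduction": reduction,
            "net_benefit": reduction - cm.cost,
        })
    rows.sort(key=lambda r: r["net_benefit"], reverse=True)
    return rows


# Constructed example: the same unpatched service in two environments.
INTERNET_FACING = Scenario("unpatched service, internet-facing", 0.9, 0.5, 200_000)
INTERNAL_ONLY = Scenario("unpatched service, internal segment", 0.1, 0.5, 200_000)

# Constructed countermeasures with hypothetical costs and effects.
OPTIONS = [
    Countermeasure("accept as-is", cost=0),
    Countermeasure("patch", cost=5_000, attack_left=0.1),
    Countermeasure("network segmentation", cost=20_000, exposure_left=0.1),
    Countermeasure("backups and recovery plan", cost=15_000, impact_left=0.25),
]


if __name__ == "__main__":
    for s in (INTERNET_FACING, INTERNAL_ONLY):
        print(f"{s.name}: expected loss {s.expected_loss():,.0f}")
        for row in rank_countermeasures(s, OPTIONS):
            print(f"  {row['countermeasure']:<28} net benefit {row['net_benefit']:>10,.0f}")
```

Running it shows why a single attribute cannot be generalized: the identical weakness is a 90,000 expected loss when internet-facing and 10,000 on an internal segment, and segmentation ranks second for the former but last for the latter because its cost exceeds the loss it would remove there.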

Published in BT Initiatives

I'm happy to announce my first publication (included below). It's for my employer, so probably not a huge deal to anybody reading this, but for me it's a nice milestone. It's in the May 2008 edition of Initiatives, titled "Evolving Risk Resilience." Risk resilience is our new theme within security consulting. Since you cannot eliminate risk, you instead need to become resilient to it (sounds like a very British term - we used to call it risk tolerance, I believe, but whatever).

This blog is licensed under a Creative Commons License.