Friday, December 05, 2008

Risk metrics should drive security, without dictating it

How precise do risk measures need to be in order to be of value to an organization? Is it necessary to calculate an annual loss expectancy (ALE) for each type of information security risk in order to justify security decisions? For better or worse, most organizations have settled on a security budget that is a fraction of the overall IT budget, which in mature companies remains a steady proportion of annual revenue.

Given the challenge of putting together credible loss numbers across the range of identified threats against the organization, it doesn’t make much sense to try to optimize budgets purely against a risk forecast. Instead, security is best treated as a constraint in decisions to optimize revenue, operating costs, profit or other key measures. Protection for critical assets needs to cross an “adequacy” threshold. Conversely, when changes stress or stretch protection capabilities to the point of exposing critical assets to threats, the information security function begins raising the case for change.

So if risk management is more about being on the right side of a threshold, as is literally specified in the EU Privacy Directive / US Safe Harbor guidance, then precision is not nearly as important as confidence. Polling organizations such as Gallup work to a margin of error of 2% because the difference between winning and losing a contest is often very close. In contrast, safety and security decisions, i.e. "we need to act, now," can become clear with margins of 10-15% or more. As an example, if the brakes on the family minivan squeak and start slipping, it's time to get them replaced.

With the help of a few reasonable, simplifying assumptions, it is possible to make trustworthy risk-based decisions based on just two critical metrics: security control coverage, and information asset exposure.

These assumptions are as follows:
1. The impact of security incidents is best characterized in financial terms, i.e. information security incidents have the potential to affect current and/or future costs, and current and/or future sales. (Health and safety critical environments are an exception that should be treated differently.)
2. The value that IT security provides to an organization comes from decreasing the frequency and severity of security incidents by:
a. Preventing incidents from occurring whenever possible
b. Detecting relevant events where and when they occur, and mobilizing an effective response to minimize the damage and restore normal operation as quickly as possible.
3. Security control coverage is a leading indicator of risk to information systems, business processes and data.

Based on these assumptions, two key metrics for decision makers can persuasively frame the security “threshold” decision without requiring an unreasonable level of precision:
1. Information asset exposure: a measure of the relative contribution of that asset to the current and future revenue of the organization.
2. Security control coverage: a measure of the number and type of industry best practice recommendations implemented independently as layers of protection on each asset and process owned or used by the organization to serve its customers and stakeholders.
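To make the threshold idea concrete, here is a minimal sketch of how these two metrics might be combined to flag under-protected assets. The asset names, exposure shares, coverage scores, and the 0.7 threshold are all hypothetical illustrations, not values prescribed by the post:

```python
# Sketch: flag assets whose protection falls below an "adequacy" threshold.
# Exposure = share of revenue the asset supports; coverage = fraction of
# applicable best-practice controls implemented. All values are invented.

ASSETS = {
    "order-processing": (0.60, 0.9),
    "customer-db":      (0.30, 0.5),
    "intranet-wiki":    (0.02, 0.3),
}

def needs_attention(exposure, coverage, threshold=0.7):
    """High-exposure assets must meet the coverage threshold."""
    return exposure >= 0.10 and coverage < threshold

flagged = sorted(a for a, (e, c) in ASSETS.items() if needs_attention(e, c))
print(flagged)  # → ['customer-db']
```

The point of the sketch is that the decision turns on a coarse threshold comparison, not on a precise loss forecast.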

As an example, consider a company with $120 million in annual sales, $150 million in assets, 500 employees, tens of thousands of current and former customers, market capitalization of $110 million, and an operating margin of about 18%. Based on these estimates, here’s a quick back-of-the-envelope estimate of the scale involved in information protection decisions:

$120 million in annual sales works out to about $330,000 per day, or between $10,000 and $25,000 per hour depending on how sales concentrate in the business day. So to this company, the loss of several hours of downtime from a key system or systems, plus incident handling costs and lost worker time, etc. can run from $150,000 to $200,000.
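The arithmetic above can be sketched in a few lines. The eight-hour outage length and the $50,000 incident-handling figure are illustrative assumptions chosen to show how a loss lands inside the quoted range:

```python
# Back-of-the-envelope downtime cost, using the sales figure from the post.

ANNUAL_SALES = 120_000_000

per_day = ANNUAL_SALES / 365      # ≈ $329,000 of sales per day
per_hour = per_day / 24           # ≈ $13,700/hour, averaged around the clock

outage_hours = 8                  # assumed outage length
incident_handling = 50_000        # assumed responder cost, lost worker time, etc.

loss = outage_hours * per_hour + incident_handling
print(round(loss))                # ≈ 160000, inside the $150k-$200k range
```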

According to a 2006 report from the Association of Certified Fraud Examiners, the median fraud loss for asset misappropriation (skimming, payroll fraud or fraudulent invoicing) is $150,000.

Forrester estimates that a privacy breach costs between $90 and $305 per record to address; the Ponemon Institute provides a similar number. Based on those estimates, losing personal information on 5,000 customers would result in costs of between $450,000 and $1.5 million.
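Applying the Forrester per-record range directly gives the order of magnitude involved:

```python
# Per-record breach cost applied to a 5,000-record loss.
RECORDS = 5_000
COST_LOW, COST_HIGH = 90, 305     # Forrester's per-record estimate, in dollars

low, high = RECORDS * COST_LOW, RECORDS * COST_HIGH
print(low, high)                  # → 450000 1525000
```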

Asset exposure, described as a fraction of revenue, is a linear function: the longer the downtime, or the more records exposed, the higher the cost. But as described in an earlier post, security is not linear. In a population of systems connected by trust relationships, a failure in server A can lead to a compromise of servers B, C, D and on down the line.

Earlier this year, Verizon published a Data Breach Investigation Report based on follow-up on over 500 cases across a four-year period. While there’s much to take away from the results, two measures stand out in terms of shaping risk decisions: 85% of identified breaches were the result of opportunistic attacks, and 87% were considered avoidable through reasonable controls. That is, security control coverage provides a strong leading indicator as to the likelihood of experiencing a security breach.

So, given an operating margin of 18% (roughly average for the S&P 500) it could take $5 to $6 of additional revenue to make up for each dollar lost due to a security incident.
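That multiple follows directly from the margin:

```python
# Revenue needed to replace each dollar lost, at an 18% operating margin.
OPERATING_MARGIN = 0.18

revenue_per_dollar_lost = 1 / OPERATING_MARGIN
print(round(revenue_per_dollar_lost, 2))   # → 5.56
```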

Against these measures, determining levels of acceptable risk becomes a much more straightforward exercise without the need for precise risk forecasting. Instead, it becomes a question of risk tolerance: will the extensions to the customer-facing systems generate enough new revenue to justify exposure to some of the scenarios listed above?

Metrics can frame the issues, but ultimately the business has to drive it.

Sunday, October 26, 2008

Can you afford bad security?

Amid the current economic turmoil and uncertainty, it's becoming clear that the global economy is slowing, pressuring organizations of all sizes to compete more intensely for revenue while taking an even harder look at reining in costs. These concerns cascade through the overall project portfolio to IT and security in the form of two very basic questions: What do we need? What can we afford?

In a company fighting for its survival, talking to management about improvements in information security may seem as relevant as changing the locks on a burning building. Naturally, fire is an immediate threat to an asset and its contents, but over a longer time horizon so is the risk of theft … or foreclosure.

Bottom line, some organizations can afford bad security. Others can’t. In some situations, immediate survival concerns will temporarily trump long term protection goals. But as the market meltdown in the United States in 2008 is showing us, it is just as plausible to see that relaxing key control requirements for short term profitability puts entire companies, and even markets, at risk.

The only way to get this right is to view security in light of the survival needs of the firm, and measure it to the same standard of every other investment. In the past, information security hasn’t been held to this standard, mostly due to measurement challenges. Hopefully, for the good of the profession as well as the entities we protect, those days are over and we can take up the challenge of proving our value more accurately and more persuasively than we have in the past.

“What the CEO wants you to know”
In 2001 Ram Charan wrote a gem of a book called “What the CEO Wants You to Know,” distilling business acumen into the effective management of five core measures of business health: cash, margin, velocity, growth and customers. Charan: “Cash generation is the difference between all the cash that flows into the business and all the cash that flows out of the business in a given time period …it is a company’s oxygen supply” [pp. 30-31]

Margin is the difference between the price and cost of goods sold, while velocity is the rate at which those goods are sold. Growth includes expansion (more sales) and extension (new markets) while the Customers category represents how well the organization responds and aligns with market demands.

Naturally, some of these needs can become tactical and immediate while others are more strategic in nature. But all must be functioning effectively for a company to succeed, and any threat to these measures ultimately threatens the health of the company.

“What the CISO wants you to know”
If the five factors above represent the keys to a successful business, then good security is important to a company only to the extent that it affects those factors. If there’s no impact on customers, growth, etc. then there’s no value to security. Or, as your CFO probably read in school:

“A potential project creates value for the firm’s shareholders if and only if the net present value of the incremental cash flows from the project is positive.” [Brigham and Ehrhardt, Financial Management: Theory and Practice, 11th Edition, p.389]

Security issues expressed in terms of cash, margin, velocity, growth and customers, and measured in terms of net impact to the company have the best chance of resonating with decision makers.

Gordon and Loeb propose a three-dimensional cybersecurity cost grid as a tool for building that business case. The authors suggest failures of confidentiality, integrity and availability are to be analyzed in terms of direct and indirect costs, as well as explicit and implicit costs.

For me, the distinction between indirect and implicit didn’t seem as compelling as the difference between a net positive or negative effect on security, so I started segmenting the effect of security across Charan’s five categories this way:

Of course, measuring it is the real trick. But there are quite a few resources available to help with that...

Wednesday, July 30, 2008

Developing an information security strategy using attack graphs

In medium and large organizations, the process of developing and implementing an Information Security Management System (ISMS) as specified in ISO 27001 can take substantial time and resources. But for many organizations, a long-term slow developing program may not be practical.

In this setting it’s important to focus on making existing security data actionable, rather than spending weeks or months generating the information needed to prioritize enterprise risks.

Typically attack graphs aren't used in this context; they’re more often applied as a theoretical threat modeling tool. But because they show relationships between assets, exposures, vulnerabilities and expected threats, they’re perfect for the sort of forced ranking prioritization that a low-overhead ISMS requires.

So what is an attack graph, and how is it useful?

In a nutshell, an attack graph is a map of information assets, infrastructure, applications and systems connected by exploitable vulnerabilities. An attacker who wants to gain access to an information asset will seek the lowest “cost” path through the environment, where cost is measurable in terms of time, effort, or risk of detection or prosecution.

Some vendor tools automate the mapping of network assets, vulnerabilities and exposures between all systems on a network. But the end result is typically a graph with hundreds of systems and thousands of connections – even for relatively small networks.

This generates an enormous amount of data, which must then be reduced to a critical, actionable set. It also tends to bias the analyses towards technical vulnerabilities – while for an insider threat the process and compliance gaps may be more significant.

Instead, the illustration below shows an abstracted attack graph that represents nodes as populations of vulnerable systems, instead of each individual system:

A distinction between nodes is only necessary to the extent that it represents a trade-off from the perspective of the network security manager, and influences the potential effectiveness of an attacker.

This view approaches the environment from a threat perspective. An attacker external to the organization who is going after the customer database doesn’t need to compromise multiple end user devices; just one of them. Once inside the network, they can then use that system to target the database directly (query via user account) or indirectly (compromise the server hosting the database application.)

If each node represents an accountable system owner, or platform manager, and each line between nodes represents an exploitable exposure, the overall view provides a very straightforward model to represent trade-offs that each team can use to determine critical “upstream” and “downstream” exposures. Risk acceptance or mitigation decisions here are as much driven by context as they are by vulnerability ratings – which is exactly the point; a risk should be acceptable to an organization only if the impacted downstream teams are not exposed as a result. The owner of a vulnerable system should not be allowed to accept a risk in isolation on the basis that such a system “doesn’t contain anything important.”
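The "lowest-cost path" framing from the attack graph discussion above can be sketched with a small shortest-path computation. The graph below is a hypothetical abstraction (nodes are populations of systems; edge weights are relative attacker cost in time, effort, or detection risk), not data from any real network:

```python
import heapq

# Hypothetical abstracted attack graph. Node names and edge weights
# are illustrative assumptions.
GRAPH = {
    "internet":          {"end-user-pc": 1, "web-server": 3},
    "end-user-pc":       {"db-query-via-user": 2, "app-server": 4},
    "web-server":        {"app-server": 2},
    "app-server":        {"customer-db": 1},
    "db-query-via-user": {"customer-db": 1},
}

def cheapest_path_cost(graph, start, goal):
    """Dijkstra's algorithm: the lowest-cost route an attacker could take."""
    heap, seen = [(0, start)], set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node == goal:
            return cost
        if node in seen:
            continue
        seen.add(node)
        for nxt, weight in graph.get(node, {}).items():
            heapq.heappush(heap, (cost + weight, nxt))
    return None  # goal unreachable

print(cheapest_path_cost(GRAPH, "internet", "customer-db"))  # → 4
```

In this toy graph the cheapest route runs through a compromised end-user device and a direct database query via the user's account, which mirrors the attacker reasoning in the paragraph above: raising the cost of the cheapest path, not every path, is what improves security.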

Without much coaching, a few principles and conclusions should quickly become apparent, even to non-technical business managers:
Perimeter security matters. Putting an enforced, monitored boundary between the attacker and the assets to be protected improves security.
Defense in depth matters. To the extent that an attacker must compromise several systems without being detected, it greatly reduces their chance of success. For example, assume a 50% chance of success for each of the following three attacks: first to compromise an end user device, then a trusted server in the data center, and finally security measures on the system hosting the database. The probability of success is 0.5 * 0.5 * 0.5 = 12.5%
Least-privilege access matters. Any steps an organization can take to “break” the connections between systems in an environment will improve security by giving an attacker fewer paths to reach a critical asset.
Linear investments in security won't produce linear results. Patching 8 out of 10 servers doesn’t make a company 80% secure. If an attacker can scan for the two vulnerable systems without a high risk of being detected, the cost of attacking the environment hasn’t increased. The asset remains as vulnerable as if only 1 or 2 servers were patched.
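The two quantitative points in the list above can be checked in a few lines, using the 50%-per-layer and 8-of-10-servers figures from the post:

```python
# Defense in depth: three independent layers, each with a 50% chance of
# being defeated, multiply out to a much lower overall success rate.
p_layer = 0.5
p_breach = p_layer ** 3
print(p_breach)        # → 0.125, i.e. 12.5%

# Non-linear payoff of patching: as long as any scannable server remains
# vulnerable, the asset is still exposed.
servers, patched = 10, 8
unpatched = servers - patched
asset_exposed = unpatched > 0
print(asset_exposed)   # → True
```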

Once the planning process has prioritized the key risks, it may be time to graduate to a more formal, more granular view of the network. There are a number of open source and proprietary approaches to visualizing an entire environment and driving remediation down to each specific configuration vulnerability. But if you’ve won over management with a high level model that allows them to participate in the process and drive decision making, the hard part is done.

Tuesday, July 08, 2008

Risk Management: accept, transfer, avoid, mitigate risk ... or none of the above?

When dealing with information security risks, the range of available options is typically to accept the risk, transfer it, avoid it, or mitigate it by implementing security controls. But these aren't the only options, and in some circumstances there's actually a better choice: transform the risk.

A certain large pharmaceutical organization--which I will not specifically mention--for years manufactured an over-the-counter decongestant which contained an ingredient that criminals discovered could be used to illegally produce methamphetamine. The social and public health impacts of this misuse were so significant that it presented a risk that the company needed to address.

For this particular risk it would harm patients to abandon the product, and it wasn't feasible to transfer or mitigate the risks directly. So instead, the company took a different route: it made the product unusable to criminals by changing the active ingredient and was still able to offer it over the counter to its customers.

From an information security perspective, the same principle applies: risk to an information asset is determined by the seriousness of impact and the likelihood of that impact occurring. And likelihood in turn is driven by the value of that asset to the threats which are targeting it. So any organization that can reduce the value of its assets to attackers, without lowering the value to its customers, can also reduce its risks.

Some examples:

  • De-identification of Protected Health Information (PHI) as per the HIPAA Privacy Rule.
  • Identity Theft. In countries where national IDs aren't used as an all-purpose identifier, rates of identity theft are much lower than in the United States.
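The de-identification example above can be sketched as a simple transformation: strip direct identifiers so the stored data is worth less to an attacker while remaining useful for analysis. The field names below are hypothetical; the HIPAA Privacy Rule's Safe Harbor method actually enumerates 18 specific identifier types.

```python
# Sketch of risk transformation via de-identification. Field names are
# illustrative, not the full HIPAA Safe Harbor identifier list.

DIRECT_IDENTIFIERS = {"name", "ssn", "email", "phone", "address"}

def de_identify(record):
    """Return a copy of the record with direct identifiers removed."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

patient = {"name": "Jane Doe", "ssn": "000-00-0000",
           "diagnosis": "J45.909", "visit_year": 2008}
print(de_identify(patient))   # → {'diagnosis': 'J45.909', 'visit_year': 2008}
```

The record is no longer directly attributable to a person, so a breach of the de-identified data set carries far less impact, without reducing its value for legitimate use.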

Sunday, June 29, 2008


If you’ve ever seen rec-level youth soccer led by volunteer coaches I’m sure you’re familiar with this scene: a knot of kids surrounding the ball in a swarm, kicking furiously with parents cheering on. Eventually one or both of the coaches shouts “spread out!!” Usually it’s at the same moment that the ball escapes the swarm, spurring a mad dash to form a new swarm…

After a few years of this, as a youth coach I finally promised myself I’d never use that phrase again. Besides the fact that it never works, there are a couple of other issues with it:

  • It’s an instruction without accountability: no player can accomplish it on her own.

  • You can do exactly what is asked without having any impact on helping your team win. In fact, during one of my games it went the other way: our defense parted like the Red Sea and opened shooting lanes for the other team. Ouch!

Instead, I prefer a different phrase that’s just as short and to the point:


Sure, it’s still an instruction delivered to the whole team, but it enables accountability in a positive sense. You can identify and praise the kids who do it, and follow up with those that didn’t hear/understand what to do. And when kids recognize and respond, it helps the team get more shots and who knows … even score on occasion. As an added bonus I started counting the number of passes made by the team during each quarter. (Hawthorne was right … measurement motivates!)

Connecting this back to information security, the key takeaway is that it’s possible, even with distributed virtual teams, to develop a capacity to adjust to unforeseen obstacles without building in excessive communication and coordination overhead. But efficient teams aren’t necessarily those with the deepest security domain knowledge (CISSP, GIAC, etc.). Sure, those skills are as critical as the soccer equivalent of dribbling and shooting -- but good things really start to happen when security processes collectively orient themselves around meaningful measures.

Clear goals -- decomposed into individually achievable contributions, measured with simple, easy-to-gather data, and reported internally and externally to both team members and stakeholders -- are the key to preventing knots and swarms.

Saturday, February 02, 2008

Information Security Requires Changing Minds

It is well documented that for most organizations, compliance with information security policies is a largely voluntary activity. The only way to consistently advance security is through the active support of the groups that the security organization is responsible for protecting.

Everyone recognizes the need for "buy-in," but few articulate where to get it, and more importantly, how to sustain it. That is what makes Howard Gardner's book, Changing Minds, so essential for policy, governance and security practitioners. Many authors have taken on aspects of this subject, from How to Win Friends and Influence People [Carnegie] to Execution: The Discipline of Getting Things Done [Bossidy and Charan]. But typically, they look at the techniques of successful change instead of the fundamental elements these techniques address. Bossidy and Charan argue "You cannot have an execution culture without robust dialogue...robust dialogue starts when people go in with open minds...[and]...ends with closure...people agree about what each person has to do and when." [pp. 102-103] If you start with an open-minded group, good for you. But what if they're not open-minded, and they don't report to you?

Gardner, a psychologist rather than a CEO or CSO, doesn't presuppose a particular starting point. Instead, he identifies the contents of the mind, the forms that this content can take, the levers which influence mind change, and the differences across the various types of audiences where this change occurs.

As an example, several years ago I had a role that depended on a strong working partnership with a department that was in the process of being eliminated from the company. This team had a number of operational responsibilities that made it a likely target for attempts to access sensitive company information, and seemed highly vulnerable due to morale and turnover issues. Thankfully, the team had exceptional management and was highly professional, and was willing to look at its role beyond the soon to be ending tasks. Through a combination of education about the threats, specific training to combat likely forms of attack, and a modest reward system for successfully responding to suspicious events, I supported the process of helping the group change the view of its role in the company, add new skills, and make a significant impact during a critical transition period.

At the time I wasn't really aware of all of the "moving parts" that made that story a success. But Changing Minds provides the tools for analyzing, and (hopefully) duplicating such outcomes. In this situation the team represented a relatively uniform population with a common set of concepts and skills, but with a rather discouraging story, i.e. "our group is about to be phased out." Through a combination of reason and research with a new story that resonated, supported with training and rewards, the low resistance of the group was overcome and the team executed their new skills very effectively.

Gardner identifies six audiences for mind changing, four categories of mental "content," nine forms this content can take, and seven levers that affect the outcome.

Starting with the audiences, ranging from addressing a nation to just one individual, or even oneself, Changing Minds gives a rich set of case studies for each:
1. Leading a Diverse Population. Changing the minds of a nation, examined through the experience of Margaret Thatcher.
2. Leading an Institution. Gardner looks at James O. Freedman's experience at Dartmouth. A reading of "Building Block Two: Creating the Framework for Cultural Change" in Execution provides intriguing parallels in a corporate context.
3. Changing minds indirectly. The role of science, scholarship and the arts.
4. Mind changing in a formal setting. This goes beyond the one-way transfer of information and assumes an interactive process of discovery and response: "consider...entrenched views...and the ways in which these views might profitably be reformulated..." [p. 145]
5. Mind changing up close. One on one.
6. Changing One's Own Mind.

Changing Minds lists four specific categories of content that are the focus of change efforts: concepts, stories, theories and skills.

Concepts are the most elementary building block; for information security, defense in depth, the principle of least privilege, and “need-to-know” would represent fundamental concepts.

Stories are another fundamental category. Thatcher’s story was straightforward, easy to understand, and resonated with her audience of the time: “Britain has lost its way.” When discussing levers of change, stories and their “counter-stories” form a critical battleground where change agents directly engage resistances.

Theories represent relatively formal explanations of processes: X causes Y. They can be based on facts, true or false assumptions, and personal or educational experiences. Again, in the security realm, theories could include the view that ‘most successful attackers are insiders / outsiders … most attacks are purely technical / involve some degree of social engineering…’

The last category of content is skills: the practices of which an individual is capable. Gardner argues that when a practitioner fundamentally changes their approach to a task, this represents a significant change in mind.

He further points out that while all minds share similar types of content, this content can differ significantly in form. Drawing on the theory of multiple intelligences, these forms are described as either object-based or symbol-based, with a key takeaway being that people differ in their ability and willingness to absorb content based on its form of presentation.

Mind changing is most effective when resistances are low and the other six levers, each beginning with re-, work in concert. They are: reason, research, resonance, representational redescriptions, real world events, and resources & rewards.

Research provides the "proof" that the current concepts, stories or theories are outdated and need to be replaced, while reason presents this information via logical arguments. Along with real world events, these levers affect the "potency" of a leader's message. But it's not just the potency that counts -- it's also how well that message is absorbed by its audience.

Resonance describes the persuasiveness of the new story, theory or concept. Ideas which resonate “feel right” to the recipient. Finding and applying the resonance can be challenging, however, as it involves not only the content of the message, but also its timing, how well it harmonizes with the existing perspective of the audience, and the persona of the messenger. On this last point, Gardner contrasts Bill Clinton's talent for getting in tune with his audience and neutralizing opposition with Newt Gingrich's tendency to consistently stimulate it.

And while a leader may be working with a single message, that message best resonates when it is offered and considered in many different forms through a variety of representational redescriptions. At times these redescriptions are provided by the leader, but in other cases a leader can provide resources to their audience, along with rewards and incentives for the group to develop and "try out" the idea on their own.

These levers work positively to bring about a change, but they must overcome resistances. These resistances are characterized as the "counter-story": existing representations which a leader hopes to convince their audience to supplant. Resistances must be met with resonating integrity, in an ethical approach. “One can – and must – go through an exercise of deep and pervasive mental surgery with respect to every entrenched view: define it, understand the reasons for its provenance, point out its weaknesses, and then develop multiple ways of undermining that view and bolstering a more constructive one. In other words, search for the resonance, and stamp out the resistance.” [p. 145]

Affecting an organization requires reason and resonance -- but having the right story is only the starting point. Meaningful change takes time. “New ideas do not travel easily, and it is hard for them to take hold. Because we cannot know in advance which formats will prove effective in communicating a new message, we are well advised to use several alternative formats…We need to monitor the words and actions of a leader’s constituents to glean how ideas have been translated and internalized…until we ‘get it right’--or at least until the next change in context challenges current representations and calls for yet another take on the situation at hand.” [p. 102]

In conclusion, it may seem discouragingly difficult to effect change. But rather than seeking the perfect message, or the perfect presentation, it may be better for a leader to engage an audience--resistances and all--early and often, and find many ways to bring those ideas forward. It may also help to give an audience the tools needed to rework that message into a variety of forms and find the ones that fit. The more active a leader is on this front, the more likely they'll be ready to capitalize on real world events as they unfold.