Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical Approach Towards Decision Making) Michael Dahn ChaordicMind.com Thursday, April 29, 2010

Upload: security-b-sides

Post on 15-May-2015


DESCRIPTION

Just as there are two sides to every coin, there are two schools of thought in risk management. One camp believes that there is never enough data to make statistically significant risk decisions, because of the unknown-unknowns and because we never really know the entire population of data breaches. The other camp believes that we have well-detailed information about specific domains and that, using Bayesian math, we can come to conclusions on how to manage risk. Regardless of which camp you believe in, the fact is that we all manage risk. This session will discuss the two camps and propose a hybrid model that goes beyond technical details into the core of trusted knowledge relationships.

TRANSCRIPT

Page 1: Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical Approach Towards Decision Making)

Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical Approach Towards Decision Making)

Michael Dahn, ChaordicMind.com

Thursday, April 29, 2010

Page 2:

Who am I?

Page 3:

Which side are you on?

• « Risk Management is Dead … Long Live Risk Management »
• Tastes Great!
• Less Filling!

Page 4:

Pete Lindstrom

« We have already solved the problem of Risk Management over 200 times, the problem is that we don’t know which one is right. »

Page 5:

Question Group 1

Q: What year was George Washington born?  A: ?
Q: How many countries are in South America?  A: ?
Q: How many calories are in an In-n-Out Double-Double burger?  A: ?
Q: What year was Diet Coke invented?  A: ?
Q: How many elements are in the periodic table?  A: ?

Page 6:

Variance?

• Upper bound
• Lower bound
• Range (Upper – Lower)
• Standard deviation

Page 7:

Question Group 1

Q: What year was George Washington born?  A: 1732
Q: How many countries are in South America?  A: 13
Q: How many calories are in an In-n-Out Double-Double burger?  A: 670
Q: What year was Diet Coke invented?  A: 1982
Q: How many elements are in the periodic table?  A: 102

Page 8:

Question Group 2

Q: How many languages are available on Flickr.com?  A: ?
Q: How many breach incidents were reported by DatalossDB in 01/10?  A: ?
Q: When did Arnold Palmer first win the PGA Masters Tournament?  A: ?
Q: How many minutes do Facebook users spend on the site per month?  A: ?
Q: How many contributors did the Encyclopedia Britannica have in 2008?  A: ?

Page 9:

Variance?

• Upper bound
• Lower bound
• Range (Upper – Lower)
• Standard deviation

Page 10:

Question Group 2

Q: How many languages are available on Flickr.com?  A: 8
Q: How many breach incidents were reported by DatalossDB in 01/10?  A: 35
Q: When did Arnold Palmer first win the PGA Masters Tournament?  A: 1958
Q: How many minutes do Facebook users spend on the site per month?  A: 500 billion
Q: How many contributors did the Encyclopedia Britannica have in 2008?  A: 4,411

Page 11:

Question Group 3

Q: What percentage of all malicious code will be executed in 2012?  A: ?
Q: How many bugs are there in Windows Vista?  A: ?
Q: What is the chance a Wikipedia article will contain an error?  A: ?
Q: How long will it take for an average computer to be p0wned in 2015?  A: ?
Q: What is the air speed velocity…  A: ?

Page 12:

Unknown-Unknowns

• Known Knowns (KK): people in this room now
• Unknown Knowns (UK): population of the earth
• Known Unknowns (KU): the day I will die
• Unknown Unknowns (UU): which risk management is right for you…

Page 13:

To Know: “kennen” vs “wissen”

« kennen » :: to know a fact (KK, UK, KU, UU)
« wissen » :: to know a concept (KK, UK, KU, UU)

Page 14:

Concepts vs Domains

« Concept »: an abstract or generic idea generalized from particular instances
« Domain »: a sphere of knowledge, influence, or activity

Domains contain Concepts

Page 15:

Adam Shostack

« What the industry needs is more data in order to form proper conclusions »

Page 16:

I got your “more data”!

Page 17:

Donn Parker

Due to the unknown-unknown number of data breaches, any data set we collect may be too small to analyze statistically.

« Risk-based security is impossible »
« Diligence-based security is what we need »

Frequent-ism

Page 18:

Parker-nomics

• Risk-based approaches are nothing more than data alchemy
• There is simply not enough public data available to draw any statistically significant conclusion, once you assume that the entire population of data breaches or security failures (realistically unknown) is vastly larger than what has been reported

Page 19:

Example: Rogue Device Detection (Sampling?)

Page 20:

Diligence-based Model

• Diligence to avoid negligence
• Compliance to meet or exceed the requirements of regulations, laws, and standards, to avoid penalties
• Enablement to meet business and budget needs

« generally agreed upon best practices »

https://www.issa.org/Library/Journals/2008/January/Parker-A%20Diligence-Based%20Idealized%20Security%20Review.pdf

Page 21:

Alex Hutton

Probability is a probable term…

« Governance without metrics and models is superstition »
« Governance with metrics and models describes capability to manage risk »

Bayesian-ism

Page 22:

Hutton-nomics

• Risk management: time to blow it up and start over?
• Evidence-based risk management: deconstructed, notional view of risk
• Metrics-based management, governance, and risk: failure if lack of data
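The two camps' arithmetic on one small sample, as an added illustration that is not from Dahn's slides nor from Parker's or Hutton's own work: a frequentist Wilson interval and a Beta-Binomial Bayesian posterior for a rogue-device rate, both estimated from a random sample of inventoried hosts (the sampling example from page 19), then checked against a subnet the inventory never listed (Parker's unknown-unknown part of the population). The host counts, the sample and the hidden subnet are constructed numbers, and `wilson_interval`, `beta_posterior`, `credible_interval` and `compare_camps` are names chosen here.

```python
import random
from math import sqrt

# Constructed scenario (not from the slides): the inventory covers 2000 hosts,
# 40 of which are rogue. A hidden subnet of 500 hosts holding 200 rogue devices
# is not in the inventory, so it lies outside the sampling frame entirely.
KNOWN_HOSTS = 2000
KNOWN_ROGUE = 40
HIDDEN_HOSTS = 500
HIDDEN_ROGUE = 200

# The audit team inspects a random sample of 200 inventoried hosts, finds 4 rogue.
SAMPLE_N = 200
SAMPLE_ROGUE = 4


def wilson_interval(k, n, z=1.96):
    """Frequentist 95% confidence interval (Wilson score) for the proportion k/n."""
    p = k / n
    z2 = z * z
    denom = 1 + z2 / n
    center = (p + z2 / (2 * n)) / denom
    half = (z / denom) * sqrt(p * (1 - p) / n + z2 / (4 * n * n))
    return center - half, center + half


def beta_posterior(k, n, prior_a=1.0, prior_b=1.0):
    """Bayesian update: Beta(prior_a, prior_b) prior plus k hits in n trials
    gives a Beta(prior_a + k, prior_b + n - k) posterior (conjugate update)."""
    return prior_a + k, prior_b + (n - k)


def posterior_mean(a, b):
    """Mean of Beta(a, b): the Bayesian point estimate of the rogue rate."""
    return a / (a + b)


def credible_interval(a, b, level=0.95, draws=20000, seed=1):
    """Equal-tailed credible interval of Beta(a, b) by seeded Monte Carlo,
    using only the standard library (no Beta quantile function in stdlib)."""
    rng = random.Random(seed)
    samples = sorted(rng.betavariate(a, b) for _ in range(draws))
    lo_idx = int((1 - level) / 2 * draws)
    hi_idx = int((1 + level) / 2 * draws) - 1
    return samples[lo_idx], samples[hi_idx]


def true_rogue_rate(include_hidden):
    """Ground truth: rate over the inventoried hosts only, or over the whole network."""
    if include_hidden:
        return (KNOWN_ROGUE + HIDDEN_ROGUE) / (KNOWN_HOSTS + HIDDEN_HOSTS)
    return KNOWN_ROGUE / KNOWN_HOSTS


def contains(interval, value):
    lo, hi = interval
    return lo <= value <= hi


def compare_camps():
    """Run both estimates on the same sample and check each against both truths."""
    freq = wilson_interval(SAMPLE_ROGUE, SAMPLE_N)
    a, b = beta_posterior(SAMPLE_ROGUE, SAMPLE_N)  # flat Beta(1, 1) prior
    bayes = credible_interval(a, b)
    in_frame = true_rogue_rate(False)
    whole = true_rogue_rate(True)
    return {
        "frequentist_interval": freq,
        "bayesian_interval": bayes,
        "bayesian_mean": posterior_mean(a, b),
        "truth_in_frame": in_frame,
        "truth_whole_network": whole,
        "freq_covers_frame": contains(freq, in_frame),
        "freq_covers_network": contains(freq, whole),
        "bayes_covers_frame": contains(bayes, in_frame),
        "bayes_covers_network": contains(bayes, whole),
    }


if __name__ == "__main__":
    for key, value in compare_camps().items():
        print(f"{key}: {value}")
```

Both camps land on a defensible interval of roughly 0.8% to 5% for the hosts the inventory knows about, and the 2% in-frame truth sits inside it. Neither interval comes anywhere near the 9.6% rate of the whole network, because the hidden subnet was never in the sampling frame. The disagreement the slides describe is therefore not about the statistics, which behave the same in both camps, but about whether the population is known at all; that is what "more data (per domain)" on page 29 has to supply.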

Page 23:

Managing Risk

« Managing risk means aligning the capabilities of the organization, and the exposure of the organization with the tolerance of the data owners »

- Jack Jones

Page 24:

Managing Risk

« Risk management may be hard (or even impossible)… but we all manage risk »

- Me

Page 25:

Spheres of Expertise

You don’t know everything: « We > You »

Practitioners don’t know everything: « Experts > Practitioners »

Next up… « Reputational weighted value »

Success = more detailed info, per domain

Page 26:

Page 27:

Page 28:

Domains of Knowledge Expertise

Page 29:

Sounds simple? Nope

« Education, education, education »

« Flexibility of Domains »

« More data (per domain) for risk modeling »

Page 30:

Conclusion

« Seek first to understand and then to be understood »

« Holistic information security »

« Intra-connectedness of domains drives the value of (risk) data »
