Monthly Archives: August 2007

Count ‘Em All By Hand

I admire Matt Blaze, and I only hope he was being sarcastic in the entire post in which, after pointing out that California just decertified three major voting machine manufacturers due to massive security problems, he wrote:
How to build secure systems out of insecure components is a tough problem in general, but of huge practical importance here, since we can’t exactly stop holding elections until the technology is ready.

The best defense: Ad hominem security engineering. Matt Blaze, Exhaustive Search, 6 August 2007

Well, yes, yes we can.

Metricon: Puzzle vs. Mystery

Here at Metricon 2.0, many interesting talks, as expected.

For example, Russell Cameron Thomas of Meritology mentioned the difference between puzzle thinking (looking only under the light you know) and mystery thinking (shining a light into unknown areas to see what else is out there). Seems to me most of traditional security is puzzle thinking. Other speakers and questioners said things in other talks like "that’s a business question that we can’t control" (literally throwing up hands); we can only measure where "we can intervene"; "we don’t have enough information" to form an opinion, etc. That’s all puzzle thinking.

Which is unfortunate, given that measuring only what you know makes measurements hard to relate to business needs, hard to apply to new, previously unknown problems, and very hard to use to deal with problems you cannot fix.

Let me hasten to add that Thomas’s talk, entitled "Security Meta Metrics—Measuring Agility, Learning, and Unintended Consequence", went beyond these puzzle difficulties and into mysteries such as uncertainty and mitigation.

Not only that, but his approach of an inner operational loop (puzzle) tuned by an outer research loop (mystery) is strongly reminiscent of John R. Boyd’s OODA loop. Thomas does not appear to have been aware of Boyd, which maybe is evidence that by reinventing much the same process description Thomas has validated that Boyd was onto something.

-jsq

ROI v. NPV v. Risk Management

There’s been some comment discussion about security ROI. Ken Belva’s point is that you can have a security ROI, to which I have agreed (twice). Iang says he’s already addressed this topic, in a blog entry in which he points out that
Calculating ROI is wrong, it should be NPV. If you are not using NPV then you’re out of court, because so much of security investment is future-oriented.

ROI: security people counting with fingers? Iang, Financial Cryptography, July 20, 2007

Iang’s entry also says that we can’t even really do Net Present Value (NPV) because we have no way to calculate or predict actual costs with any accuracy. He also says that security people need to learn about business, which I’ve also been harping on. I bet if many security people knew what NPV was, they’d be claiming they had it as much as they’re claiming they have ROI.

Flying Risk

Airport risk management:
It was while waiting to board a transatlantic flight from Heathrow last month, having been asked to show my papers at least six times more than one ever used to be, that a hopeless fantasy took root in my mind. As my handbag was overturned, I recalled reading recently that globally there were an estimated 27m scheduled flights a year. A little further along, as my 120ml bottle of contact lens cleaner was confiscated, I thought how few of them had met a hideous fate at the hands of terrorists. And as I later removed my shoes, recalling that the sole apparent justification for this was that one complete halfwit had failed to set fire to his trainers some years ago, I realised that I was willing to play these odds.

I’d risk flying with terrorists to escape this airport hell, Marina Hyde, The Guardian, 4 August 2007

But did anybody ask her (or us)?

Security ROI: Possible, but Not the Main Point

Many people have argued about or wondered whether information security can have a computed Return on Investment (ROI). The man who co-wrote the book on ROI, Managing Cybersecurity Resources: A Cost-Benefit Analysis, says yes, it’s possible, but in general, “maximizing the ROI (or IRR [real economic rate of return]) is, in general, not an appropriate economic objective.” What, then?
Rather than trying to derive the ROI of security investments, a much better strategy is to work on the related issues of deriving an optimal (or at least desirable) level of information security investments and the best way to allocate such investments. This strategy is the focus of the Gordon-Loeb Model (for a brief summary of the focus of this model, and a link to the actual paper, go to: http://www.rhsmith.umd.edu/faculty/lgordon/Gordon%20Loeb%20Model%20cybersecurity.htm)

Email from Dr. Lawrence Gordon: Security ROI possible but not optimal, use other metrics, Posted by Kenneth F. Belva, bloginfosec.com, 18 July 2007

Belva reads the recommended paper and finds it to say:
The Gordon-Loeb Model also shows that, for a given level of potential loss, the optimal amount to spend to protect an information set does not always increase with increases in the information set’s vulnerability. In other words, organizations may derive a higher return on their security activities by investing in cyber/information security activities that are directed at improving the security of information sets with a medium level of vulnerability.
From which Belva concludes that “we do understand Information Security to have a return.” Well, yes.
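To make the quoted Gordon-Loeb result concrete, here is an added worked example (not from the post, Belva, or the Gordon-Loeb paper's own code). It assumes the paper's second class of security breach probability functions, S(z, v) = v^(αz + 1), with constructed values for the potential loss L and the parameter α, and shows that the optimal spend z* rises with vulnerability v and then drops to zero, and that it never exceeds the expected loss vL divided by e.

```python
"""Gordon-Loeb optimal security investment for the class II breach function."""
import math

# Constructed parameters: potential loss in dollars and the investment
# productivity parameter alpha (per dollar). Not taken from the original post.
LOSS = 100_000.0
ALPHA = 1e-4


def breach_prob(z, v, alpha=ALPHA):
    """Probability of a breach after investing z; v is the prior vulnerability."""
    return v ** (alpha * z + 1.0)


def net_benefit(z, v, L=LOSS, alpha=ALPHA):
    """Expected loss avoided by the investment, minus the investment itself."""
    return (v - breach_prob(z, v, alpha)) * L - z


def optimal_investment(v, L=LOSS, alpha=ALPHA):
    """Closed-form z* from the first-order condition -dS/dz * L = 1.

    dS/dz = alpha * ln(v) * v**(alpha*z+1), so the condition solves to
    alpha*z + 1 = ln(-alpha*L*ln v) / ln(1/v). Net benefit is concave in z,
    so a negative root means the corner solution z* = 0 is optimal.
    """
    if v <= 0.0 or v >= 1.0:
        return 0.0  # nothing to protect, or investment cannot lower S at all
    z = (math.log(-alpha * L * math.log(v)) / math.log(1.0 / v) - 1.0) / alpha
    return max(z, 0.0)


def optimal_by_grid(v, L=LOSS, alpha=ALPHA, step=100.0):
    """Brute-force check of z* that does not rely on the closed form."""
    best_z, best_nb = 0.0, net_benefit(0.0, v, L, alpha)
    z = step
    while z <= L:
        nb = net_benefit(z, v, L, alpha)
        if nb > best_nb:
            best_z, best_nb = z, nb
        z += step
    return best_z


def investment_curve(vs, L=LOSS, alpha=ALPHA):
    """z* for each vulnerability level, in the order given."""
    return [optimal_investment(v, L, alpha) for v in vs]


def is_nondecreasing(seq):
    """True if the sequence never falls; the Gordon-Loeb curve is not."""
    return all(a <= b for a, b in zip(seq, seq[1:]))


if __name__ == "__main__":
    for v in (0.1, 0.3, 0.5, 0.7, 0.8, 0.9):
        print(f"v={v:.1f}  z*=${optimal_investment(v):>9,.0f}  cap vL/e=${v * LOSS / math.e:>9,.0f}")
```

The printed table shows the spend peaking around v = 0.8 and falling to zero by v = 0.9 under these assumed parameters, which is the "medium vulnerability" effect Belva quotes.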

Publish All SSNs

567-68-0515

Richard Nixon’s SSN

This would solve the ongoing problem of everybody from credit card companies to telephone companies using social security numbers as authenticators:

Now is your chance for the best opportunity to reduce identity theft. Submit comments to the FTC here. I suggest saying something like this.

Publish All SSNs! by Pete Lindstrom, Spire Security Viewpoint, 31 July 2007

I know I already said this was a good idea, but now Pete’s proposing a practical venue to try to get it done.

Sure, the current political commissar at the FTC will never go for this, but such comments will remain on file, and someday a better FTC may act on them.

So follow Richard Nixon’s lead and publish all Social Security Numbers. Oh, he didn’t do that himself? Well, if it had been public, it wouldn’t have done anybody any harm when lots of other people did.

-jsq