Just as there are two sides to every coin, there are two schools of thought in risk management. One camp believes that there is never enough data to make statistically significant risk decisions, because of the unknown-unknowns and because we never really know the entire population of data breaches. The other camp believes that we have well-detailed information about specific domains and that, using Bayesian math, we can reach conclusions on how to manage risk. Regardless of which camp or belief in risk management you hold, the fact is that we all manage risk. This session will discuss the two camps and propose a hybrid model that goes beyond technical details into the core of trusted knowledge relationships.
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical Approach Towards Decision Making)
1. Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical Approach Towards Decision Making)
Michael Dahn
ChaordicMind.com
Thursday, April 29, 2010
3. Which side are you on?
• « Risk Management is Dead … Long Live Risk Management »
Tastes Great! vs Less Filling!
4. Pete Lindstrom
« We have already solved the problem of Risk Management over 200 times, the problem is that we don’t know which one is right. »
5. Question Group 1
Question                                                   Answer
What year was George Washington born?                      ?
How many countries are in South America?                   ?
How many calories in an In-N-Out Double-Double burger?     ?
What year was Diet Coke invented?                          ?
How many elements are in the periodic table?               ?
6. Variance?
• Upper bound
• Lower bound
• Range (Upper – Lower)
• Standard deviation
7. Question Group 1
Question                                                   Answer
What year was George Washington born?                      1732
How many countries are in South America?                   13
How many calories in an In-N-Out Double-Double burger?     670
What year was Diet Coke invented?                          1982
How many elements are in the periodic table?               102
8. Question Group 2
Question                                                           Answer
How many languages are available on Flickr.com?                    ?
How many breach incidents were reported by DatalossDB in 01/10?    ?
When did Arnold Palmer first win the PGA Masters Tournament?       ?
How many minutes do Facebook users spend on the site / month?      ?
How many contributors to the Encyclopedia Britannica in 2008?      ?
9. Variance?
• Upper bound
• Lower bound
• Range (Upper – Lower)
• Standard deviation
10. Question Group 2
Question                                                           Answer
How many languages are available on Flickr.com?                    8
How many breach incidents were reported by DatalossDB in 01/10?    35
When did Arnold Palmer first win the PGA Masters Tournament?       1958
How many minutes do Facebook users spend on the site / month?      500b
How many contributors to the Encyclopedia Britannica in 2008?      4,411
11. Question Group 3
Question                                                               Answer
What percentage of all malicious code will be executed in 2012?        ?
How many bugs are there in Windows Vista?                              ?
What is the chance a Wikipedia article will contain an error?          ?
How long will it take for an average computer to be p0wned in 2015?    ?
What is the air speed velocity…                                        ?
12. Unknown-Unknowns
• Known Knowns (KK)
– People in this room now
• Unknown Knowns (UK)
– Population of the earth
• Known Unknowns (KU)
– The day I will die
• Unknown Unknowns (UU)
– Which risk management is right for you…
13. To Know
“kennen” vs “wissen”
« kennen » :: to know a fact
– KK, UK, KU, UU
« wissen » :: to know a concept
– KK, UK, KU, UU
14. Concepts vs Domains
« Concepts » – an abstract or generic idea generalized from particular instances
« Domain » – a sphere of knowledge, influence, or activity
Domains contain Concepts
15. Adam Shostack
« What the industry needs is more data in order to form proper conclusions »
16. I got your “more data”!
17. Donn Parker
Frequent-ism
Because the number of data breaches is an unknown-unknown, any data set we collect may be too small to analyze statistically.
« Risk-based security is impossible »
« Diligence-based security is what we need »
18. Parker-nomics
• Risk-based approaches are nothing more than data alchemy
• There is simply not enough public data available to make any sort of statistically significant conclusion when you assume that the entire population of data breaches or security failures (realistically unknown) is vastly larger than what is publicly reported
19. Example
Rogue Device Detection
(Sampling?)
20. Diligence-based Model
• Diligence to avoid negligence
• Compliance to meet or exceed requirements of regulations, laws, and standards to avoid penalties
• Enablement to meet business and budget needs
« generally agreed upon best practices »
https://www.issa.org/Library/Journals/2008/January/Parker-A%20Diligence-Based%20Idealized%20Security%20Review.pdf
21. Alex Hutton
Bayesian-ism
Probability is a probable term…
« Governance without metrics and models is superstition »
« Governance with metrics and models describes capability to manage risk »
22. Hutton-nomics
• Risk management: time to blow it up and start over?
• Evidence-based risk management
– Deconstructed, notional view of risk
• Metrics-based management, governance, and risk
– Fails when data is lacking
23. Managing Risk
« Managing risk means aligning the capabilities of the organization, and the exposure of the organization, with the tolerance of the data owners »
- Jack Jones
24. Managing Risk
« Risk management may be hard (or even impossible)… … but we all manage risk »
- Me
25. Spheres of Expertise
You don’t know everything
« We > You »
Practitioners don’t know everything
« Experts > Practitioners »
Next up…
« Reputational weighted value »
Success = more detailed info, per domain
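The estimation exercise from the question groups (upper bound, lower bound, range, standard deviation) and the "reputational weighted value" idea from this slide, as an added example that is not from the talk: each estimator gives an interval for a question, the room's bounds and range are computed, and the midpoints are averaged with reputation weights so that an expert in the domain counts for more than a practitioner or "you". The intervals and the reputation weights are constructed sample values, and the calibration check (does an interval contain the true answer) is my framing, not the deck's.

```python
from math import sqrt

# Reputation weights per estimator: the slide's "Experts > Practitioners > You".
# Values are assumed for illustration, not taken from the talk.
REPUTATION = {"you": 1.0, "practitioner": 2.0, "expert": 4.0}

# Constructed sample intervals (lower, upper) for two questions from the deck.
# The true answers used below (13 and 35) are the ones the slides give.
GROUP1_SOUTH_AMERICA = {"you": (10, 15), "practitioner": (12, 14), "expert": (13, 13)}
GROUP2_DATALOSSDB_0110 = {"you": (5, 200), "practitioner": (20, 60), "expert": (30, 40)}


def room_summary(bounds, weights=None):
    """Summarise a room's interval estimates for one question.

    bounds: {estimator: (lower, upper)}; weights: {estimator: reputation}, or None
    for an unweighted average. Returns the slide-6 quantities (upper bound,
    lower bound, range) plus a reputation-weighted mean and standard deviation
    of the interval midpoints.
    """
    weights = weights or {name: 1.0 for name in bounds}
    mids = {name: (lo + hi) / 2 for name, (lo, hi) in bounds.items()}
    total = sum(weights[name] for name in bounds)
    mean = sum(weights[name] * mids[name] for name in bounds) / total
    var = sum(weights[name] * (mids[name] - mean) ** 2 for name in bounds) / total
    lower = min(lo for lo, _ in bounds.values())
    upper = max(hi for _, hi in bounds.values())
    return {"lower": lower, "upper": upper, "range": upper - lower,
            "mean": mean, "std": sqrt(var)}


def covers_truth(bounds, truth):
    """Calibration check: which estimators' intervals contain the true answer."""
    return {name: lo <= truth <= hi for name, (lo, hi) in bounds.items()}


if __name__ == "__main__":
    for label, bounds, truth in (("South America countries", GROUP1_SOUTH_AMERICA, 13),
                                 ("DatalossDB 01/10", GROUP2_DATALOSSDB_0110, 35)):
        flat = room_summary(bounds)
        weighted = room_summary(bounds, REPUTATION)
        print(f"{label}: range={flat['range']}, unweighted mean={flat['mean']:.1f}, "
              f"reputation-weighted mean={weighted['mean']:.1f} (truth {truth}), "
              f"weighted std={weighted['std']:.1f}, coverage={covers_truth(bounds, truth)}")
```

Running it shows the deck's point: the familiar Group 1 question yields a range of 5 and a tiny spread, while the specialist Group 2 question yields a range of 195, and only the reputation weighting pulls the room's mean close to the true 35.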
29. Sounds simple? Nope
« Education, education, education »
« Flexibility of Domains »
« More data (per domain) for risk modeling »
30. Conclusion
« Seek first to understand and then to be understood »
« Holistic information security »
« Intra-connectedness of domains drives value of (risk) data »