Wednesday, April 7, 2010

Likelihood == Fear

Many risk analysis methodologies, especially those promoting the "fool's errand" of quantifying (IT) risks, rely on some sort of calculation driven by estimating or knowing the likelihood that some risk will be realized.

We start with a Single Loss Expectancy (SLE), defined as the monetary loss in a classical quantitative methodology or the severity of loss in a qualitative methodology.

Then we use the 'likelihood', or in technical terms the Annualized Rate of Occurrence (ARO), defined as the expected number of times the event will happen in a given year (for an event that can happen at most once a year, this is simply the probability that it happens that year).

These values are then used to derive (divine, really) the Annual Loss Expectancy (ALE).

So the formula is:

ALE = SLE * ARO

Which is more honestly illustrated (within IT risk analysis) as follows:


[image; see image attributions below]

None of the risk analysis frameworks out there describes a realistic way of determining any of these values; it's just dowsing for the 21st century.

What 'likelihood' essentially means, then, to the practitioners of this sort of black art is: how afraid are you that a given bad thing will happen?
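To see how directly that fear shows up in the "quantified" result, here is an added example (not part of the original post) that holds the SLE fixed and feeds the ALE formula a few different likelihood guesses. The dollar figure and the three ARO values are constructed stand-ins for what three analysts might say about the same system; the point is that the spread between their guesses passes straight through to the ALE, because the SLE is a constant.

```python
# Added example, not the original post's material: sensitivity of ALE to the
# guessed likelihood (ARO).  Scenario values below are constructed.


def ale(sle, aro):
    """Annual Loss Expectancy = Single Loss Expectancy * Annualized Rate of Occurrence."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def ale_spread(sle, aro_estimates):
    """Return (lowest ALE, highest ALE, high/low ratio) over a set of ARO guesses.

    With SLE held constant, the ratio between the highest and lowest ALE is
    exactly the ratio between the highest and lowest guess: the formula adds
    no information of its own.
    """
    values = [ale(sle, aro) for aro in aro_estimates]
    low, high = min(values), max(values)
    ratio = float("inf") if low == 0 else high / low
    return low, high, ratio


# Constructed scenario: a $250,000 single loss if a customer database is breached,
# and three analysts' ARO guesses for the same system.
SLE_DB_BREACH = 250_000
ARO_GUESSES = {"optimist": 0.02, "moderate": 0.1, "worried": 0.5}

if __name__ == "__main__":
    for name, aro in ARO_GUESSES.items():
        print(f"{name:>9}: ARO={aro:<5} ALE=${ale(SLE_DB_BREACH, aro):>10,.0f}")
    low, high, ratio = ale_spread(SLE_DB_BREACH, ARO_GUESSES.values())
    print(f"spread: ${low:,.0f} .. ${high:,.0f} ({ratio:.0f}x apart)")
```

Run it and the three "quantified" annual losses come out 25x apart, which is precisely the 25x between the smallest and largest guess; nothing in the calculation narrowed that.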

I personally believe that there are much better methods to measure that fear. We can, I suggest, measure that fear in a much more consistent manner. Start by looking at these entities related to IT risk analysis, and you can begin to see how:



image attributions:
http://en.wikipedia.org/wiki/File:Harrows_Bristle_Board_Bullseye.JPG
http://en.wikipedia.org/wiki/File:Wilber%27s_BBQ_-_Pig_vane.jpg
http://en.wikipedia.org/wiki/File:18th_century_dowser.jpg

Monday, April 5, 2010

NIST 800-53 Version 3 Control Catalog

Created with a Python script that parsed the information from the XML output of NIST's FileMaker-based DB application. I hate the way NIST breaks out the controls with the enhancements and such. This is not useful directly from SlideShare, but download it if you need the controls in a 'normalized' format for import into a DB or an automated system.
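For anyone who wants to do the same normalization themselves, here is an added example (not the author's script) that flattens a control export in which enhancements are nested under their base control into one row per control or enhancement, with the parent ID carried on each enhancement row so the hierarchy survives a flat import. The XML layout and element names in `SAMPLE_XML` are an assumption constructed for this example, and the control statements are paraphrased; NIST's actual export uses its own structure, so the element names would need to be adjusted to match it.

```python
# Added example, not the original post's script: normalize a nested control
# catalog export into flat rows.  The XML schema below is assumed/constructed.
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample in an assumed layout; the statements are paraphrased.
SAMPLE_XML = """<controls>
  <control>
    <number>AC-2</number>
    <family>Access Control</family>
    <title>Account Management</title>
    <statement>The organization manages information
      system accounts.</statement>
    <enhancement>
      <number>AC-2(1)</number>
      <title>Automated System Account Management</title>
      <statement>The organization employs automated mechanisms to support
        the management of information system accounts.</statement>
    </enhancement>
    <enhancement>
      <number>AC-2(2)</number>
      <title>Removal of Temporary and Emergency Accounts</title>
      <statement>The information system automatically terminates temporary
        and emergency accounts.</statement>
    </enhancement>
  </control>
</controls>"""

FIELDS = ("id", "parent", "family", "title", "statement")


def _text(elem, tag):
    """Child text with internal whitespace collapsed (exports wrap long statements)."""
    return " ".join(elem.findtext(tag, "").split())


def flatten_controls(xml_text):
    """One dict per base control and per enhancement; enhancements point at their parent."""
    root = ET.fromstring(xml_text)
    rows = []
    for ctl in root.iter("control"):
        base_id = _text(ctl, "number")
        family = _text(ctl, "family")
        rows.append({"id": base_id, "parent": "", "family": family,
                     "title": _text(ctl, "title"), "statement": _text(ctl, "statement")})
        for enh in ctl.findall("enhancement"):
            # Enhancements inherit the family from the base control and carry its ID.
            rows.append({"id": _text(enh, "number"), "parent": base_id, "family": family,
                         "title": _text(enh, "title"), "statement": _text(enh, "statement")})
    return rows


def to_csv(rows):
    """Render the flat rows as CSV text suitable for a DB bulk import."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(flatten_controls(SAMPLE_XML)), end="")
```

The `parent` column is what makes the flat file useful downstream: a query can still group AC-2(1) and AC-2(2) under AC-2, or roll a base control's status up from its enhancements, without re-parsing the hierarchy.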

Introduction to Pragmatic Risk Analysis Part 1

Sunday, April 4, 2010

The ABC's of Security Evaluation

Asset-Based Control Assessment
Here is an introductory presentation on the concept of Asset-Based Control Assessments, the most effective and efficient security evaluation method.


Purpose of Risk Analysis

Risk analysis in the IT security space is often misunderstood.  Many, if not most, security professionals do not really understand the concept and have no real idea how to apply it in their jobs.  This is not necessarily a bad thing, as much of what is done in the name of 'risk analysis' is simply wasted effort.  However, for those organizations that must conduct risk assessments to pacify regulators or show appropriate due-diligence, a little clarity is required.

There are three basic methods that can be used to evaluate the security of an organization:
  1. Compliance Assessments
    • Are the controls that are prescribed to prevent unauthorized disclosure, modification, and interruption in place?
  2. Vulnerability Assessments
    • Are the controls that are in place working properly to prevent unauthorized disclosure, modification, and interruption?
  3. Risk Assessments
    • What controls are required to appropriately prevent unauthorized disclosure, modification, and interruption?
Many organizations understand method 2, but often confuse methods 1 and 3.

What is a risk?
The best definition I have ever heard is "A risk is the potential for something bad to happen."
However, many organizations conduct a "risk assessment" simply by comparing the controls in place to a list of prescribed controls and labelling every gap a risk. An analogy helps explain the disconnect.

Car Insurance Analogy
Is the lack of car insurance a risk? According to the definition above, clearly not. Getting your car wrecked is an example of a bad thing that can happen (an Event), and there is clearly some potential for this with every car owned in the world. However, not having car insurance simply increases the impact of the Event. There are many other Conditions that contribute to the impact of the Event, e.g. the price of the car, the availability of repair parts, who is responsible for the damage, the extent of the damage, etc. There are also Conditions that contribute to the likelihood of the Event, e.g. the number of miles driven, the frequency of driving, road congestion, road conditions, etc.

Evaluating the potential of a car wreck must involve analysis of (at least some of) these Conditions.

Most US states prescribe minimum coverage for car insurance; here are the minimums for vehicle liability in Illinois:
  • $20,000 - injury or death of one person in an accident
  • $40,000 - injury or death of more than one person in an accident
  • $15,000 - damage to property of another person
A compliance assessment can easily determine whether or not the insurance in place meets these requirements. It will not, however, tell us whether or not the insurance in place is appropriate given the Conditions identified. Obviously, these minimums do not cover damage to the insured vehicle itself, and the appropriateness of that coverage amount is directly tied to the value of the vehicle.