Tastes Great vs Less Filling: Deconstructing Risk Management
(A Practical Approach Towards Decision Making)

Michael Dahn
ChaordicMind.com

Thursday, April 29, 2010
Who am I?

Which side are you on?

• « Risk Management is Dead … Long Live Risk Management »

  Tastes Great!      Less Filling!

Pete Lindstrom

« We have already solved the problem of Risk Management over 200 times, the problem is that we don’t know which one is right. »

Question Group 1

  Question                                                  Answer
  What year was George Washington born?                     ?
  How many countries are in South America?                  ?
  How many calories in an In-N-Out Double-Double burger?    ?
  What year was Diet Coke invented?                         ?
  How many elements are in the periodic table?              ?

Variance?

• Upper bound
• Lower bound
• Range (Upper – Lower)
• Standard deviation

Question Group 1

  Question                                                  Answer
  What year was George Washington born?                     1732
  How many countries are in South America?                  13
  How many calories in an In-N-Out Double-Double burger?    670
  What year was Diet Coke invented?                         1982
  How many elements are in the periodic table?              102

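Scoring the Question Group exercise with the upper bound, lower bound, range and standard deviation the Variance slide lists, as an added Python example that is not part of the deck. The answer key is the one on the Question Group 1 slide; the two participants, their intervals, the 90% confidence level and the reading of "standard deviation" as the spread of estimates across the room are assumptions made for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Answer key exactly as given on the "Question Group 1" slide.
ANSWER_KEY = {
    "washington_born": 1732,
    "south_america_countries": 13,
    "double_double_calories": 670,
    "diet_coke_invented": 1982,
    "periodic_table_elements": 102,
}

# Constructed sample input (not from the deck): each participant's (lower, upper)
# bounds per question, all claimed at 90% confidence.
PARTICIPANTS = {
    "alice": {                                  # wide intervals, one miss
        "washington_born": (1700, 1760),
        "south_america_countries": (10, 12),    # 13 falls outside
        "double_double_calories": (500, 900),
        "diet_coke_invented": (1975, 1990),
        "periodic_table_elements": (100, 120),
    },
    "bob": {                                    # narrow intervals, two misses
        "washington_born": (1731, 1733),
        "south_america_countries": (12, 14),
        "double_double_calories": (650, 700),
        "diet_coke_invented": (1985, 1995),     # 1982 falls outside
        "periodic_table_elements": (110, 118),  # 102 falls outside
    },
}


@dataclass(frozen=True)
class CalibrationScore:
    hits: int          # questions whose true answer fell inside the interval
    total: int
    mean_range: float  # average interval width (Upper - Lower), the slide's "Range"

    @property
    def hit_rate(self) -> float:
        return self.hits / self.total


def score_participant(bounds: dict, key: dict = ANSWER_KEY) -> CalibrationScore:
    """Score one participant's intervals against the answer key."""
    hits = 0
    ranges = []
    for question, truth in key.items():
        lower, upper = bounds[question]
        if lower > upper:
            raise ValueError(f"{question}: lower bound {lower} exceeds upper bound {upper}")
        ranges.append(upper - lower)
        if lower <= truth <= upper:
            hits += 1
    return CalibrationScore(hits, len(key), mean(ranges))


def verdict(score: CalibrationScore, confidence: float = 0.9, tolerance: float = 0.15) -> str:
    """Compare the observed hit rate with the confidence the participant claimed.

    Hitting far less often than claimed means the intervals were too narrow
    (overconfident); hitting far more often means they were too wide
    (underconfident). Five questions make this a coarse check, so a tolerance
    band of roughly one question in five is applied around the claimed level.
    """
    if score.hit_rate < confidence - tolerance:
        return "overconfident"
    if score.hit_rate > confidence + tolerance:
        return "underconfident"
    return "calibrated"


def room_spread(participants: dict, key: dict = ANSWER_KEY) -> dict:
    """Per question, the mean and population standard deviation of the
    participants' interval midpoints: how much the room disagrees."""
    spread = {}
    for question in key:
        midpoints = [(lo + hi) / 2 for lo, hi in (p[question] for p in participants.values())]
        spread[question] = (mean(midpoints), pstdev(midpoints))
    return spread


if __name__ == "__main__":
    for name, bounds in PARTICIPANTS.items():
        s = score_participant(bounds)
        print(f"{name}: {s.hits}/{s.total} hits, mean range {s.mean_range:.1f}, {verdict(s)}")
    for question, (avg, sd) in room_spread(PARTICIPANTS).items():
        print(f"{question}: room mean {avg:.1f}, std dev {sd:.1f}, truth {ANSWER_KEY[question]}")
```

A narrow interval that misses the answer (bob) costs more than a wide one that contains it (alice); the room spread shows which questions the group as a whole is unsure about.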
Question Group 2

  Question                                                                Answer
  How many languages are available on Flickr.com?                         ?
  How many breach incidents were reported by DatalossDB in 01/10?         ?
  When did Arnold Palmer first win the PGA Masters Tournament?            ?
  How many minutes do Facebook users spend on the site / month?           ?
  How many contributors to the Encyclopedia Britannica in 2008?           ?

Variance?

• Upper bound
• Lower bound
• Range (Upper – Lower)
• Standard deviation

Question Group 2

  Question                                                                Answer
  How many languages are available on Flickr.com?                         8
  How many breach incidents were reported by DatalossDB in 01/10?         35
  When did Arnold Palmer first win the PGA Masters Tournament?            1958
  How many minutes do Facebook users spend on the site / month?           500b
  How many contributors to the Encyclopedia Britannica in 2008?           4,411

Question Group 3

  Question                                                                Answer
  What percentage of all malicious code will be executed in 2012?         ?
  How many bugs are there in Windows Vista?                               ?
  What is the chance a Wikipedia article will contain an error?           ?
  How long will it take for an average computer to be p0wned in 2015?     ?
  What is the air speed velocity…                                         ?

Unknown-Unknowns

• Known Knowns (KK)
  – People in this room now
• Unknown Knowns (UK)
  – Population of the earth
• Known Unknowns (KU)
  – The day I will die
• Unknown Unknowns (UU)
  – Which risk management is right for you…

To Know

“kennen” vs “wissen”

« kennen » :: to know a fact
  – KK, UK, KU, UU

« wissen » :: to know a concept
  – KK, UK, KU, UU

Concepts vs Domains

« Concepts »
  – an abstract or generic idea generalized from particular instances

« Domain »
  – a sphere of knowledge, influence, or activity

Domains contain Concepts

Adam Shostack

« What the industry needs is more data in order to form proper conclusions »

I got your “more data”!

Donn Parker

Frequent-ism

Due to the unknown-unknown number of data breaches, any data set we collect may be too small to statistically analyze data.

« Risk-based security is impossible »
« Diligence-based security is what we need »

Parker-nomics

• Risk based approaches are nothing more than data alchemy
• There is simply not enough public data available to make any sort of statistically significant conclusion when you assume that the entire population of data breaches or security failures (realistically unknown) is vastly larger

Example

Rogue Device Detection (Sampling?)

Diligence-based Model

• Diligence to avoid negligence
• Compliance to meet or exceed requirements of regulations, laws, and standards to avoid penalties
• Enablement to meet business and budget needs

« generally agreed upon best practices »

https://www.issa.org/Library/Journals/2008/January/Parker-A%20Diligence-Based%20Idealized%20Security%20Review.pdf

Alex Hutton

Bayesian-ism

Probability is a probable term…

« Governance without metrics and models is superstition »
« Governance with metrics and models describes capability to manage risk »

Hutton-nomics

• Risk management: Time to blow it up and start over?
• Evidence-based risk management
  – Deconstructed, notional view of risk
• Metrics based management, governance, and risk
  – Failure if lack of data

Managing Risk

« Managing risk means aligning the capabilities of the organization, and the exposure of the organization with the tolerance of the data owners »

- Jack Jones

Managing Risk

« Risk management may be hard (or even impossible)… … but we all manage risk »

- Me

Spheres of Expertise

You don’t know everything
  « We > You »
Practitioners don’t know everything
  « Experts > Practitioners »

Next up…
  « Reputational weighted value »

Success = more detailed info, per domain

Domains of Knowledge

Expertise

Sounds simple? Nope

« Education, education, education »

« Flexibility of Domains »

« More data (per domain) for risk modeling »

Conclusion

« Seek first to understand and then to be understood »
« Holistic information security »
« Intra-connectedness of domains drive value of (risk) data »