An Approach to Risk Decision Making – a Review

Public expenditure

I decided to write a review of a paper submitted to on the subject of “An Approach to Risk Decision Making” by Curt Dalton. I must however declare an interest in this, in that I happen to report to Curt in my day job (he is global CISO), and that he was kind enough to share drafts with me as he wrote it for feedback. This will of course therefore be a somewhat biased review, although not too much, but I do hope if nothing else it generates conversation around topics and approaches like this. I have a huge respect for Curt, have learnt much from him over the last few years and hope to get a good score in the next performance review!

In essence, this model is designed to help an orgnaisation decide if it is financially viable to invest in security technology/controls/procedures in order to address a given risk. It is not designed to be used across an organisations risk management porogramme, but rather with those handful of risks that can’t be addressed in day to day operations and have to be escalated to senior management to be effectively resolved.  With limited budget and access to that senior leadership, this approach provides support and guidance on what to ‘fix’ and what not to fix.

This scope is a key element of the model; it uses very traditional approaches to monetizing risk versus the more in vogue approach I have reviewed elsewhere in this blog. To that end it uses assigned numerical values to elements of its calculations; this is of course where ‘errors’ may creep in, but in theory an experienced risk manager familiar with their environment should be able to assess this reasonably well.

In summary, the model is as follows:


Figure 2 in the model requires an analysis of controls required to address a risk.


This does of course beg the question, how do you know you have all of the controls required and how do you know you have selected the correct numerical value? Again, the pragmatist in me suggests this is entirely possible with someone who is familiar with the environment and the organisation, but this may of course be more difficult in other situations.

Figure 3 does a similar thing with a similar level of granularity, i.e. defining in nine increments the ease of exploitation of a given risk; where I think there is potentially something missing is that this value applies to ALL of the risks listed in figure 2 rather than individually.


Obviously this would massively increase the complexity of the solution but this is a deliberate approach to ensure simplicity across the model.

These two numbers are then combined with a simple calculation of impact to etsablish a level of monetized risk. Finally, the 80/20 rule (or Pareto’s Principal) is used as a rule of thunmb to define the actual budget that should be spent to mitigate a risk. In the example given therefore a monetized risk of roughly $1.5m USD should be mitigated by spending up to $380k USD and no more. The Pareto Principal can of course be adjusted accoring to your organisations risk appetite, that is, the more risk averse the organisation the more the rule would move from 80/20 to 70/30 or 60/40 etc..

There are a lot of assumptions used in this model, not least the numerical values that may seem to be arbitrarily assigned. However, I believe this can be forgiven for the very simple reason that this is a pragmatic, transparent and easily understood approach; it can be easily transferred into an Excel spreadsheet meaning that some simple modelling can be carried out. I have said before that until the newer approach to risk management has a more easily understood and implentable approach it will not be adopted. This model does.

The other part to this model that I like is that it is not designed to be a cure all, but rather a tool to help organisations decide where to spend money. If the approach is understood then an informed decision can be made within the constraints of that model (or indeed any other model). I believe it is influenced by the ISO27005 approach to risk management which means many risk management folks will be able to grasp and adopt it more easily.

Overall, this is a model that can be adopted quickly and easily by many organisations, and implemented successfully, as long as its basis in assigning numerical values is understood, and calculations are carried out by those in a position to understand their risk profile well. I would strongly recommend you tai a look at the model yourself over at Wired Innovation Insights.

Pros – easily understand, pragmatic, focussed on one business issue, easily implemented.

Cons – relies on assigning ‘arbitrary’ numerical values, doesn’t address granularity of risk and ease of exploiutation.

Why the Feds will still be attending DefCon

not_a_cia_undercover_agent_tee_shirt-r9461211bf55a482f9a192e013ac3584c_804gs_216This is not a the type of post you normally get from me but I felt compelled to jump out of my comfort zone given the amount of coverage that DefCon is getting as a result of banning “Feds” from attending DefCon 21 this year.

My personal opinion on this is somewhat irrelevant given DefCon is not the type of conference I attend given the core topics covered are not my day job. For what it is worth however I am a staunch believer in having as open and transparent a dialogue between two opposing viewpoints as possible, and therefore feel this is an odd and somewhat self defeating decision.

But perhaps more importantly I feel there is something of a naiveté surrounding the fact that 1) people think the message will be taken seriously by the Feds, and 2) that the Feds have not successfully been undercover there anyway.

I know that the “Spot the Fed” fun that occurs every year is seen as proof that the general community of attendees is able to spot the government moles that attend. I find this preposterous though! Whatever department of “Fed” it is that attends, be it the NSA, FBI, CIA or other TLA agency I think it is germane to appreciate that these are a group of people who successfully infiltrate  organisations far more dangerous than DefCon, and for far longer periods. Undercover operations are taken extremely seriously, require extraordinary amounts of character and commitment, and are not easily undermined. I am sure someone with the power of Google will be able to find the odd example of undercover operations that have gone awry, but to my mind, there are likely to be more Feds at DefCon than anyone would think, and there have been for years.

I am not going to go into what the motives for doing this are, that is for people far more politically minded than me. I would however suggest that this years Spot the Fed competition will be a dud, not because they aren’t there, but because the Feds who attend in plain sight won’t be attending. Who will you be sitting next to at DefCon this year, and how much about them do you really know?

Taking RANT to New Levels

Noise Next Door giving conferences a new twist

Noise Next Door giving conferences a new twist

For a variety of reasons I have been unable to post here as frequently as I have liked, but the great advantage of attending a conference is that it does spur one into action to get something written down. Tuesday Jun 11th saw a new kind of conference come to town, the RANT conference. Based upon the monthly RANT forum there were only three individual speakers with the rest of the sessions effectively panel debates but with significantly more audience interaction encouraged.

There were a number of highlights for me, not least all of the people I met there, new friends and old. One of the big surprises for me was the opening keynote from Mark Stevenson of the League of Pragmatic Optimists. I thought it an odd choice of speaker, a futurologist, but very much enjoyed his talk once I got over myself. he looked at (amongst many other things)  how the digital revolution is changing our lives daily. What it came down to though is that despite the massive amount of change that has gone before us, the digital revolution is merely the cocktail sausage of dinner; we cannot begin to imagine what is around the corner.

I also enjoyed watching Javvad play up to his InfoSec rockstar status alongside Neira Jones and the irrepressible Stephen Bonner. It was unfortunate that the final panellist, Ed Gibson, killed the dynamic of the panel dead, changing what should have been an upbeat and funny session into a monologue of personal dislikes that crossed the line into embarrassing.  I thought Javvad played to his RockStar persona very well, but also presented how he made his way to the level of industry notoriety he currently enjoys and the benefits it actually brings to the industry. The serious point of them actually being ambassadors for infosec was quite rightly made. Unfortunately Ed did the same for the next panel on state sponsored espionage, killing what should have been a powerful insight into the topic given his background. I understand Ed is a very highly rated speaker, but on the evidence of yesterday I won’t be rushing to see him speak, and how he handled himself was unfair on the other panellists and indeed on us as an audience.

The Boy Band Strikes back

The Boy Band Strikes back

The rest of the day went very well though, with plenty of laughs with the University Challenged pitting the grey hairs of the industry against the students of Royal Holloway, and a session on security awareness that I was invited to participate in alongside Geordie Stewart, Charles Clarke, Christian Toon and my old mate Bruce Hallas. The reaction from the audience was very positive, with some great questions and opinions. We didn’t all agree, which is exactly what needs to happen; if we all agree, nothing changes, but if there is dissent then that can finally lead to actually driving change in the industry. On the whole it was well received and moderated nicely by Jim Shields, although someone did tweet that he thought the conversation was “same old same old re training me thinks” which is actually fair enough; I do think however that we can only stop talking about it when it is “fixed” (whatever that means!).

Stephen Bonner’s presentation was a distinct improvement upon what he presented at BSides, and was a thoroughly enjoyable rant, replete with chocolate missiles for the audience.

The excellent Twist and Shout were managing the video and photography, and shared many of their corporate training videos in the breaks between sessions that not only gave a very polished and slick feel to the whole day, but also some light relief.

Networking drinks were copious and enjoyable, and the dinner was excellent with after dinner entertainment from Jim Shields in his stand up comedian alter ego and an improv comedy troupe Noise next Door. A fuzzy head this morning tells me I had perhaps a little too much fun.

It was an awesome conference overall, and I hope to see it grow and become part of the established circuit. The format can only get better as while there is a place for the traditional presentation of one person delivering content and then taking some questions has its place, there is a huge advantage to the RANT approach. It allows the audience to engage far more effectively and I would hazard a guess that the audience actually retains more than the standard 20% of content afterwards. Huge congratulations to Acumin for not only making it happen, but also for ensuring it was as free from the commercialisation of so many other vendor driven events, a hugely refreshing approach. The biggest congratulation of the day though must go to Gemma for making it happen.


From Paris With Love; the oncoming storm of the generational gap

frompariswithlove_1The media has been awash with stories about Paris Brown, the UK’s first youth police and crime commissioner who felt she had no option to resign even before formally taking up her post as a result of allegedly offensive messages she had posted on Twitter.

To many, she had done nothing wrong; here was a teenager who was simply testing and pushing the boundaries of her adolescent world, sharing views and comments in her private life in an attempt to learn, identify with and grow into an adult. She had been chosen from a large number of candidates for this role precisely because she was typical of many of her peers, and her views of the world and the society she lived in, warts and all, were almost a requirement of the role in the first place.

To others, she was demonstrating vulgar and offensive sensibilities in a public domain that have no place in a role in public office. To that end Kent Police are currently reviewing the tweets in question so ascertain if a case should be made against her.

I believe this is going to be the thin end of the wedge, and that many more instances of issues like this will come through over the coming  years. This is going to have, in my opinion, a number of ramifications in our industry in a number of areas:

BYOD. The adoption of smartphones across society combined with bring your own device policies across industries has meant that the boundaries between personal and professional life are becoming increasingly blurred. This blurring means that people will increasingly lose the definition between what can and can’t be shared from the workplace which is going to become an issue. Sharing confidential documents via a BYOD enabled smartphone to personal accounts so they can be worked from home is not going to be seen as an issue; the content is on “my” device after all. Tweeting or blogging about activities from the workplace is increasingly the norm, even if those activities are confidential or secret. Even the acronym NSFW, not safe for work, has evolved to identify what content may or not be suitable for viewing and sharing in the workplace (how else can I get the time to view all of this awesome content?). As quickly as NSFW has come about I predict it’s demise as these boundaries crumble and fall and anything and everything will be considered as acceptable to view at work as long as it is on “my device”.

Privacy vs Personal.  There has been a growing trend amongst recruiters to look at the social media profiles of potential candidates. There is nothing illegal or unethical in this per se, although even standard police employment checks for the kind of role Paris Brown was entering into don’t specifically call out the need for social media checks/reviews. This is the dichotomy of the situation; how can I expect privacy when I do not observe it with my company data, and yet posting my weekends antics to my friends should remain with my friends, and yet this is the very real expectation it seems. How long will it be before this crashing realisation for a generation of people that what they have done in their adolescent years as they grew up really wasn’t just between friends but between the whole world, and put them at a distinct disadvantage in the job market? And will this realisation bring a raft of legislation along the lines of age discrimination, that disallows the use of this information during interview? There have already been cases of prospective employers in the US asking for Facebook credentials of candidates in order to check their backgrounds. Whilst this does cross moral, ethical and professional lines in many of our books, this is the inevitable alternative if this legislation doesn’t come in. As an infosec industry we will be on the front line of educating people of these consequences and potentially enforcing any incoming legislation in the workplace.

Professionalism in our Industry. But what about the here and now? As a profession we are held to a high standard of professional standards and ethics. All the organisations that we affiliate ourselves with to one extent or another have clear professional ethics. If during the recruitment process you have an opportunity to review somebodies social media background, would you take it? How would you use that information, and to what extent would a checkered social life influence your decisions? There are two sides to this of course; do your professional ethics stop you from looking (or just taking action from them), but then again would you want someone who appears to display a lack of self control and publicly put themselves into position of vulnerability that may allow them to be more easily bribed or blackmailed in an area that demands high levels of security and trust?

This generational gap in appreciation of the long lasting impacts of current social media in the world of big data is an area I believe is yet to be addressed fully. The sociological impacts of a series of younger generations engaging with an always on culture of social media are not yet fully understood and should be explored further. I hope the above is dipping a toe in the water of this huge body of water. Ultimately, if you are not paying for it, you are not the customer; you are the product…


RANT Panel Debate: “Should You Train Your Users on Security Awareness?”

I spent last night with five eloquent, passionate and above all opinionated colleagues arguing the pros and cons of security awareness training. We were doing this at the monthly Acumin RANT forum to a packed crowd who, as always, were not shy in holding back on their opinions.

The Crowd, who make RANT what it is!

The Crowd, who make RANT what it is!

We had two stand ins replacing Christian Toon and Kai Roer in the form of Bernadette Palmer and Andrew Agnes both of whom bought a huge amount of experience, opinion and humour to the evening. The lineup therefore was:


(The Award Winning) Javvad Malik, @j4vv4d

Bernadette Palmer

Andrew Agnes @sirjester



Geordie Stewart

Rowenna Fielding @infosecgeeklady

We did a standard pre vote just before starting (we garnered no votes and a lot of good natured laughs as expected!) and then we went straight into the standard For and Against cycle with me kicking off. Nobody had briefed me (or perhaps I hadn’t listened…) that we were reducing our standard six minutes each down to three! A quick reshuffle in my head and we were off. The photos may look like I am singing Karaoke, but beneath the entertaining exterior was my serious message!

I have posted my core arguments to this blog before so I won’t rehash them here again but what followed over the next eighty minutes was hugely interactive, passionate, thought provoking and hilarious! With a few dongle and fork gags thrown in this debate had everything! Of course there was no real conclusion but at the closing vote there was a small but very definite swing in our favour, hooray!

The Karaoke King!

The Karaoke King!

What I found the most interesting however was that on the whole our arguments converged; we all acknowledged that information security training as it stands now is simply not working. What we do with it however, was where the real debate lay. Do you throw the whole lot out and start form scratch or do you continue to try and fix what we have? I think this is the dilemma we need to face up to sooner rather than later in the industry, once of course we accept that our training programs don’t work. That part is where the industry needs the most help.

I normally try and stay around after these kinds of events and listen to other peoples opinions, gather feedback and generally mingle. Tonight however I had dinner with a few folks (@jimshout, @j4vv4d, @sirjester, @jee2uu) to discuss an upcoming project. More on that in the next few months but it was a productive and exciting evening overall.

Finally, there was some footage taken of the evening by Gemma of Acumin; like all my footage if it ever sees the light of day I will get it posted here as soon as possible! As always a huge thank you to Gemma, Simon, Chris et al from Acumin for not only making this happen but asking me to be a part of it.

Andrew Agnes

Andrew Agnes

Geordie Stewart

Geordie Stewart