The different view of risk modelling

As someone whose primary function at work is the ‘management’ of risk in all of its glorious forms, I have over the years become very comfortable with its accepted definition and how to measure it. ISO 27005:2008 was my bible, giving me the flexibility to choose a schema that worked for my particular environment as well as the credence that I was doing it right. I always knew that assigning arbitrary numbers to things wasn’t exactly the most scientific way of actually measuring something, but I could deal with that by simply talking about “indicative values” and “helps with prioritisation”.

It was a little under two years ago at the RSA conference that I attended a talk entitled “Pimp My Risk Model: Getting Resilient in a Complex World” by David Porter, in which he spoke about a new approach to risk modelling. Rather than focussing on what could happen, and then playing that through to the conclusion of an impact that is then measured, it instead focussed on what the desirable outcomes were in the first place and then worked backwards, establishing what was required to achieve them: basically dependency modelling. Not only is this more efficient and scalable, as not all permutations of threat/vulnerability/asset (for instance) need to be worked out, it also provides better information for early decision making.

The concept is not new, and has its roots in the financial markets and actuarial profession of the late last century, where people were looking for better ways to model and manage risk.

There are a number of proponents of this approach, all of whom have a far better understanding of it than me, but despite this, in the last two years I have simply not seen it in a practical form that can be used every day. Unfortunately, and I am sure I am not alone here, if I can’t implement it quickly it gets passed over for the next best thing that can be. In fact, and perhaps only in my own blinkered universe, the approach itself has barely raised a murmur since. And yet the concept had stuck with me, especially on the few occasions when I had heard it talked about.

It was on Russell Thomas’s blog, exploringpossibilityspace, that I saw just the other day this very approach being touted again. What I enjoyed about this post was the balanced and educational view of the traditional approach (the little “r” approach in Russell’s parlance) versus the new dependency modelling approach (big “R”). I think the criticism of ‘r’ methods is well founded, although it is widely understood in business and, when used properly, can help produce at the very least tactical indicators of risk to the business.

My challenge with the ‘R’ approach is that I have yet to see it applied in practical terms and in a way that is easy to digest and understand (I think I hurt myself about two thirds of the way down the article trying to get to grips with the concepts!). As a result, getting business buy-in is going to be extremely challenging. Partial information from an ‘r’ approach reaching the business successfully is going to be better than no information from an ‘R’ approach (however much better the data is) reaching the business.

I would strongly recommend everyone to read Russell’s writings on this risk model, which also contain links to other resources.

There is more work to be done, but I hope it focuses on making it possible to use the approach in a day to day environment; they say there is nothing new in the world of information security, but I have high hopes for an approach to risk modelling that will allow me to do so much more for the business in terms of long term, strategic guidance and support.

And when I can use this model in Excel, count me in!

<Some of you have commented on my extended absence, but a busy few weeks followed by a lovely holiday camping in France took priority. Back in the saddle now and very much looking forward to your comments and feedback!>



Why I am an Analogies Project contributor

That devilishly handsome bloke you see to the right is Bruce Hallas. I used to go to school with him nearly 25 years ago, and then last summer, at the first old boys’ school reunion that our year had organised since leaving, I met him again, and it turns out we are in the same infosec business. I spoke to him about all of the good work I am doing, the company I work for, the many countries I have visited, and generally tried to make myself feel more important than the skinny eighteen year old I was when I last saw him. He told me that he runs his own infosec consultancy and his own blog, works with the UK government, and was in the process of setting up “a project” as a freely available, self funding resource of analogies/stories to help people better understand information security. (Bruce immediately won the “my life is awesome since leaving school” competition of course.)

Since that time, The Analogies Project has grown from one man, an idea and a website to something producing real, quality content, and with a very promising and bright future.

In the words of the Project itself:

The Analogies Project has a clear mission. To tackle the unintelligibility of information security head on and secure the engagement of a much broader audience. Its aim is to bridge the chasm between the users, stakeholders and beneficiaries of information security and those responsible for delivering it.

Through a series of innovative initiatives the Analogies Project will enable information security professionals to effectively communicate with their chosen audiences. The content will be delivered through a variety of alternative communication techniques, media and partners.

The part of this project that I like the most is that it is essentially a community project. Bruce isn’t charging money for membership or for the analogies as they are written (and they are coming thick and fast now!), and none of the contributors are charging for their work either. There is not only the web contribution in the form of a library, but a book planned, a conference, and even an opera! With the momentum that is currently behind the project there is every reason to believe in its future success.

So why am I contributing? Honestly, I have both selfish and philanthropic reasons to do so. Obviously it gets my name out there, allows me to practise my writing, test some ideas and also say “I was there from the start”. All that aside though, I have frequently struggled in my day job to get infosec concepts across to people, either directly, in meetings or even in awareness training. To have had a resource like this available to me five years ago would have made my life so much easier, allowed me to advance the infosec “cause” more effectively and given me a set of tools I knew were consistent with the prevailing thoughts of industry commentators. Having a centralised, peer validated toolkit available is fundamental to us as professionals when it comes to the messaging we give to our users, clients, bosses, teams and even the infosec community as a whole.

It’s still early days, but I submitted my first contribution just last week (soon to be published, I hope) and I am already inspired enough to be working on my second and third. There are a number of analogies already in place, and I would urge you to read them and consider them in the context of your current communications to your audiences, whomever they may be. The book will be another important milestone and one I hope to play a part in; indeed I hope to be able to play a part in the project for the foreseeable future, which is why I am happy and proud to display my “contributor” badge up on the top right of this site.


If you feel you have something to contribute, then head over to The Analogies Project and let Bruce and the organisers know. If you don’t feel ready to, then certainly check it out anyway. You won’t regret it.


One Award, Two Conferences and a Surprise in the Works

I am just returning from a very full three days in west London for the annual infosec conference season. I will do my best to name as many of the wonderful people I met throughout all three days, both new and old, but if I miss a namecheck or two, forgive me, let me know, and I will rectify it immediately!

Tuesday brought the kick off of InfoSec Europe. After a quick run round to get some schwag and chat with a few key vendors I had lunch with Cindy (@cindyv), Dwayne (@thatdwayne), Jitender (@jitenderarora), Javvad (@j4vv4d) and Brian (@brianhonan) to chat about RSA Europe and our proposed submissions. This was quickly followed by a couple of panels in the Keynote theatre (one moderated by Javvad) and then some good gossiping with Brian and Neira (@neirajones) before heading off to one of the two award ceremonies of the night.

Well goodness, gosh and golly!


It was at this point the evening took a somewhat surreal turn. Having been nominated for Best Personal Security Blog at the inaugural European Security Bloggers Awards, I was both deeply honoured and supremely surprised to win! I was also very proud to see Javvad pick up two awards as well. To say that the evening started to blur somewhat from that point on would be an understatement, but I am glad to say that the award itself did make it home safely. I did spend quite some time talking with Dwayne and Jack (@jackdaniel), predominantly about the misogyny that still manages to find its way into infosec trade shows through booth babes, which were supposedly banned from this year’s InfoSec show (looking at you ForeScout…), and then about possibly spinning up a BSides in India. Jack proved what a class act he is by offering to advise anyone who would be willing to take on this mantle in India, something I am hoping to encourage. I will be posting more on the awards in the next few days, but suffice to say a huge thank you to Brian and Jack for making these awards happen.

Wednesday brought BSidesLondon. Whilst I was very disappointed not to have been able to speak, it did take the pressure off considerably and I was able to enjoy a few good talks (Javvad and Stephen Bonner, @stephenbonner) and some great conversations with friends and colleagues. Max (@hoolers), if you are reading this, I apologise unreservedly for not getting around to having the chat I promised! I also managed to meet my “rookie” for the Rookie Track, Gavin (@gavinholt), as well as having a great chat with Leron (@le_rond). Halfway through the afternoon I had to head back to InfoSec for a panel I was a part of on BYOD and Consumerisation. This went very well, was entertaining and informative in my opinion, and despite two attempts at distracting me by Geordie Stewart and Andrew (@sirjester) completed without incident!

Javvad and his heroes

View from the panel


A quick visit to the RANT forum (@rantforum) was followed by a couple of drinks at the BSidesLondon after party and then an early night.

Thursday brought a couple of early meetings, including one with Bruce to discuss the Analogies Project (@analogies), which is always a pleasure. I then formally went on vacation…

The rest of the day was taken up with filming for a project I am involved in with Javvad, Andrew and the very talented Jim (@jimshields) of Twist & Shout. More on that to follow in the coming few weeks, but I am incredibly excited at what this project may bring, not just to me personally but also to the infosec community as a whole (for instance, a sense of humour…).

After dinner with @secwonk, @gattaca, @turbodog, @anthonymfreed, Cindy, Javvad and Andrew, a weary but very satisfied Mr Langford returned home.

Highlights

  • Winning the Best Personal Security Blog Award
  • Thursday afternoon (see above)
  • ForeScout’s apparent admittance that they needed booth babes to help sell their product

Lowlights

  • Missing Gavin’s presentation because of a scheduling conflict
  • Not finding myself spoilt for choice for presentations to attend at BSides – I thought the choice was predominantly technical and not as broad as last year. Still a great conference, well run and with a huge amount of talent; just less applicable to me this year.

From Paris With Love; the oncoming storm of the generational gap

The media has been awash with stories about Paris Brown, the UK’s first youth police and crime commissioner, who felt she had no option but to resign even before formally taking up her post as a result of allegedly offensive messages she had posted on Twitter.

To many, she had done nothing wrong; here was a teenager who was simply testing and pushing the boundaries of her adolescent world, sharing views and comments in her private life in an attempt to learn, identify with and grow into an adult. She had been chosen from a large number of candidates for this role precisely because she was typical of many of her peers, and her views of the world and the society she lived in, warts and all, were almost a requirement of the role in the first place.

To others, she was demonstrating vulgar and offensive sensibilities in a public domain that have no place in a role in public office. To that end Kent Police are currently reviewing the tweets in question to ascertain if a case should be made against her.

I believe this is going to be the thin end of the wedge, and that many more instances of issues like this will come through over the coming years. This is going to have, in my opinion, a number of ramifications in our industry in a number of areas:

BYOD. The adoption of smartphones across society, combined with bring your own device policies across industries, has meant that the boundaries between personal and professional life are becoming increasingly blurred. This blurring means that people will increasingly lose the definition between what can and can’t be shared from the workplace, which is going to become an issue. Sharing confidential documents via a BYOD enabled smartphone to personal accounts so they can be worked on from home is not going to be seen as an issue; the content is on “my” device after all. Tweeting or blogging about activities from the workplace is increasingly the norm, even if those activities are confidential or secret. Even the acronym NSFW, not safe for work, has evolved to identify what content may or may not be suitable for viewing and sharing in the workplace (how else can I get the time to view all of this awesome content?). As quickly as NSFW has come about, I predict its demise as these boundaries crumble and fall and anything and everything is considered acceptable to view at work as long as it is on “my device”.

Privacy vs Personal. There has been a growing trend amongst recruiters to look at the social media profiles of potential candidates. There is nothing illegal or unethical in this per se, although even standard police employment checks for the kind of role Paris Brown was entering into don’t specifically call out the need for social media checks/reviews. This is the dichotomy of the situation: how can I expect privacy when I do not observe it with my company data? And yet posting my weekend’s antics to my friends should, it seems, remain with my friends; that is the very real expectation. How long will it be before the crashing realisation comes for a generation of people that what they did in their adolescent years really wasn’t just between friends but was shared with the whole world, and has put them at a distinct disadvantage in the job market? And will this realisation bring a raft of legislation along the lines of age discrimination, disallowing the use of this information during interview? There have already been cases of prospective employers in the US asking for the Facebook credentials of candidates in order to check their backgrounds. Whilst this crosses moral, ethical and professional lines in many of our books, this is the inevitable alternative if such legislation doesn’t come in. As an infosec industry we will be on the front line of educating people about these consequences and potentially enforcing any incoming legislation in the workplace.

Professionalism in our Industry. But what about the here and now? As a profession we are held to high professional standards and ethics. All the organisations that we affiliate ourselves with, to one extent or another, have clear professional ethics. If during the recruitment process you have an opportunity to review somebody’s social media background, would you take it? How would you use that information, and to what extent would a chequered social life influence your decisions? There are two sides to this of course: do your professional ethics stop you from looking (or just from taking action on what you find)? But then again, would you want someone who appears to display a lack of self control and has publicly put themselves into a position of vulnerability that may allow them to be more easily bribed or blackmailed, in an area that demands high levels of security and trust?

This generational gap in appreciation of the long lasting impacts of current social media in the world of big data is an area I believe is yet to be addressed fully. The sociological impacts of a series of younger generations engaging with an always on culture of social media are not yet fully understood and should be explored further. I hope the above is at least dipping a toe into this huge body of water. Ultimately, if you are not paying for it, you are not the customer; you are the product…



eCrime and Information Security Congress

I presented at the eCrime and Information Security Congress on Wednesday, and had a terrific time presenting my thoughts around making risk assessments more effective for the business. It was probably the largest audience I have presented to, and the stage and AV setup were suitably impressive. I had the support of two fine upstanding members of the infosec community (as well as @j4vv4d and @sirjester…) throughout the day and was fortunate enough to get some great feedback from both the organisers (in the form of @jonhawes) and Javvad after the event.

The key points I was making were:

  1. Ensure your risk management programme is producing the quality data that subsequently becomes business information.
  2. Know how to present your information in a compelling manner to ensure your message (and business information) gets across to the right people.
  3. Understand the connection between your activities and your organisation’s primary purpose, whatever that may be.

The presentation ran to just under twenty minutes, but unfortunately the house style appeared to be not to field questions at the end. I felt I engaged well with the audience and had some unsolicited feedback to that effect afterwards, but I would have welcomed the opportunity to chat around the ideas and concepts I was putting forward. If anybody who watched the presentation reads this post, please don’t hesitate to ask something!


As usual I have posted the slides below; I also intend to post a movie of the slides with a voiceover, but those of you who are still waiting for the footage from an event I did in September will know how prompt I am in creating these films. Javvad I am not!

The event itself appeared to be very well attended by both the public and sponsors, in fact a huge number of sponsors compared to even RSA Europe last year. The breakout sessions were apparently very useful (I was unable to attend any as I arrived only for the last half of the second day, but heard good things about them), and above all the food was excellent!

Thanks to the folks at AKJ Associates for inviting me to speak, and especially to Jon Hawes. With a bit of luck I will be doing more of this in the coming months.

CIA Triangle eCrimes Congress PDF