I challenge the validity of any risk assessment/rating approach in use
today in infosec circles, whether it be OWASP or FAIR or IAM/ISAM or
whatever. They are all fundamentally flawed in that they are based on
qualitative values that introduce subjectivity, and they lack the
historical data seen in actuarial science to make the probability
estimates even remotely reasonable. FAIR tries to compensate for this by
using Bayesian statistics, but the qualitative->quantitative conversion
is still highly problematic.

On prescriptive... the problem is this: businesses will not spend money
unless they're required to do so. Security will never succeed without at
least an initial increased spend. It is exceedingly difficult to make a
well-understood business case for proper security measures and spend. I
think this is something you guys in insurance (you, Chris Hayes, etc.)
perhaps take for granted. The other businesses - especially SMBs - don't
even understand what we're talking about, and they certainly don't have
any interest in dropping a penny on "security" without seeing a direct
benefit.

Do I trust regulators to do things right? Of course not, but that's only
one possible fork. The other possible fork is relying on the courts to
finally catch up such that case law can develop around defining
"reasonable standard of care" and then evolving it over time. In either
case, you need to set a definitive mark that says "you must do THIS MUCH
or you will be negligent and held accountable." I hate standards like
PCI as much as the next guy because I hate being told how I should be
doing security, but in the short-to-mid-term it's the right approach
because it tells people the expectation for performance. If you never
set expectations for performance, then you shouldn't be disappointed
when people don't achieve them. The bottom line here is that we need to
get far more proactive in the regulatory space so that we can influence
sensible regulations that mandate change rather than relying on
businesses to "do the right thing" without understanding the underlying
business value.

Conceptually, I agree with the idealist approach, but in reality I don't
find that it works well at all. I've worked with a half-dozen or more
companies of varying size in the last couple years and NONE of them
understood risk, risk management, current security theory, or how the
implicit AND explicit value of security changes. It's just not intuitive
to most people, not the least of which because bad behaviors are
generally divorced from tangible consequences. Anyway... :)

I can go on forever on this topic... :)

-ben

On 2/3/10 10:06 AM, McGovern, James F. (eBusiness) wrote:
> While Wall Street's definition of risk collapsed, the insurance model of
> risk stood the test of time :-)
> 
> Should we explore your question of "how are risk levels defined in
> business terms" more deeply or can we simply say that if you don't have
> your own industry-specific regulatory way of quantifying, a good
> starting point may be to leverage the OWASP Risk Rating system?
> 
> I also would like to challenge and say NO to prescriptive. Security
> people are not Vice Presidents of the NO department. Instead we need to
> figure out how to align with other value systems (Think Agile
> Manifesto). We can be secure without being prescriptive. One example is
> to do business exercises such as Protection Poker.
> 
> Finally, we shouldn't say yes to regulatory mandates as most of them are
> misses on the real risk at hand. The challenge here is that they always
> mandate process but never competency. If a regulation said that I should
> have someone with a fancy title overseeing a program, the business world
> would immediately fill the slot with some non-technical resource who is
> really good at PowerPoint but nothing else. In other words a figurehead.
> Likewise, while regulations cause people to do things that they should
> be doing independently, it has a negative side effect on our economy by
> causing folks to spend money in non-strategic ways.
> 
> -----Original Message-----
> From: sc-l-boun...@securecoding.org
> [mailto:sc-l-boun...@securecoding.org] On Behalf Of Benjamin Tomhave
> Sent: Tuesday, February 02, 2010 10:19 PM
> To: Arian J. Evans
> Cc: Secure Code Mailing List
> Subject: Re: [SC-L] BSIMM update (informIT)
> 
> <soapbox>While I can't disagree with this based on modern reality, I'm
> increasingly hesitant to allow the conversation to bring in risk, since
> it's almost complete garbage these days. Nobody really understands it,
> nobody really does it very well (especially if we redact out financial
> services and insurance - and even then, look what happened to Wall
> Street risk models!), and more importantly, it's implemented so shoddily
> that there's no real, reasonable way to actually demonstrate risk
> remediation/reduction because talking about it means bringing in a whole
> other range of discussions ("what is most important to the business?"
> and "how are risk levels defined in business terms?" and "what role do
> data and systems play in the business strategy?" and "how does data flow
> into and out of the environment?" and so on). Anyway... the long-n-short
> is this: let's stop fooling ourselves by pretending that risk has
> anything to do with these conversations.</soapbox>
> 
> I think:
>  - yes to prescriptive!
>  - yes to legal/regulatory mandates!
>  - caution: we need some sort of evolving maturity framework to which
> the previous two points can be pegged!
> 
> cheers,
> 
> -ben
> 
> 
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________
> 
> 

-- 
Benjamin Tomhave, MS, CISSP
tomh...@secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
"Champions aren't made in gyms. Champions are made from something they
have deep inside them - a desire, a dream, a vision. They have to have
last-minute stamina, they have to be a little faster, they have to have
the skill and the will. But the will must be stronger than the skill."
Muhammad Ali
