Secure Coding mailing list archives

BSIMM update (informIT)


From: James.McGovern at thehartford.com (McGovern, James F. (eBusiness))
Date: Wed, 3 Feb 2010 12:05:07 -0500

OK, being the insurance enterprisey security guy, I think you may be onto
something. One of the many reasons why actuarial science can work in
insurance is the fact that there is a lot more public data than in IT
security. If you smash your car into a wall, your chosen carrier doesn't
just pay the claim. This information is shared in what we refer to as
the CLUE database. Other carriers, should you decide to switch carriers,
will also know the characteristics of your loss.

CLUE works because folks have figured out that sharing of negative
information can benefit the business. Likewise, CLUE did enough homework
to figure out the right taxonomy and metadata in order to make it
happen. Have security professionals ever figured out how to turn
something bad into something good for the same organization? Have
security professionals ever figured out even how to describe a security
"event" in a consistent enough way such that actuarial-type calculations
could occur...

FYI. CLUE is successful and isn't done for regulatory reasons. It is
done for sound business practice. The same model we should operate
within...

-----Original Message-----
From: Benjamin Tomhave [mailto:list-spam at secureconsulting.net] 
Sent: Wednesday, February 03, 2010 11:07 AM
To: McGovern, James F. (P+C Technology)
Cc: Secure Code Mailing List
Subject: Re: [SC-L] BSIMM update (informIT)

I challenge the validity of any risk assessment/rating approach in use
today in infosec circles, whether it be OWASP or FAIR or IAM/ISAM or
whatever. They are all fundamentally flawed in that they are based on
qualitative values that introduce subjectivity, and they lack the
historical data seen in actuarial science to make the probability
estimates even remotely reasonable. FAIR tries to compensate for this by
using Bayesian statistics, but the qualitative->quantitative conversion
is still highly problematic.

On prescriptive... the problem is this: businesses will not spend money
unless they're required to do so. Security will never succeed without at
least an initial increased spend. It is exceedingly difficult to make a
well-understood business case for proper security measures and spend. I
think this is something you guys in insurance (you, Chris Hayes, etc.)
perhaps take for granted. The other businesses - especially SMBs - don't
even understand what we're talking about, and they certainly don't have
any interest in dropping a penny on "security" without seeing a direct
benefit.

Do I trust regulators to do things right? Of course not, but that's only
one possible fork. The other possible fork is relying on the courts to
finally catch up such that case law can develop around defining
"reasonable standard of care" and then evolving it over time. In either
case, you need to set a definitive mark that says "you must do THIS MUCH
or you will be negligent and held accountable." I hate standards like
PCI as much as the next guy because I hate being told how I should be
doing security, but in the short-to-mid-term it's the right approach
because it tells people the expectation for performance. If you never
set expectations for performance, then you shouldn't be disappointed
when people don't achieve them. The bottom line here is that we need to
get far more proactive in the regulatory space so that we can influence
sensible regulations that mandate change rather than relying on
businesses to "do the right thing" without understanding the underlying
business value.

Conceptually, I agree with the idealist approach, but in reality I don't
find that it works well at all. I've worked with a half-dozen or more
companies of varying size in the last couple years and NONE of them
understood risk, risk management, current security theory, or how the
implicit AND explicit value of security changes. It's just not intuitive
to most people, not the least of which because bad behaviors are
generally divorced from tangible consequences. Anyway... :)

I can go on forever on this topic... :)

-ben

On 2/3/10 10:06 AM, McGovern, James F. (eBusiness) wrote:
While Wall Street's definition of risk collapsed, the insurance model 
of risk stood the test of time :-)

Should we explore your question of "how are risk levels defined in 
business terms" more deeply or can we simply say that if you don't 
have your own industry-specific regulatory way of quantifying, a good 
starting point may be to leverage the OWASP Risk Rating system?

I also would like to challenge and say NO to prescriptive. Security 
people are not Vice Presidents of the NO department. Instead we need 
to figure out how to align with other value systems (Think Agile 
Manifesto). We can be secure without being prescriptive. One example 
is to do business exercises such as Protection Poker.

Finally, we shouldn't say yes to regulatory mandates as most of them 
are misses on the real risk at hand. The challenge here is that they 
always mandate process but never competency. If a regulation said that
I should have someone with a fancy title overseeing a program, the 
business world would immediately fill the slot with some non-technical
resource who is really good at PowerPoint but nothing else. In other
words, a figurehead.

Likewise, while regulations cause people to do things that they should
be doing independently, it has a negative side effect on our economy 
by causing folks to spend money in non-strategic ways.

-----Original Message-----
From: sc-l-bounces at securecoding.org
[mailto:sc-l-bounces at securecoding.org] On Behalf Of Benjamin Tomhave
Sent: Tuesday, February 02, 2010 10:19 PM
To: Arian J. Evans
Cc: Secure Code Mailing List
Subject: Re: [SC-L] BSIMM update (informIT)

<soapbox>While I can't disagree with this based on modern reality, I'm
increasingly hesitant to allow the conversation to bring in risk, 
since it's almost complete garbage these days. Nobody really 
understands it, nobody really does it very well (especially if we 
redact out financial services and insurance - and even then, look what
happened to Wall Street risk models!), and more importantly, it's 
implemented so shoddily that there's no real, reasonable way to 
actually demonstrate risk remediation/reduction because talking about 
it means bringing in a whole other range of discussions ("what is most
important to the business?" and "how are risk levels defined in
business terms?" and "what role do data and systems play in the
business strategy?" and "how does data flow into and out of the
environment?" and so on). Anyway... the long-n-short is this: let's
stop fooling ourselves by pretending that risk has anything to do with
these conversations.</soapbox>

I think:
 - yes to prescriptive!
 - yes to legal/regulatory mandates!
 - caution: we need some sort of evolving maturity framework to which 
the previous two points can be pegged!

cheers,

-ben
************************************************************
This communication, including attachments, is for the exclusive use of
addressee and may contain proprietary, confidential and/or privileged
information.  If you are not the intended recipient, any use, copying,
disclosure, dissemination or distribution is strictly prohibited.  If
you are not the intended recipient, please notify the sender immediately
by return e-mail, delete this communication and destroy all copies.
************************************************************


_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org List 
information, subscriptions, etc - 
http://krvw.com/mailman/listinfo/sc-l
List charter available at - 
http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC 
(http://www.KRvW.com) as a free, non-commercial service to the
software security community.
_______________________________________________



--
Benjamin Tomhave, MS, CISSP
tomhave at secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
"Champions aren't made in gyms. Champions are made from something they
have deep inside them - a desire, a dream, a vision. They have to have
last-minute stamina, they have to be a little faster, they have to have
the skill and the will. But the will must be stronger than the skill."
Muhammad Ali