Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical Approach Towards Decision Making)

Just as there are two sides to every coin, there are two schools of thought in risk management. One camp believes that there is never enough data to make statistically significant risk decisions, because of the unknown-unknowns and because we never really know the entire population of data breaches. Another camp believes that we have well-detailed information about specific domains and that, using Bayesian math, we can reach conclusions on how to manage risk. Regardless of which camp you belong to or what you believe about risk management, the fact is that we all manage risk. This session discusses the two camps and proposes a hybrid model that goes beyond technical details into the core of trusted knowledge relationships.

  1. Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical Approach Towards Decision Making). Michael Dahn, ChaordicMind.com. Thursday, April 29, 2010
  2. Who am I?
  3. Which side are you on?
     • « Risk Management is Dead … Long Live Risk Management »
     Tastes Great! / Less Filling!
  4. Pete Lindstrom
     « We have already solved the problem of Risk Management over 200 times, the problem is that we don’t know which one is right. »
  5. Question Group 1
     Question                                                Answer
     What year was George Washington born?                   ?
     How many countries are in South America?                ?
     How many calories in an In-n-Out Double-Double burger?  ?
     What year was Diet Coke invented?                       ?
     How many elements are in the periodic table?            ?
  6. Variance?
     • Upper bound
     • Lower bound
     • Range (Upper – Lower)
     • Standard deviation
  7. Question Group 1
     Question                                                Answer
     What year was George Washington born?                   1732
     How many countries are in South America?                13
     How many calories in an In-n-Out Double-Double burger?  670
     What year was Diet Coke invented?                       1982
     How many elements are in the periodic table?            102
  8. Question Group 2
     Question                                                          Answer
     How many languages are available on Flickr.com?                   ?
     How many breach incidents were reported by DatalossDB in 01/10?   ?
     When did Arnold Palmer first win the PGA Masters Tournament?      ?
     How many minutes do Facebook users spend on the site / month?     ?
     How many contributors to the Encyclopedia Britannica in 2008?     ?
  9. Variance?
     • Upper bound
     • Lower bound
     • Range (Upper – Lower)
     • Standard deviation
  10. Question Group 2
     Question                                                          Answer
     How many languages are available on Flickr.com?                   8
     How many breach incidents were reported by DatalossDB in 01/10?   35
     When did Arnold Palmer first win the PGA Masters Tournament?      1958
     How many minutes do Facebook users spend on the site / month?     500b
     How many contributors to the Encyclopedia Britannica in 2008?     4,411
  11. Question Group 3
     Question                                                          Answer
     What percentage of all malicious code will be executed in 2012?   ?
     How many bugs are there in Windows Vista?                         ?
     What is the chance a Wikipedia article will contain an error?     ?
     How long will it take for an average computer to be p0wned in 2015? ?
     What is the air speed velocity…                                   ?
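The three question groups work as a calibration exercise: give a lower and upper bound for each answer, then count how many of the deck's answers fall inside your interval. This added example (not from the deck) scores a set of constructed intervals against the answers printed on slides 7 and 10 and treats Group 3, which has no answer key, as unscorable; the 90% confidence level and the 3.29 divisor used to turn a range into a standard deviation are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Estimate:
    """One interval estimate for a slide question, plus the deck's answer (None if none exists)."""
    question: str
    lower: float
    upper: float
    answer: Optional[float] = None

    def range_(self) -> float:
        return self.upper - self.lower

    def std_dev(self) -> float:
        # Assumption: the interval is a 90% interval of a normal distribution,
        # so its width spans 2 * 1.645 = 3.29 standard deviations.
        return self.range_() / 3.29

    def hit(self) -> Optional[bool]:
        # Group 3 questions have no answer key, so they cannot be scored at all.
        if self.answer is None:
            return None
        return self.lower <= self.answer <= self.upper


def score(estimates: List[Estimate], confidence: float = 0.9) -> Tuple[int, int, int, bool]:
    """Return (hits, scored, unscorable, overconfident): overconfident means the
    hit rate is below the confidence level the estimator claimed."""
    scored = [e for e in estimates if e.answer is not None]
    hits = sum(1 for e in scored if e.hit())
    overconfident = bool(scored) and hits / len(scored) < confidence
    return hits, len(scored), len(estimates) - len(scored), overconfident


# Constructed sample intervals; the answers are the ones printed on slides 7 and 10.
ESTIMATES = [
    Estimate("George Washington born", 1700, 1750, 1732),
    Estimate("Countries in South America", 10, 15, 13),
    Estimate("Calories in a Double-Double", 400, 600, 670),
    Estimate("Diet Coke invented", 1975, 1990, 1982),
    Estimate("Elements in the periodic table", 100, 120, 102),
    Estimate("Languages on Flickr.com", 5, 20, 8),
    Estimate("DatalossDB incidents, 01/10", 20, 60, 35),
    Estimate("Palmer's first Masters win", 1955, 1965, 1958),
    Estimate("Facebook minutes / month", 1e9, 50e9, 500e9),
    Estimate("Britannica contributors, 2008", 1000, 3000, 4411),
    Estimate("Malicious code executed in 2012 (%)", 0, 100),  # Group 3: no key
]

if __name__ == "__main__":
    hits, scored, unscorable, over = score(ESTIMATES)
    print(f"{hits}/{scored} inside the interval, {unscorable} unscorable, overconfident={over}")
```

With these sample intervals only 7 of the 10 scorable answers land inside, against the 9 a 90% interval should capture, which is the overconfidence the variance slides are pointing at.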
  12. Unknown-Unknowns
     • Known Knowns (KK) – People in this room now
     • Unknown Knowns (UK) – Population of the earth
     • Known Unknowns (KU) – The day I will die
     • Unknown Unknowns (UU) – Which risk management is right for you…
  13. To Know: “kennen” vs “wissen”
     « kennen » :: to know a fact – KK, UK, KU, UU
     « wissen » :: to know a concept – KK, UK, KU, UU
  14. Concepts vs Domains
     « Concepts » – an abstract or generic idea generalized from particular instances
     « Domain » – a sphere of knowledge, influence, or activity
     Domains contain Concepts
  15. Adam Shostack
     « What the industry needs is more data in order to form proper conclusions »
  16. I got your “more data”!
  17. Donn Parker: Frequent-ism
     Due to the unknown-unknown number of data breaches, any data set we collect may be too small to statistically analyze data.
     « Risk-based security is impossible »
     « Diligence-based security is what we need »
  18. Parker-nomics
     • Risk based approaches are nothing more than data alchemy
     • There is simply not enough public data available to make any sort of statistically significant conclusion when you assume that the entire population of data breaches or security failures (realistically unknown) is vastly larger
  19. Example: Rogue Device Detection (Sampling?)
  20. Diligence-based Model
     • Diligence to avoid negligence
     • Compliance to meet or exceed requirements of regulations, laws, and standards to avoid penalties
     • Enablement to meet business and budget needs
     « generally agreed upon best practices »
     https://www.issa.org/Library/Journals/2008/January/Parker-A%20Diligence-Based%20Idealized%20Security%20Review.pdf
  21. Alex Hutton: Bayesian-ism
     Probability is a probable term…
     « Governance without metrics and models is superstition »
     « Governance with metrics and models describes capability to manage risk »
  22. Hutton-nomics
     • Risk management: Time to blow it up and start over?
     • Evidence-based risk management – Deconstructed, notional view of risk
     • Metrics based management, governance, and risk – Failure if lack of data
  23. Managing Risk
     « Managing risk means aligning the capabilities of the organization, and the exposure of the organization with the tolerance of the data owners » - Jack Jones
  24. Managing Risk
     « Risk management may be hard (or even impossible)… … but we all manage risk » - Me
  25. Spheres of Expertise
     You don’t know everything « We > You »
     Practitioners don’t know everything « Experts > Practitioners »
     Next up… « Reputational weighted value »
     Success = more detailed info, per domain
  26. (slide without text)
  27. (slide without text)
  28. Domains of Knowledge: Expertise
  29. Sounds simple? Nope
     « Education, education, education »
     « Flexibility of Domains »
     « More data (per domain) for risk modeling »
  30. Conclusion
     « Seek first to understand and then to be understood »
     « Holistic information security »
     « Intra-connectedness of domains drive value of (risk) data »