:: History ::
OWASP Austin [Lightning Talk] - July 31, 2012
:: Summary ::
Risk is commonly misunderstood in the security community. Examining the nature of risk will help us explain how it applies to security professionals.
:: Abstract ::
Risk is commonly misunderstood in the security community. However, the fundamental nature of risk is universal and analysis methods have been studied in other risk domains for quite some time. If we standardize our language, we can communicate more accurately with each other and leverage the collective knowledge of the risk analysis community.
7. The Bald Tire
Scenario Analysis
Identify the components in this scenario:
THREATS
VULNERABILITIES
RISKS
@pjbeyer allthingsphil.com
8. Asset
Risk depends on the ASSET
How many ASSETS did you consider?
The ASSET is the bald tire
9. Threat
Risk depends on the THREAT
How many THREATS did you consider?
The THREAT is the earth and the force of gravity that it applies
10. Vulnerability
Risk depends on VULNERABILITY
How did you consider VULNERABILITY?
Vulnerability depends on the THREAT
The potential VULNERABILITY is the frayed rope
11. Risk
the probable frequency and probable magnitude of future loss
12. Risk Analysis
Risk is a derived value
Risk is a probability issue
Risk has both a frequency and a magnitude component
The fundamental nature of Risk is universal, regardless of context
13. Probability
Possible
Probable
Predictable
photo credit: Wally Gobetz (flickr.com)
14. Shaman or Scientist
You might be a Security Shaman if you...
Assign risk based solely on "industry best practices"
Don't use a framework which yields repeatable risk analysis results
Can't rationally explain your risk analysis
15. Taxonomy
Risk
  Loss Event Frequency
    Threat Event Frequency
    Vulnerability
      Threat Capability
      Resistance Strength
  Loss Magnitude
    Primary Loss Magnitude
    Secondary Risk
17. Loss Event Frequency
Threat Event Frequency
Vulnerability
18. Loss Magnitude
Primary Loss Magnitude
Secondary Risk
19. Risk
Loss Event Frequency
Loss Magnitude
20. FAIR
Don't be a Security Shaman!
Factor Analysis of Information Risk
fairwiki.riskmanagementinsight.com
21. This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License
:: Editor's Notes ::
Risk is commonly misunderstood in the security community.
Let's explain Risk in terms of its components, look at a taxonomy, and introduce scientific risk analysis.

The Bald Tire Scenario #1
Picture in your mind a bald car tire. Imagine that it's so bald you can hardly tell that it ever had tread. How much risk is there?

The Bald Tire Scenario #2
Next, imagine that the bald tire is tied to a rope hanging from a tree branch. How much risk is there?

The Bald Tire Scenario #3
Next, imagine that the rope is frayed about halfway through, just below where it's tied to the tree branch. How much risk is there?

The Bald Tire Scenario #4
Finally, imagine that the tire swing is suspended over an 80-foot cliff with sharp rocks below. How much risk is there?

Now, identify the following components within the scenario. What were the:
- Threats
- Vulnerabilities
- Risks

Risk can't be calculated without identifying the asset.
This scenario only includes a single asset.
What asset assumptions did you make at each step of the scenario?

In the context of information risk, we can define Asset as any data, device, or other component of the environment that supports information-related activities, which can be illicitly accessed, used, disclosed, altered, destroyed, and/or stolen, resulting in loss.

A threat acts against an asset in a manner that can result in harm.
Different threats have different capabilities.
Consider the same scenario with a squirrel intent on gnawing through the rope.

A reasonable definition for Threat is anything (e.g., object, substance, human, etc.) that is capable of acting against an asset in a manner that can result in harm. A tornado is a threat, as is a flood, as is a hacker. The key consideration is that threats apply the force (water, wind, exploit code, etc.) against an asset that can cause a loss event to occur.

An asset is vulnerable to a threat.
Vulnerability is a derived value.
Calculating vulnerability has everything to do with the threat.
Consider the same scenario with a frayed steel cable.

You may have wondered why "potential" is emphasized when I identified the frayed rope as a potential vulnerability. The reason it's only a potential vulnerability is that we first have to ask the question, "Vulnerable to what?" If our frayed rope still had a tensile strength of 2000 pounds per square inch, its vulnerability to the weight of a tire would, for all practical purposes, be virtually zero. If our scenario had included a squirrel gnawing on the frayed rope, then he also would be considered a threat, and the rope's hardness would determine its vulnerability to that threat. A steel cable (even a frayed one) would not be particularly vulnerable to our furry friend. The point is that vulnerability is always dependent upon the type and level of force being applied.

Risk depends on threat, vulnerability, and asset characteristics.
Risk is a derived value.
Calculating risk has everything to do with how you frame the scenario.

The following definition applies regardless of whether you're talking about investment risk, market risk, credit risk, information risk, or any of the other commonly referenced risk domains:

Risk: the probable frequency and probable magnitude of future loss

In other words, "how frequently something bad is likely to happen, and how much loss is likely to result." As stated above, these probabilities are derived from the combination of threat, vulnerability, and asset characteristics.

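
As an added worked example (not part of the talk or of FAIR's own calculation method), the taxonomy on the slides can be walked through as a derivation: Vulnerability is the probability that the threat's capability exceeds the asset's resistance strength, Loss Event Frequency is Threat Event Frequency times Vulnerability, and Risk is Loss Event Frequency times Loss Magnitude. The code below runs the bald tire scenario through that chain with constructed, discrete force distributions; every number, the ordinal "force level" scale and the `Scenario` fields are assumptions, and Secondary Risk is simplified to an expected secondary loss per loss event.

```python
from dataclasses import dataclass
from itertools import product

# A distribution over ordinal force levels (constructed scale): level -> probability.
Distribution = dict[int, float]

@dataclass
class Scenario:
    """One framing of the bald tire scenario, following the taxonomy on the slides."""
    name: str
    threat_event_frequency: float      # how often per year the threat acts on the asset
    threat_capability: Distribution    # force the threat can apply
    resistance_strength: Distribution  # force the asset can withstand
    primary_loss_magnitude: float      # direct loss per loss event (constructed units)
    secondary_risk: float              # simplified: expected secondary loss per loss event

def vulnerability(threat_capability: Distribution, resistance_strength: Distribution) -> float:
    """Derived value: probability that the force applied exceeds the force resisted.
    Equal force is assumed to hold, so only strictly greater capability counts."""
    return sum(p_cap * p_res
               for (cap, p_cap), (res, p_res) in product(threat_capability.items(),
                                                         resistance_strength.items())
               if cap > res)

def loss_event_frequency(s: Scenario) -> float:
    # A threat event becomes a loss event only when the asset turns out to be vulnerable.
    return s.threat_event_frequency * vulnerability(s.threat_capability, s.resistance_strength)

def loss_magnitude(s: Scenario) -> float:
    return s.primary_loss_magnitude + s.secondary_risk

def risk(s: Scenario) -> float:
    """Probable frequency times probable magnitude of future loss (expected annual loss)."""
    return loss_event_frequency(s) * loss_magnitude(s)

# Constructed inputs. Gravity always applies the tire's weight (level 3); a frayed rope
# may hold (level 4) or give way (level 2); a frayed steel cable still holds far more.
GRAVITY = {3: 1.0}
SQUIRREL = {1: 0.7, 3: 0.3}        # usually a nibble, occasionally a determined gnaw
FRAYED_ROPE = {2: 0.6, 4: 0.4}
STEEL_CABLE = {5: 1.0}

tire_on_rope = Scenario("frayed rope over cliff", 365, GRAVITY, FRAYED_ROPE, 80.0, 20.0)
tire_on_cable = Scenario("frayed steel cable over cliff", 365, GRAVITY, STEEL_CABLE, 80.0, 20.0)
squirrel_on_rope = Scenario("squirrel gnawing frayed rope", 12, SQUIRREL, FRAYED_ROPE, 80.0, 20.0)

if __name__ == "__main__":
    for s in (tire_on_rope, tire_on_cable, squirrel_on_rope):
        v = vulnerability(s.threat_capability, s.resistance_strength)
        print(f"{s.name}: vulnerability={v:.2f} LEF={loss_event_frequency(s):.1f}/yr risk={risk(s):.1f}/yr")
```

Reframing the same asset against a different threat (the squirrel) or with a different resistance (the cable) changes Vulnerability, and therefore Risk, without touching the loss magnitude, which is the point the slides make about "Vulnerable to what?".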
Risk is a derived value... Let that sink in.
Probability, frequency, and magnitude are all involved.
Information risk is no different from any other risk domain in business, government, or life.

What is probability?
It is POSSIBLE that an Alaskan Brown Bear will come through that door and maul me right now. However, it is not PROBABLE.
I'm very confident that the PROBABILITY of rolling snake eyes on a pair of 6-sided dice is 1 in 36. I'm not at all confident in the PREDICTABILITY of when that roll will occur.

Possibility is a binary condition: either something is possible, or it's not.
Probability reflects the continuum between absolute certainty and impossibility.
Predictability is a level of confidence in a forecast about what will happen.

A shaman prescribes a remedy based upon what his forefathers have passed down to him.
Some shamans may be extremely intuitive and great at what they do, but they are artists, not scientists.
A shaman can't credibly explain why the cure works.

Scientific analysis leads to deeper understanding.
The scientific method is: define the problem; substantiate a theory; propose and test a hypothesis; come to a conclusion; learn something.

Best practices are often based on long-held shamanistic solutions, tend to be one-size-fits-all, may evolve more slowly than the conditions in which they're used, and can too often be used as a crutch (e.g. "I can't explain why, so I'll just point to the fact that everyone else is doing it this way.").

Don't be a Security Shaman!
Derive your Risk!

Don't be a Security Shaman!
Derive the Vulnerability of your Assets!

Don't be a Security Shaman!
Derive the frequency of your Loss Events!

Don't be a Security Shaman!
Derive the Magnitude of a probable Loss!

Don't be a Security Shaman!
Derive your Risk!