ISSA ORM 2012 June 20 v0.3

Operations
Risk
‘Management’

ISSA NL
Eurojust Den Haag, June 20 2012
Jurgen van der Vlugt

Agenda

Intro

ORM

The Totalitarian Dictatorship
of the
Perfected Bureaucracy

Was Nun?
Operations Risk 'Management' ISSA June 20 2012

• Jurgen = Ir.drs. J. van der Vlugt RE CISA CRISC
• Maverisk Consultancy, IS Audit and Advisory services
(KPMG, ABN AMRO, Noordbeek, Achmea, ABN AMRO
322 (F16) sqn, RNLAF Vlb Leeuwarden-Noord)
• (IS) Audit, (Info)Security, Y2k, BCM, ERM/ORM
• ISSA, NOREA: Various committees


You

Interruptions,
Please!
• WIP
• Contestable content

(Hi Darryl! )


Agenda

Intro

→ ORM

of the

Was Nun?

Infosec; traditionally bottom-up


B2
• 5 / 95 pp. Mention of ‘O’ (incl ToC)
• ‘Guidance’ → Hobson’s choice …
… → Catch-22 (zie verderop)
• Loss db driven (stats)
• Amateur mistakes:
• Event = 1 Cause, 1 Effect … At best: ± n:1:m
• Non-orthogonal categories, weak definitions
• No time aspect, no feedback loops
• Modeling: Figure it out yourself
• Wrong model


(Intermission: Turf wars)

Many small errors; easily undone or insignificant

Freq
Material (significant) damage; will occur frequently
Ops (but is not ‘routine’)
Los
ses

Break-the-business incidents;
organization will not survive the hit

Security
Incidents
Threats to continuity

Impact


‘Risk’ ‘Methodology’

• Risk = Chance x Impact (H/M/L, 3/5-scale)
Initiële auditissues Forecast ultimo 2011

1 2

3 4 4 3

5
9

7 8 6
9
Kans

Kans
6

2
7
1

Impact Impact


Risk ‘methodologu’
• 1 Kans Shame!
• … per? Year? Transaction? Nanosecond?
• 1 Impact Shame!
• … Only financial? Reputation, etc.?
• H x H = 25 Shame!
• 3xM=H Shame!
• ’16’ > ’12’ Shame!
• Who estimates ‘H’;
how and with what evidence?
• No-one corrects that?


n:m and feedback, and time, continuity


‘In control’ …?


Wait, there’s more


Wait… even more

In particular, for any consistent,
effectively generated formal
theory that proves certain basic
arithmetic truths, there is an
arithmetical statement that is
true, but not provable in the theory.
Kurt Gödel

No matter how perfect you try to
protect, infosec incidents will
happen
Yours Truly Operations Risk 'Management' ISSA June 20 2012

‘Turkey before Thanksgiving’


Don’t start on cost issues

What was it astronaut John
Glenn said went through his mind
as he awaited lift-off?
"You're thinking you're sitting on
top of the most complex machine
ever built by man, with a million
separate components, all
supplied by the lowest bidder."


Attempting functions

∫ ( Chance × Impact )

∑( Costs of countermeasures )
For many series of functions and parameters, impact estimate
ranges (…), variable sets of countermeasures
Including variable degrees of effectiveness, with vague notions
of risk appetites in some backs of minds

(I’ll come back to that later)


Yes but …: your arguments

1. Yes we know all that. Nothing’s perfect.
2. The assumptions are reasonable.
3. The assumptions don’t really matter.
4. The assumptions are conservative.
5. You cannot prove the assumptions are wrong.
6. We only do what everyone else does.
7. The decision maker is better off with us than without us.
8. The models are not completely useless.
9. You gotta make the best of the data you’ve got.
10. You need assumptions to make progress.
11. The models deserve the benefit of the doubt.
12. Models and assumptions don’t do any harm so why bother …?

© David Freedman (in Nassim Taleb’s Black Swan)


Operational Risk (≡ ..?) ‘Management’
Evaluate design & Analysis Monitor & react
set-up

Operational Risk Problem
Management Mgt
Incidents
ORAP Inherent
Controls Risk indicators for analysis
risks (Problems)

R(S)A (K)ORC KRI Incident
(+Audit) (Mgt) (Mgt) Mgt Insu-
Designed, Tuning,
Near rance
Selected for Mandatory
misses CLD Mgt
efficiency Corrective
KRI actions
values Incidents Indemnities

Process
Breach

Agenda

Intro

ORM

→ The Totalitarian Dictatorship
of the

Was Nun?

3LoD quod non

Very, very basically

Surprise!


(Defense in Depth)

…?


Not to mention
1937 ..!


Result


The Illusion of Being In Control

Hey, Darryl again !)


(Intermission: Mandatory Reading)


Be my guest


You of course know better than the
Dakota


→


Agenda

Intro

ORM

of the

→ Was Nun?

Was nun ...? (I)


Was nun … ? (II)

In theory, nothing works, In practice, everything works,
and but no-one knows why.
Everyone knows why.

We have in our organisation a combination
of theory and practice.


Was Nun …? (III)

• Alternative approaches from the risk
perspective
→ Much better modeling
• Alternative approaches from a trust angle
(Qualitative approaches)
→ Yikes!
• Alternative approaches from the (info)sec field
→ Doing much better what needs to be done


Modeling
in
rk s
o
W re s
prog
=


Some pointers; what quant helps out?
• (F)actors
• ‘Threat’ factors, maybe or maybe not also being
• ‘Control’ factors, maybe or maybe not also being
• ‘Vulnerability’ factors
• Continuously (! in time) variable qua
• Chance
• Severity/size
• Impacts (mult.) on (variable #) other factors
• Feedback (var. #, impact, time lags) on other
factors


Which should lead to:

• All sorts of continuous functions,
continuously variable (time, parameters)
→
‘normal’ Markov chains don’t work
• Bootstrapping parameter estimations →
lots of data required
• Modeling the unk unk’s; good luck


Consumes a lot of time …
• Is all required data available?
• Are the models developed yet,
and tested for robustness …? (re parameter sensitivity ++)
• What if reality turns out to be uncontrollable ..?
(Koot&Bie, 1977)

• Ow well, we’ll just sit and wait …?

• And if we don’t get ‘it’ done:
“Inzicht, doorzicht en op tijd een banaan.”
Management ≡ Decision making with limited information!


In the mean time

• Do the right thing right
• Stress


Doing the right things right


That is complex enough in itself


The new world


And of course: Stress


(RNLAF 323sqn vlb Leeuwarden-Zuid)


We do that already, in infosec (?)

• Data- and system oriented CIA
Requirements, tests
• Defence in Depth:

( )
• Monitoring, pentesting, fallback testing, etc.


And for the risk managers in the room …


Bruce Schneier


Resultaat


Top-down and bottom-up

• And/or middle-out
• Don’t switch over but continuously all the way
• Re-think trust-/control-models
• Do The Right Thing
• Be certain there’ll be defectors

• Against diffusion of accountability,
• Watch Coase’s ceiling


High demands


Summing up
• Our (O)RM methods are wrong (not a bit)
• Enthousiastically down a blind alley
• False view on reality →
• Wrong risk management. And you know it!
• Totalitarian dictatorship of the perfected
bureaucracy doesn’t help against anything &
gives (also) false sense of In Control
• Are you part of that ..?
• Let’s ‘pre-emptively’ build some
methodology bottom-up

Solution: less, more


Yes, the methodology is Work In Progress,
hence …


That was all. Thank you.

Hope you enjoy(ed) the ride

Contact details

Jurgen van der Vlugt,
Maverisk Consultancy, IS Audit and Advisory services:

• Jvdvlugt åt maverisk døt nl
• LinkedIn, Twitter (etc.etc.)
• Tel +31-(0)6-206.648.23

• www.maverisk.nl

Motivate yourself! www.despair.com/viewall.html


(Even More Mandatory Reading)


The End, really.

Unintentionally left blank.
Really, this was not the plan. The plan called for
lots of stuff here. But noooo, it had to turn out blank. Darn.


ISSA ORM 2012 June 20 v0.3

Recommended

Recommended

More Related Content

Similar to ISSA ORM 2012 June 20 v0.3

Similar to ISSA ORM 2012 June 20 v0.3 (11)

More from Jurgen van der Vlugt

More from Jurgen van der Vlugt (13)

Recently uploaded

Recently uploaded (20)

ISSA ORM 2012 June 20 v0.3

Editor's Notes