SlideShare a Scribd company logo

Security Assurance

Download as DOCX, PDF
Roger Johnston
Roger Johnston

Security Assurance: A dangerous idea.

Government & Nonprofit
1 of 3
Journal of Physical Security 13(1), 2-4 (2020) 2 Viewpoint Paper Security Assurance* Roger G. Johnston, Ph.D., CPP http://rbsekurity.com If you lookfor truth, you may find comfortin the end; if you lookfor comfortyouwill get neither truth nor comfort…only softsoap and wishful thinking to begin, and in the end, despair. -- C.S. Lewis (1898-1963) Security Assurance is gaining confidence that our security has a good probability of handling the threats we face, and that we are not wasting money in doing so. I would argue that Security Assurance is something that often must be provided to stake- holders (including taxpayers) and the organization’s leadership, but should not be part of a security program or security strategy per se. Confidence in security is always over-confidence, if not arrogance and complacency. I don’t want security managers and others who provide security to be assured; I want them to be sweating bullets. That is simply the dismal nature of Security. The old adage has it right: “If you are happy with your security, so are the bad guys.” Security managers and security programs should seek to optimize their security through prudent Risk Management, but they should not seek dubious comfort from bogus confirmation that everything is swell. Do a good job with the Risk Management on a continuing basis, and you have done all you can do to have good security. Forget about the assurance part. Good Risk Management requires, among other things, data inputs from Vulnerability Assessments (which are often missing [1]); Threat Assessments; and Risk Assessments; along with information about the organization’s budget, resources, and appetite for risk; the assets needing protection; and the possible long- and short-term consequences of security failures. Good Risk Management also requires sound judgement, prescience, an ability to balance tradeoffs, prudent value judgements, objective and quantitative analysis, subjective and qualitative analysis, and the ability to leverage hunches and sound intuition. I personally believe it should also include something like Marginal Analysis [1]. ________ *This paper was not peer reviewed.
Journal of Physical Security 13(1), 2-4 (2020) 3 Now it must be said that the need to provide “assurance” to stakeholders and organizational leaders is largely unavoidable. This is, however, more about marketing/fund-raising, public relations, educating stakeholders about security issues, and making return-on-investment (ROI) arguments than it is about security per se. Certainly the stakeholders (being security amateurs) can be provided with a simplified discussion of the Risk Management that has been under- taken, and why certain decisions were made based on recognized threats, vulnerabilities, attack scenarios, and possible consequences of attacks. High-level executives can be warned about what happened to other organizations and their executives when the organizations were attacked and lacked adequate security measures. Two caveats here, however. Firstly, ROI—arguing that security expenditure returns value— has proven to be very ineffective. High-level corporate and government executives are often highly unimaginative, or else quite willing to live with substantial security risk for the few years they have left before retiring, being fired, or moving to a more prestigious position elsewhere. The odds are that the bad security incidents being envisioned won’t happen on their watch. Even if they do, there are plenty of scapegoats that can be named, including the CSO, CISO, and lower-level people. Better to increase corporate profitability, the executives may reason, at least from the standpoint of their personal interests and reputation. The second caveat is that scaring executives about bad consequences of potential security failures or actual failures that happened elsewhere can work, but crying wolf too many times undercuts its effectiveness. One thing that is crystal-clear about Security Assurance is that it must never be based on the results of Vulnerability Assessments (VAs). If it is, there will be enormous pressure (conscious and unconscious) to not find vulnerabilities in order to gain a false sense of security. This will result in both bad VAs and bad security. For similar reasons, security testing must never be used for Security Assurance. (Note that Security Testing is NOT the same thing as Vulnerability Assessments.[1]). We learn the most from Security Tests when we fail them, but if they are the source of confidence in our security, the tests will most likely no longer be made relevant or challenging. Moreover, we can’t really test what we have not envisioned—thus the need for imaginative, proactive VAs where we think like the bad guys. Testing also has other serious limitations such as the difficulty of making the tests realistic, and the fact that testing can look at only a small fraction of the possible vulnerabilities, attack scenarios, and countermeasures that an imaginative VA can uncover. In my view, Security Testing should mostly be for practice and to keep front-line security personnel entertained and engaged. Tests can help us somewhat understand our vulnerabilities, but they are not nearly as effective at this as a good Vulnerability Assessment.
Journal of Physical Security 13(1), 2-4 (2020) 4 In summary, I think we need to worry less about Security Assurance and do a better job with Risk Management, including doing more and better Vulnerability Assessments. We also need to avoid confusing VAs with other techniques that are not as good at uncovering vulnerabilities, attacks scenarios, and possible countermeasures. References 1. RG Johnston, Vulnerability Assessment: The Missing Manual for the Missing Link, https://www.amazon.com/dp/B08C9D73Z9

Recommended

Making the Business Case for Security Investment
Making the Business Case for Security InvestmentMaking the Business Case for Security Investment
Making the Business Case for Security InvestmentRoger Johnston
 
The Critical Incident Response Maturity Journey
The Critical Incident Response Maturity JourneyThe Critical Incident Response Maturity Journey
The Critical Incident Response Maturity JourneyEMC
 
Chief Information Security Officer - A Critical Leadership Role
Chief Information Security Officer - A Critical Leadership RoleChief Information Security Officer - A Critical Leadership Role
Chief Information Security Officer - A Critical Leadership RoleBrian Donovan
 
THE EFFECT OF INFORMATION TECHNOLOGY USING ENTERPRISE SECURITY RISK MANAGEMENT
THE EFFECT OF INFORMATION TECHNOLOGY USING ENTERPRISE SECURITY RISK MANAGEMENTTHE EFFECT OF INFORMATION TECHNOLOGY USING ENTERPRISE SECURITY RISK MANAGEMENT
THE EFFECT OF INFORMATION TECHNOLOGY USING ENTERPRISE SECURITY RISK MANAGEMENTIJNSA Journal
 
Adversarial Safety Analysis
Adversarial Safety AnalysisAdversarial Safety Analysis
Adversarial Safety AnalysisRoger Johnston
 
Int:rsect: CEO Address with Will Anderson
Int:rsect: CEO Address with Will AndersonInt:rsect: CEO Address with Will Anderson
Int:rsect: CEO Address with Will AndersonResolver Inc.
 
Emerging Need of a Chief Information Security Officer (CISO)
Emerging Need of a Chief Information Security Officer (CISO)Emerging Need of a Chief Information Security Officer (CISO)
Emerging Need of a Chief Information Security Officer (CISO)Maurice Dawson
 
New Risk Management Paradigm for Not-For-Profits
New Risk Management Paradigm for Not-For-ProfitsNew Risk Management Paradigm for Not-For-Profits
New Risk Management Paradigm for Not-For-ProfitsDavid X Martin
 

Recommended

Making the Business Case for Security Investment
Making the Business Case for Security InvestmentMaking the Business Case for Security Investment
Making the Business Case for Security InvestmentRoger Johnston
 
The Critical Incident Response Maturity Journey
The Critical Incident Response Maturity JourneyThe Critical Incident Response Maturity Journey
The Critical Incident Response Maturity JourneyEMC
 
Chief Information Security Officer - A Critical Leadership Role
Chief Information Security Officer - A Critical Leadership RoleChief Information Security Officer - A Critical Leadership Role
Chief Information Security Officer - A Critical Leadership RoleBrian Donovan
 
THE EFFECT OF INFORMATION TECHNOLOGY USING ENTERPRISE SECURITY RISK MANAGEMENT
THE EFFECT OF INFORMATION TECHNOLOGY USING ENTERPRISE SECURITY RISK MANAGEMENTTHE EFFECT OF INFORMATION TECHNOLOGY USING ENTERPRISE SECURITY RISK MANAGEMENT
THE EFFECT OF INFORMATION TECHNOLOGY USING ENTERPRISE SECURITY RISK MANAGEMENTIJNSA Journal
 
Adversarial Safety Analysis
Adversarial Safety AnalysisAdversarial Safety Analysis
Adversarial Safety AnalysisRoger Johnston
 
Int:rsect: CEO Address with Will Anderson
Int:rsect: CEO Address with Will AndersonInt:rsect: CEO Address with Will Anderson
Int:rsect: CEO Address with Will AndersonResolver Inc.
 
Emerging Need of a Chief Information Security Officer (CISO)
Emerging Need of a Chief Information Security Officer (CISO)Emerging Need of a Chief Information Security Officer (CISO)
Emerging Need of a Chief Information Security Officer (CISO)Maurice Dawson
 
New Risk Management Paradigm for Not-For-Profits
New Risk Management Paradigm for Not-For-ProfitsNew Risk Management Paradigm for Not-For-Profits
New Risk Management Paradigm for Not-For-ProfitsDavid X Martin
 
Compliance vs Security
Compliance vs SecurityCompliance vs Security
Compliance vs SecurityRoger Johnston
 
CROs must be part of the cybersecurity solution by david x martin
CROs must be part of the cybersecurity solution by david x martinCROs must be part of the cybersecurity solution by david x martin
CROs must be part of the cybersecurity solution by david x martinDavid X Martin
 
Sensible defence
Sensible defenceSensible defence
Sensible defenceKoen Maris
 
Risk Management Infographic
Risk Management InfographicRisk Management Infographic
Risk Management InfographicSAP Analytics
 
Insurance risk mgmnt
Insurance risk mgmntInsurance risk mgmnt
Insurance risk mgmntDr. Ravneet Kaur
 
Priming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive eraPriming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive eraLuke Farrell
 
Unconventional Security Metrics & Marginal Analysis
Unconventional Security Metrics & Marginal AnalysisUnconventional Security Metrics & Marginal Analysis
Unconventional Security Metrics & Marginal AnalysisRoger Johnston
 
Risk Management Methodology - Copy
Risk Management Methodology - CopyRisk Management Methodology - Copy
Risk Management Methodology - CopyRabah Odeh ITIL 5.0-OCP-CISA-PMP-OCP..etc
 
It risk assessment
It risk assessmentIt risk assessment
It risk assessmentHappiest Minds Technologies
 
Executive Travel, Keeping Your Employees Safe
Executive Travel, Keeping Your Employees SafeExecutive Travel, Keeping Your Employees Safe
Executive Travel, Keeping Your Employees SafeResolver Inc.
 
Planning a move from Perspective to CORE
Planning a move from Perspective to COREPlanning a move from Perspective to CORE
Planning a move from Perspective to COREResolver Inc.
 
Rcs webinar 1 2011_06_23
Rcs webinar 1 2011_06_23Rcs webinar 1 2011_06_23
Rcs webinar 1 2011_06_23Jeff Bodin
 
Creating an Enterprise-Wide Workplace Violence & Threat Assessment Team
Creating an Enterprise-Wide Workplace Violence & Threat Assessment TeamCreating an Enterprise-Wide Workplace Violence & Threat Assessment Team
Creating an Enterprise-Wide Workplace Violence & Threat Assessment TeamResolver Inc.
 
The Cio And Crisis Leadership, An Examination
The Cio And Crisis Leadership, An ExaminationThe Cio And Crisis Leadership, An Examination
The Cio And Crisis Leadership, An Examinationdbriner
 
Risk Budgeting & Manager Allocation
Risk Budgeting & Manager AllocationRisk Budgeting & Manager Allocation
Risk Budgeting & Manager Allocationgcjohnsen
 
CyberSecurity Automation
CyberSecurity AutomationCyberSecurity Automation
CyberSecurity AutomationSiemplify
 
Managing Reputation
Managing ReputationManaging Reputation
Managing ReputationAdrian Clements
 
Risk Equation
Risk EquationRisk Equation
Risk EquationAdesh Rampat
 
Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Samuel Loomis
 
Wisegate_GeekSpeak_LG
Wisegate_GeekSpeak_LGWisegate_GeekSpeak_LG
Wisegate_GeekSpeak_LGBrian T. O'Hara CISA, CISM, CRISC, CCSP, CISSP
 
Convergence of Security Risks
Convergence of Security RisksConvergence of Security Risks
Convergence of Security RisksEnterprise Security Risk Management
 
Vulnerability Assessment Myths
Vulnerability Assessment MythsVulnerability Assessment Myths
Vulnerability Assessment MythsRoger Johnston
 

More Related Content

What's hot

Compliance vs Security
Compliance vs SecurityCompliance vs Security
Compliance vs SecurityRoger Johnston
 
CROs must be part of the cybersecurity solution by david x martin
CROs must be part of the cybersecurity solution by david x martinCROs must be part of the cybersecurity solution by david x martin
CROs must be part of the cybersecurity solution by david x martinDavid X Martin
 
Sensible defence
Sensible defenceSensible defence
Sensible defenceKoen Maris
 
Risk Management Infographic
Risk Management InfographicRisk Management Infographic
Risk Management InfographicSAP Analytics
 
Priming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive eraPriming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive eraLuke Farrell
 
Unconventional Security Metrics & Marginal Analysis
Unconventional Security Metrics & Marginal AnalysisUnconventional Security Metrics & Marginal Analysis
Unconventional Security Metrics & Marginal AnalysisRoger Johnston
 
Executive Travel, Keeping Your Employees Safe
Executive Travel, Keeping Your Employees SafeExecutive Travel, Keeping Your Employees Safe
Executive Travel, Keeping Your Employees SafeResolver Inc.
 
Planning a move from Perspective to CORE
Planning a move from Perspective to COREPlanning a move from Perspective to CORE
Planning a move from Perspective to COREResolver Inc.
 
Rcs webinar 1 2011_06_23
Rcs webinar 1 2011_06_23Rcs webinar 1 2011_06_23
Rcs webinar 1 2011_06_23Jeff Bodin
 
Creating an Enterprise-Wide Workplace Violence & Threat Assessment Team
Creating an Enterprise-Wide Workplace Violence & Threat Assessment TeamCreating an Enterprise-Wide Workplace Violence & Threat Assessment Team
Creating an Enterprise-Wide Workplace Violence & Threat Assessment TeamResolver Inc.
 
The Cio And Crisis Leadership, An Examination
The Cio And Crisis Leadership, An ExaminationThe Cio And Crisis Leadership, An Examination
The Cio And Crisis Leadership, An Examinationdbriner
 
Risk Budgeting & Manager Allocation
Risk Budgeting & Manager AllocationRisk Budgeting & Manager Allocation
Risk Budgeting & Manager Allocationgcjohnsen
 
CyberSecurity Automation
CyberSecurity AutomationCyberSecurity Automation
CyberSecurity AutomationSiemplify
 
Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Samuel Loomis
 

What's hot (19)

Compliance vs Security
Compliance vs SecurityCompliance vs Security
Compliance vs Security
 
CROs must be part of the cybersecurity solution by david x martin
CROs must be part of the cybersecurity solution by david x martinCROs must be part of the cybersecurity solution by david x martin
CROs must be part of the cybersecurity solution by david x martin
 
Sensible defence
Sensible defenceSensible defence
Sensible defence
 
Risk Management Infographic
Risk Management InfographicRisk Management Infographic
Risk Management Infographic
 
Insurance risk mgmnt
Insurance risk mgmntInsurance risk mgmnt
Insurance risk mgmnt
 
Priming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive eraPriming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive era
 
Unconventional Security Metrics & Marginal Analysis
Unconventional Security Metrics & Marginal AnalysisUnconventional Security Metrics & Marginal Analysis
Unconventional Security Metrics & Marginal Analysis
 
Risk Management Methodology - Copy
Risk Management Methodology - CopyRisk Management Methodology - Copy
Risk Management Methodology - Copy
 
It risk assessment
It risk assessmentIt risk assessment
It risk assessment
 
Executive Travel, Keeping Your Employees Safe
Executive Travel, Keeping Your Employees SafeExecutive Travel, Keeping Your Employees Safe
Executive Travel, Keeping Your Employees Safe
 
Planning a move from Perspective to CORE
Planning a move from Perspective to COREPlanning a move from Perspective to CORE
Planning a move from Perspective to CORE
 
Rcs webinar 1 2011_06_23
Rcs webinar 1 2011_06_23Rcs webinar 1 2011_06_23
Rcs webinar 1 2011_06_23
 
Creating an Enterprise-Wide Workplace Violence & Threat Assessment Team
Creating an Enterprise-Wide Workplace Violence & Threat Assessment TeamCreating an Enterprise-Wide Workplace Violence & Threat Assessment Team
Creating an Enterprise-Wide Workplace Violence & Threat Assessment Team
 
The Cio And Crisis Leadership, An Examination
The Cio And Crisis Leadership, An ExaminationThe Cio And Crisis Leadership, An Examination
The Cio And Crisis Leadership, An Examination
 
Risk Budgeting & Manager Allocation
Risk Budgeting & Manager AllocationRisk Budgeting & Manager Allocation
Risk Budgeting & Manager Allocation
 
CyberSecurity Automation
CyberSecurity AutomationCyberSecurity Automation
CyberSecurity Automation
 
Managing Reputation
Managing ReputationManaging Reputation
Managing Reputation
 
Risk Equation
Risk EquationRisk Equation
Risk Equation
 
Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016
 

Similar to Security Assurance

Vulnerability Assessment Myths
Vulnerability Assessment MythsVulnerability Assessment Myths
Vulnerability Assessment MythsRoger Johnston
 
Insuring your future: Cybersecurity and the insurance industry
Insuring your future: Cybersecurity and the insurance industryInsuring your future: Cybersecurity and the insurance industry
Insuring your future: Cybersecurity and the insurance industryAccenture Insurance
 
THE UNITED STATES NAVAL WAR COLLEGE U.S. Navy.docx
THE UNITED STATES NAVAL WAR COLLEGE U.S. Navy.docxTHE UNITED STATES NAVAL WAR COLLEGE U.S. Navy.docx
THE UNITED STATES NAVAL WAR COLLEGE U.S. Navy.docxarnoldmeredith47041
 
answer original forum with a minimum of 500 words and respond to bot.docx
answer original forum with a minimum of 500 words and respond to bot.docxanswer original forum with a minimum of 500 words and respond to bot.docx
answer original forum with a minimum of 500 words and respond to bot.docxYASHU40
 
ERM -01- Introduction 06-10-2022.pptx
ERM -01- Introduction 06-10-2022.pptxERM -01- Introduction 06-10-2022.pptx
ERM -01- Introduction 06-10-2022.pptxManiPSamRCBS
 
Trust by Design: Rethinking Technology Risk
Trust by Design: Rethinking Technology RiskTrust by Design: Rethinking Technology Risk
Trust by Design: Rethinking Technology RiskSwatantra Kumar
 
The Storms A Coming Risk Management
The Storms A Coming Risk ManagementThe Storms A Coming Risk Management
The Storms A Coming Risk Managementtravismcmurray
 
TRUST: DIFFERENT VIEWS, ONE GOAL
TRUST: DIFFERENT VIEWS, ONE GOALTRUST: DIFFERENT VIEWS, ONE GOAL
TRUST: DIFFERENT VIEWS, ONE GOALijsptm
 
PECB Webinar: Aligning ISO 31000 and Management of Risk Methodology
PECB Webinar: Aligning ISO 31000 and Management of Risk MethodologyPECB Webinar: Aligning ISO 31000 and Management of Risk Methodology
PECB Webinar: Aligning ISO 31000 and Management of Risk MethodologyPECB
 
cybersecurity-series-2019-threat-hunting.pdf
cybersecurity-series-2019-threat-hunting.pdfcybersecurity-series-2019-threat-hunting.pdf
cybersecurity-series-2019-threat-hunting.pdfCecilSu
 
Basic Security Concepts JMSupan 2019 Edition
Basic Security Concepts JMSupan 2019 EditionBasic Security Concepts JMSupan 2019 Edition
Basic Security Concepts JMSupan 2019 EditionJOEL JESUS SUPAN
 
Improving Healthcare Risk Assessments to Maximize Security Budgets
Improving Healthcare Risk Assessments to Maximize Security BudgetsImproving Healthcare Risk Assessments to Maximize Security Budgets
Improving Healthcare Risk Assessments to Maximize Security BudgetsMatthew Rosenquist
 
Uncertainty short
Uncertainty shortUncertainty short
Uncertainty shortMo Aiken
 
Design Reviews Versus Vulnerability Assessments for Physical Security
Design Reviews Versus Vulnerability Assessments for Physical SecurityDesign Reviews Versus Vulnerability Assessments for Physical Security
Design Reviews Versus Vulnerability Assessments for Physical SecurityRoger Johnston
 
Carrot or stick? - How culture shapes organizational safety
Carrot or stick? - How culture shapes organizational safetyCarrot or stick? - How culture shapes organizational safety
Carrot or stick? - How culture shapes organizational safetyAnthony Raja Devadoss
 
4A Prevention SystemOverviewDefining the Overall Se.docx
4A Prevention SystemOverviewDefining the Overall Se.docx4A Prevention SystemOverviewDefining the Overall Se.docx
4A Prevention SystemOverviewDefining the Overall Se.docxgilbertkpeters11344
 
speaking-to-board-securiity-whitepaper
speaking-to-board-securiity-whitepaperspeaking-to-board-securiity-whitepaper
speaking-to-board-securiity-whitepaperBilha Diaz
 

Similar to Security Assurance (20)

Wisegate_GeekSpeak_LG
Wisegate_GeekSpeak_LGWisegate_GeekSpeak_LG
Wisegate_GeekSpeak_LG
 
Convergence of Security Risks
Convergence of Security RisksConvergence of Security Risks
Convergence of Security Risks
 
Vulnerability Assessment Myths
Vulnerability Assessment MythsVulnerability Assessment Myths
Vulnerability Assessment Myths
 
Insuring your future: Cybersecurity and the insurance industry
Insuring your future: Cybersecurity and the insurance industryInsuring your future: Cybersecurity and the insurance industry
Insuring your future: Cybersecurity and the insurance industry
 
THE UNITED STATES NAVAL WAR COLLEGE U.S. Navy.docx
THE UNITED STATES NAVAL WAR COLLEGE U.S. Navy.docxTHE UNITED STATES NAVAL WAR COLLEGE U.S. Navy.docx
THE UNITED STATES NAVAL WAR COLLEGE U.S. Navy.docx
 
answer original forum with a minimum of 500 words and respond to bot.docx
answer original forum with a minimum of 500 words and respond to bot.docxanswer original forum with a minimum of 500 words and respond to bot.docx
answer original forum with a minimum of 500 words and respond to bot.docx
 
ERM -01- Introduction 06-10-2022.pptx
ERM -01- Introduction 06-10-2022.pptxERM -01- Introduction 06-10-2022.pptx
ERM -01- Introduction 06-10-2022.pptx
 
Trust by Design: Rethinking Technology Risk
Trust by Design: Rethinking Technology RiskTrust by Design: Rethinking Technology Risk
Trust by Design: Rethinking Technology Risk
 
The Storms A Coming Risk Management
The Storms A Coming Risk ManagementThe Storms A Coming Risk Management
The Storms A Coming Risk Management
 
TRUST: DIFFERENT VIEWS, ONE GOAL
TRUST: DIFFERENT VIEWS, ONE GOALTRUST: DIFFERENT VIEWS, ONE GOAL
TRUST: DIFFERENT VIEWS, ONE GOAL
 
PECB Webinar: Aligning ISO 31000 and Management of Risk Methodology
PECB Webinar: Aligning ISO 31000 and Management of Risk MethodologyPECB Webinar: Aligning ISO 31000 and Management of Risk Methodology
PECB Webinar: Aligning ISO 31000 and Management of Risk Methodology
 
cybersecurity-series-2019-threat-hunting.pdf
cybersecurity-series-2019-threat-hunting.pdfcybersecurity-series-2019-threat-hunting.pdf
cybersecurity-series-2019-threat-hunting.pdf
 
Basic Security Concepts JMSupan 2019 Edition
Basic Security Concepts JMSupan 2019 EditionBasic Security Concepts JMSupan 2019 Edition
Basic Security Concepts JMSupan 2019 Edition
 
Improving Healthcare Risk Assessments to Maximize Security Budgets
Improving Healthcare Risk Assessments to Maximize Security BudgetsImproving Healthcare Risk Assessments to Maximize Security Budgets
Improving Healthcare Risk Assessments to Maximize Security Budgets
 
Security risk
Security riskSecurity risk
Security risk
 
Uncertainty short
Uncertainty shortUncertainty short
Uncertainty short
 
Design Reviews Versus Vulnerability Assessments for Physical Security
Design Reviews Versus Vulnerability Assessments for Physical SecurityDesign Reviews Versus Vulnerability Assessments for Physical Security
Design Reviews Versus Vulnerability Assessments for Physical Security
 
Carrot or stick? - How culture shapes organizational safety
Carrot or stick? - How culture shapes organizational safetyCarrot or stick? - How culture shapes organizational safety
Carrot or stick? - How culture shapes organizational safety
 
4A Prevention SystemOverviewDefining the Overall Se.docx
4A Prevention SystemOverviewDefining the Overall Se.docx4A Prevention SystemOverviewDefining the Overall Se.docx
4A Prevention SystemOverviewDefining the Overall Se.docx
 
speaking-to-board-securiity-whitepaper
speaking-to-board-securiity-whitepaperspeaking-to-board-securiity-whitepaper
speaking-to-board-securiity-whitepaper
 

More from Roger Johnston

In Risu Veritas: Humor & Security
In Risu Veritas: Humor & SecurityIn Risu Veritas: Humor & Security
In Risu Veritas: Humor & SecurityRoger Johnston
 
Journal of Physical Security 15(1)
Journal of Physical Security 15(1)Journal of Physical Security 15(1)
Journal of Physical Security 15(1)Roger Johnston
 
Camera Obscura and Security/Privacy
Camera Obscura and Security/PrivacyCamera Obscura and Security/Privacy
Camera Obscura and Security/PrivacyRoger Johnston
 
Vulnerability Assessment: The Missing Manual for the Missing Link
Vulnerability Assessment: The Missing Manual for the Missing Link Vulnerability Assessment: The Missing Manual for the Missing Link
Vulnerability Assessment: The Missing Manual for the Missing Link Roger Johnston
 
Journal of Physical Security 14(1)
Journal of Physical Security 14(1)Journal of Physical Security 14(1)
Journal of Physical Security 14(1)Roger Johnston
 
Journal of Physical Security 13(1)
Journal of Physical Security 13(1)Journal of Physical Security 13(1)
Journal of Physical Security 13(1)Roger Johnston
 
Election Security 2020
Election Security 2020Election Security 2020
Election Security 2020Roger Johnston
 
A New Approach to Vulnerability Assessment
A New Approach to Vulnerability AssessmentA New Approach to Vulnerability Assessment
A New Approach to Vulnerability AssessmentRoger Johnston
 
Understanding Vulnerability Assessments
Understanding Vulnerability AssessmentsUnderstanding Vulnerability Assessments
Understanding Vulnerability AssessmentsRoger Johnston
 
Devil's Dictionary of Security Terms
Devil's Dictionary of Security Terms Devil's Dictionary of Security Terms
Devil's Dictionary of Security Terms Roger Johnston
 
Vulnerability Assessments
Vulnerability Assessments Vulnerability Assessments
Vulnerability Assessments Roger Johnston
 
Journal of Physical Security 12(3)
Journal of Physical Security 12(3)Journal of Physical Security 12(3)
Journal of Physical Security 12(3)Roger Johnston
 
Journal of Physical Security 12(2)
Journal of Physical Security 12(2)Journal of Physical Security 12(2)
Journal of Physical Security 12(2)Roger Johnston
 
Unconventional Security Devices
Unconventional Security DevicesUnconventional Security Devices
Unconventional Security DevicesRoger Johnston
 
Journal of Physical Security 11(1)
Journal of Physical Security 11(1)Journal of Physical Security 11(1)
Journal of Physical Security 11(1)Roger Johnston
 
Journal of Physical Security 10(1)
Journal of Physical Security 10(1)Journal of Physical Security 10(1)
Journal of Physical Security 10(1)Roger Johnston
 
How to Remove Voter's Ink
How to Remove Voter's Ink How to Remove Voter's Ink
How to Remove Voter's Ink Roger Johnston
 
Common Security Reasoning Errors
Common Security Reasoning ErrorsCommon Security Reasoning Errors
Common Security Reasoning ErrorsRoger Johnston
 

More from Roger Johnston (20)

In Risu Veritas: Humor & Security
In Risu Veritas: Humor & SecurityIn Risu Veritas: Humor & Security
In Risu Veritas: Humor & Security
 
Journal of Physical Security 15(1)
Journal of Physical Security 15(1)Journal of Physical Security 15(1)
Journal of Physical Security 15(1)
 
Security Audits.pdf
Security Audits.pdfSecurity Audits.pdf
Security Audits.pdf
 
Camera Obscura and Security/Privacy
Camera Obscura and Security/PrivacyCamera Obscura and Security/Privacy
Camera Obscura and Security/Privacy
 
Vulnerability Assessment: The Missing Manual for the Missing Link
Vulnerability Assessment: The Missing Manual for the Missing Link Vulnerability Assessment: The Missing Manual for the Missing Link
Vulnerability Assessment: The Missing Manual for the Missing Link
 
Journal of Physical Security 14(1)
Journal of Physical Security 14(1)Journal of Physical Security 14(1)
Journal of Physical Security 14(1)
 
Want seals with that?
Want seals with that?Want seals with that?
Want seals with that?
 
Journal of Physical Security 13(1)
Journal of Physical Security 13(1)Journal of Physical Security 13(1)
Journal of Physical Security 13(1)
 
Election Security 2020
Election Security 2020Election Security 2020
Election Security 2020
 
A New Approach to Vulnerability Assessment
A New Approach to Vulnerability AssessmentA New Approach to Vulnerability Assessment
A New Approach to Vulnerability Assessment
 
Understanding Vulnerability Assessments
Understanding Vulnerability AssessmentsUnderstanding Vulnerability Assessments
Understanding Vulnerability Assessments
 
Devil's Dictionary of Security Terms
Devil's Dictionary of Security Terms Devil's Dictionary of Security Terms
Devil's Dictionary of Security Terms
 
Vulnerability Assessments
Vulnerability Assessments Vulnerability Assessments
Vulnerability Assessments
 
Journal of Physical Security 12(3)
Journal of Physical Security 12(3)Journal of Physical Security 12(3)
Journal of Physical Security 12(3)
 
Journal of Physical Security 12(2)
Journal of Physical Security 12(2)Journal of Physical Security 12(2)
Journal of Physical Security 12(2)
 
Unconventional Security Devices
Unconventional Security DevicesUnconventional Security Devices
Unconventional Security Devices
 
Journal of Physical Security 11(1)
Journal of Physical Security 11(1)Journal of Physical Security 11(1)
Journal of Physical Security 11(1)
 
Journal of Physical Security 10(1)
Journal of Physical Security 10(1)Journal of Physical Security 10(1)
Journal of Physical Security 10(1)
 
How to Remove Voter's Ink
How to Remove Voter's Ink How to Remove Voter's Ink
How to Remove Voter's Ink
 
Common Security Reasoning Errors
Common Security Reasoning ErrorsCommon Security Reasoning Errors
Common Security Reasoning Errors
 

Recently uploaded

Greater Noida Call Girls 9711199012 WhatsApp No 24x7 Vip Escorts in Greater N...
Greater Noida Call Girls 9711199012 WhatsApp No 24x7 Vip Escorts in Greater N...Greater Noida Call Girls 9711199012 WhatsApp No 24x7 Vip Escorts in Greater N...
Greater Noida Call Girls 9711199012 WhatsApp No 24x7 Vip Escorts in Greater N...ankitnayak356677
 
2024: The FAR, Federal Acquisition Regulations - Part 27
2024: The FAR, Federal Acquisition Regulations - Part 272024: The FAR, Federal Acquisition Regulations - Part 27
2024: The FAR, Federal Acquisition Regulations - Part 27JSchaus & Associates
 
VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...
VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...
VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...Suhani Kapoor
 
##9711199012 Call Girls Delhi Rs-5000 UpTo 10 K Hauz Khas Whats Up Number
##9711199012 Call Girls Delhi Rs-5000 UpTo 10 K Hauz Khas Whats Up Number##9711199012 Call Girls Delhi Rs-5000 UpTo 10 K Hauz Khas Whats Up Number
##9711199012 Call Girls Delhi Rs-5000 UpTo 10 K Hauz Khas Whats Up NumberMs Riya
 
13875446-Ballistic Missile Trajectories.ppt
13875446-Ballistic Missile Trajectories.ppt13875446-Ballistic Missile Trajectories.ppt
13875446-Ballistic Missile Trajectories.pptsilvialandin2
 
Precarious profits? Why firms use insecure contracts, and what would change t...
Precarious profits? Why firms use insecure contracts, and what would change t...Precarious profits? Why firms use insecure contracts, and what would change t...
Precarious profits? Why firms use insecure contracts, and what would change t...ResolutionFoundation
 
Powering Britain: Can we decarbonise electricity without disadvantaging poore...
Powering Britain: Can we decarbonise electricity without disadvantaging poore...Powering Britain: Can we decarbonise electricity without disadvantaging poore...
Powering Britain: Can we decarbonise electricity without disadvantaging poore...ResolutionFoundation
 
VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...
VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...
VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...Suhani Kapoor
 
Jewish Efforts to Influence American Immigration Policy in the Years Before t...
Jewish Efforts to Influence American Immigration Policy in the Years Before t...Jewish Efforts to Influence American Immigration Policy in the Years Before t...
Jewish Efforts to Influence American Immigration Policy in the Years Before t...yalehistoricalreview
 
No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...
No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...
No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...narwatsonia7
 
DNV publication: China Energy Transition Outlook 2024
DNV publication: China Energy Transition Outlook 2024DNV publication: China Energy Transition Outlook 2024
DNV publication: China Energy Transition Outlook 2024Energy for One World
 
Vip Vaishali Escorts Service Call -> 9999965857 Available 24x7 ^ Call Girls G...
Vip Vaishali Escorts Service Call -> 9999965857 Available 24x7 ^ Call Girls G...Vip Vaishali Escorts Service Call -> 9999965857 Available 24x7 ^ Call Girls G...
Vip Vaishali Escorts Service Call -> 9999965857 Available 24x7 ^ Call Girls G...ankitnayak356677
 
Call Girls Service Race Course Road Just Call 7001305949 Enjoy College Girls ...
Call Girls Service Race Course Road Just Call 7001305949 Enjoy College Girls ...Call Girls Service Race Course Road Just Call 7001305949 Enjoy College Girls ...
Call Girls Service Race Course Road Just Call 7001305949 Enjoy College Girls ...narwatsonia7
 
Action Toolkit - Earth Day 2024 - April 22nd.
Action Toolkit - Earth Day 2024 - April 22nd.Action Toolkit - Earth Day 2024 - April 22nd.
Action Toolkit - Earth Day 2024 - April 22nd.Christina Parmionova
 
Call Girls Bangalore Saanvi 7001305949 Independent Escort Service Bangalore
Call Girls Bangalore Saanvi 7001305949 Independent Escort Service BangaloreCall Girls Bangalore Saanvi 7001305949 Independent Escort Service Bangalore
Call Girls Bangalore Saanvi 7001305949 Independent Escort Service Bangalorenarwatsonia7
 
High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...
High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...
High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...narwatsonia7
 
YHR Fall 2023 Issue (Joseph Manning Interview) (2).pdf
YHR Fall 2023 Issue (Joseph Manning Interview) (2).pdfYHR Fall 2023 Issue (Joseph Manning Interview) (2).pdf
YHR Fall 2023 Issue (Joseph Manning Interview) (2).pdfyalehistoricalreview
 

Recently uploaded (20)

Greater Noida Call Girls 9711199012 WhatsApp No 24x7 Vip Escorts in Greater N...
Greater Noida Call Girls 9711199012 WhatsApp No 24x7 Vip Escorts in Greater N...Greater Noida Call Girls 9711199012 WhatsApp No 24x7 Vip Escorts in Greater N...
Greater Noida Call Girls 9711199012 WhatsApp No 24x7 Vip Escorts in Greater N...
 
2024: The FAR, Federal Acquisition Regulations - Part 27
2024: The FAR, Federal Acquisition Regulations - Part 272024: The FAR, Federal Acquisition Regulations - Part 27
2024: The FAR, Federal Acquisition Regulations - Part 27
 
VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...
VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...
VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...
 
##9711199012 Call Girls Delhi Rs-5000 UpTo 10 K Hauz Khas Whats Up Number
##9711199012 Call Girls Delhi Rs-5000 UpTo 10 K Hauz Khas Whats Up Number##9711199012 Call Girls Delhi Rs-5000 UpTo 10 K Hauz Khas Whats Up Number
##9711199012 Call Girls Delhi Rs-5000 UpTo 10 K Hauz Khas Whats Up Number
 
13875446-Ballistic Missile Trajectories.ppt
13875446-Ballistic Missile Trajectories.ppt13875446-Ballistic Missile Trajectories.ppt
13875446-Ballistic Missile Trajectories.ppt
 
Precarious profits? Why firms use insecure contracts, and what would change t...
Precarious profits? Why firms use insecure contracts, and what would change t...Precarious profits? Why firms use insecure contracts, and what would change t...
Precarious profits? Why firms use insecure contracts, and what would change t...
 
Powering Britain: Can we decarbonise electricity without disadvantaging poore...
Powering Britain: Can we decarbonise electricity without disadvantaging poore...Powering Britain: Can we decarbonise electricity without disadvantaging poore...
Powering Britain: Can we decarbonise electricity without disadvantaging poore...
 
Model Town (Delhi) 9953330565 Escorts, Call Girls Services
Model Town (Delhi) 9953330565 Escorts, Call Girls ServicesModel Town (Delhi) 9953330565 Escorts, Call Girls Services
Model Town (Delhi) 9953330565 Escorts, Call Girls Services
 
VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...
VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...
VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...
 
Jewish Efforts to Influence American Immigration Policy in the Years Before t...
Jewish Efforts to Influence American Immigration Policy in the Years Before t...Jewish Efforts to Influence American Immigration Policy in the Years Before t...
Jewish Efforts to Influence American Immigration Policy in the Years Before t...
 
No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...
No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...
No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...
 
DNV publication: China Energy Transition Outlook 2024
DNV publication: China Energy Transition Outlook 2024DNV publication: China Energy Transition Outlook 2024
DNV publication: China Energy Transition Outlook 2024
 
Vip Vaishali Escorts Service Call -> 9999965857 Available 24x7 ^ Call Girls G...
Vip Vaishali Escorts Service Call -> 9999965857 Available 24x7 ^ Call Girls G...Vip Vaishali Escorts Service Call -> 9999965857 Available 24x7 ^ Call Girls G...
Vip Vaishali Escorts Service Call -> 9999965857 Available 24x7 ^ Call Girls G...
 
Call Girls In Rohini ꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCe
Call Girls In Rohini ꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCeCall Girls In Rohini ꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCe
Call Girls In Rohini ꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCe
 
9953330565 Low Rate Call Girls In Adarsh Nagar Delhi NCR
9953330565 Low Rate Call Girls In Adarsh Nagar Delhi NCR9953330565 Low Rate Call Girls In Adarsh Nagar Delhi NCR
9953330565 Low Rate Call Girls In Adarsh Nagar Delhi NCR
 
Call Girls Service Race Course Road Just Call 7001305949 Enjoy College Girls ...
Call Girls Service Race Course Road Just Call 7001305949 Enjoy College Girls ...Call Girls Service Race Course Road Just Call 7001305949 Enjoy College Girls ...
Call Girls Service Race Course Road Just Call 7001305949 Enjoy College Girls ...
 
Action Toolkit - Earth Day 2024 - April 22nd.
Action Toolkit - Earth Day 2024 - April 22nd.Action Toolkit - Earth Day 2024 - April 22nd.
Action Toolkit - Earth Day 2024 - April 22nd.
 
Call Girls Bangalore Saanvi 7001305949 Independent Escort Service Bangalore
Call Girls Bangalore Saanvi 7001305949 Independent Escort Service BangaloreCall Girls Bangalore Saanvi 7001305949 Independent Escort Service Bangalore
Call Girls Bangalore Saanvi 7001305949 Independent Escort Service Bangalore
 
High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...
High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...
High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...
 
YHR Fall 2023 Issue (Joseph Manning Interview) (2).pdf
YHR Fall 2023 Issue (Joseph Manning Interview) (2).pdfYHR Fall 2023 Issue (Joseph Manning Interview) (2).pdf
YHR Fall 2023 Issue (Joseph Manning Interview) (2).pdf
 

Security Assurance

  • 1. Journal of Physical Security 13(1), 2-4 (2020) 2 Viewpoint Paper Security Assurance* Roger G. Johnston, Ph.D., CPP http://rbsekurity.com If you lookfor truth, you may find comfortin the end; if you lookfor comfortyouwill get neither truth nor comfort…only softsoap and wishful thinking to begin, and in the end, despair. -- C.S. Lewis (1898-1963) Security Assurance is gaining confidence that our security has a good probability of handling the threats we face, and that we are not wasting money in doing so. I would argue that Security Assurance is something that often must be provided to stake- holders (including taxpayers) and the organization’s leadership, but should not be part of a security program or security strategy per se. Confidence in security is always over-confidence, if not arrogance and complacency. I don’t want security managers and others who provide security to be assured; I want them to be sweating bullets. That is simply the dismal nature of Security. The old adage has it right: “If you are happy with your security, so are the bad guys.” Security managers and security programs should seek to optimize their security through prudent Risk Management, but they should not seek dubious comfort from bogus confirmation that everything is swell. Do a good job with the Risk Management on a continuing basis, and you have done all you can do to have good security. Forget about the assurance part. Good Risk Management requires, among other things, data inputs from Vulnerability Assessments (which are often missing [1]); Threat Assessments; and Risk Assessments; along with information about the organization’s budget, resources, and appetite for risk; the assets needing protection; and the possible long- and short-term consequences of security failures. Good Risk Management also requires sound judgement, prescience, an ability to balance tradeoffs, prudent value judgements, objective and quantitative analysis, subjective and qualitative analysis, and the ability to leverage hunches and sound intuition. I personally believe it should also include something like Marginal Analysis [1]. ________ *This paper was not peer reviewed.
  • 2. Journal of Physical Security 13(1), 2-4 (2020) 3 Now it must be said that the need to provide “assurance” to stakeholders and organizational leaders is largely unavoidable. This is, however, more about marketing/fund-raising, public relations, educating stakeholders about security issues, and making return-on-investment (ROI) arguments than it is about security per se. Certainly the stakeholders (being security amateurs) can be provided with a simplified discussion of the Risk Management that has been under- taken, and why certain decisions were made based on recognized threats, vulnerabilities, attack scenarios, and possible consequences of attacks. High-level executives can be warned about what happened to other organizations and their executives when the organizations were attacked and lacked adequate security measures. Two caveats here, however. Firstly, ROI—arguing that security expenditure returns value— has proven to be very ineffective. High-level corporate and government executives are often highly unimaginative, or else quite willing to live with substantial security risk for the few years they have left before retiring, being fired, or moving to a more prestigious position elsewhere. The odds are that the bad security incidents being envisioned won’t happen on their watch. Even if they do, there are plenty of scapegoats that can be named, including the CSO, CISO, and lower-level people. Better to increase corporate profitability, the executives may reason, at least from the standpoint of their personal interests and reputation. The second caveat is that scaring executives about bad consequences of potential security failures or actual failures that happened elsewhere can work, but crying wolf too many times undercuts its effectiveness. One thing that is crystal-clear about Security Assurance is that it must never be based on the results of Vulnerability Assessments (VAs). If it is, there will be enormous pressure (conscious and unconscious) to not find vulnerabilities in order to gain a false sense of security. This will result in both bad VAs and bad security. For similar reasons, security testing must never be used for Security Assurance. (Note that Security Testing is NOT the same thing as Vulnerability Assessments.[1]). We learn the most from Security Tests when we fail them, but if they are the source of confidence in our security, the tests will most likely no longer be made relevant or challenging. Moreover, we can’t really test what we have not envisioned—thus the need for imaginative, proactive VAs where we think like the bad guys. Testing also has other serious limitations such as the difficulty of making the tests realistic, and the fact that testing can look at only a small fraction of the possible vulnerabilities, attack scenarios, and countermeasures that an imaginative VA can uncover. In my view, Security Testing should mostly be for practice and to keep front-line security personnel entertained and engaged. Tests can help us somewhat understand our vulnerabilities, but they are not nearly as effective at this as a good Vulnerability Assessment.
  • 3. Journal of Physical Security 13(1), 2-4 (2020) 4 In summary, I think we need to worry less about Security Assurance and do a better job with Risk Management, including doing more and better Vulnerability Assessments. We also need to avoid confusing VAs with other techniques that are not as good at uncovering vulnerabilities, attacks scenarios, and possible countermeasures. References 1. RG Johnston, Vulnerability Assessment: The Missing Manual for the Missing Link, https://www.amazon.com/dp/B08C9D73Z9