Yours Anecdotally: Developing a Cybersecurity Problem Space
Jack Whitsitt, EnergySec Senior Strategist
@sintixerr | sintixerr@gmail.com
“Progress in economics consists almost entirely in a progressive improvement in the choice of models…. [It] is a science of thinking in terms of models joined to the art of choosing models which are relevant to the contemporary world… [and] it is essentially a moral science and not a natural science… That is to say, it employs introspection and judgments of value.”
– J. M. Keynes to Harrod, 4 July 1938 (Sorta)
• Artist
• Hacker Compound
• Open Source (Honeypots)
• Managed Commercial Security
• FBI SOC
• Enterprise Security Architect
• National Control Systems Incident Response
• Gov: Public/Private Partnership as the Transportation SSA
• Non-Profit Community Building
• International Policy Discussions
…and Civilization Escape Artist
We’re Losing, We’re Repeating Ourselves with Increasing Specialization, We Have No Strategy
We must learn to Fail, Iterate, and Evolve (better?) or Admit We’re Insane
We have been focusing on improving information security and risk management practices to reduce cybersecurity risk.

This focus has improved information security practices, but without meaningfully or sustainably reducing cybersecurity risk.

This has come at the cost of the resources we will require to displace the dangerously entrenched behavior and misaligned markets created as an outcome of this focus.

Our focus on information security solution spaces prevents us from making necessary transformative (as opposed to incremental) improvements because:

Information Security might, presently, be largely tangential and non-causal with regard to long term cybersecurity success: its practices and solution spaces do not control or speak to enough of the exposure environment to create sustained, strategic improvements in position.

We need to take a wider view.
(Warning: the view may contradict itself, and this will be a linear presentation of a non-linear topic.)
• Island Internet
• Isolated Security Events
• Techies without funding or buy-in develop practices
• Automated Worms Disrupt Business
• Market need identified and met by selling practices
• Connected Important Stuff
• Merging Realities, Conflict and All
• Entrenched Models and Practices failing to solve for New Reality and New Scope
We started out specialized and then specialized further despite context and problem space expansion, and we’ve failed to improve and update models or develop appropriate, specific objectives accounting for our environment.*

Now we’re missing important fundamentals in scope, metaphor, language, and strategies, and are battling existing investment to fix them.

(*or, at least, we’ve failed to create effective socialization mechanisms for them)
• Help overcome the flawed strategies we’ve imposed on ourselves by artificially limiting the scope of cybersecurity to InfoSec
• Suggest areas of research and data gathering that are either lacking or should be made more accessible to the markets, industries, and individuals driving risk management change.
• Some Famous President Or General (I think):
  • “There is no seemingly intractable problem I’ve faced whose solution didn’t present itself with an increase of scope”-ish
• Famous Penetration Testers:
  • The companies that eventually keep us from achieving our objectives are the ones that narrowed the scope of their objectives and funded them
• Start wide, then focus:
  • Where are we?
  • What are we, really?
  • How do we get OUT of here?
• The world already has a lot of cybersecurity “solutions” and “products”
• The average information security budget according to PricewaterhouseCoopers is a staggering $4.1 million
• According to Gartner, the worldwide Information Security market is valued at more than $70 billion.
And, yet…
• The list to your right contains many, but not all, major Fortune 500 breaches since 2011
• These are not companies that cannot afford cybersecurity
• Most organizations are notified by external parties (“Cyber Healthcare Professionals” re yesterday’s post-lunch talk) 100’s of days after breach
• Cybersecurity is a hard problem that clearly, by any public metric available, remains unsolved in any sustainable way
97% of networks have been breached (FireEye)
• Of Solutions
  • At the Wrong Level
  • Without being Able to Articulate the Problem
• NIST CSF
• Common Practices
  • List of things that aren’t sufficient
• Cybersec EU, Poland, 2015
  • Talking Information Sharing at Highest International levels
  • Conducting, not winning conflict
• Same solution spaces provided over and over again
  • Specificity intersecting with applicability and repeatability extraordinarily difficult
• This has to stop
We do not have a consensus definition of “Cybersecurity”
• Neither the problem space nor the discipline
• We can’t even decide if there is a <space> between Cyber and Security
• Ask any 5 experts, get 5+ answers
Speaking of experts…
• System Administrators
• Malware Analysts
• Incident Responders
• Lawyers
• CISOs
• Procurement Officials
• Chairmen of the Senate Whatever Committee
• Heads of the NSA
• Senior Sales Engineers for Security Companies
• Hackers
• Children
• CEO/Executive Board Members
• Criminals/Terrorists
• Journalists
• Developers
• Activists
• Evolutionary Ecology PhD’s
• Diplomats
• Control Systems Engineers
• Regulators and Auditors
• Emergency Managers
• Citizens
• Operations Staff
• Firewall Engineers
Cybersecurity is a huge domain that spans entire cultures, industries, and nations while remaining highly individualized.

As a discipline, it is an amalgamation of existing disciplines as disparate as business management, computer science, political science, and even art.

This means we have to always be cognizant of context.
http://www.tripwire.com/state-of-security/latest-security-news/vast-majority-maintaining-increasing-cyber-security-spending/
(Source: http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=24d3c229-4f2f-405d-b8db-a3a67f183883 via Lockheed Martin)
Source: https://isc.sans.edu/diaryimages/a207889185ca6b4ccbf43d94e017a663
Prosecute & Convict? Defend? Listen? Convince?
• Cybersecurity MUST be Lensed
  • Because it is a human problem
  • And Human Problems are Communication Problems
  • Lenses can provide the human-specific focus required for communication
• Communication lenses are composed of:*
  • Domain: Broad Problem Space Definition
  • Perspectives: Who is Involved?
  • Contexts: Which problem piece is in front of us?
  • Discipline Areas: What tools are available?
*These are my definitions only
Cybersecurity: The application of several disciplines to enabling an environment in which specific non-ICT based objectives are sustainably achievable with the aid of Information Security, Control Systems Security, and Other Related Security Practices in the face of continuous risk resulting from the use of cyber systems.

Secure system: One that does no more or less than we want it to for the amount of effort and resources we’re willing to invest in it.

Those definitions still don’t describe a problem to be solved; they describe solution sets and objectives.
This is a Domain we can ask specific questions of and turn into lenses…

If InfoSec is an error handler for the overall cybersecurity risk environment, then we’ve let the main system go at the expense of the error handler.

For the Error Handler to be the source of stability, it would have to have all or most main system knowledge.

So what does the problem space really look like OUTSIDE of InfoSec? Outside of the Error Handler?

Managing the following extra-InfoSec domains is a precondition to, or a part of, effective information risk management:
1. Global
2. Body Political
3. Organizational
4. Individual
• Technical … This might be a business problem pertaining to complexity?
(In Order. List Likely Not Complete. Threat Exclusion Intentional.)
• Offense/Defense
  • Individuals and Businesses are NOT defenders
  • Asking them to participate in global conflict is, in a word, silly
  • They do not, and will not, have competence or capacity over time
  • 18,500 US Firms with over 500 employees!
• Parasite Management
  • Maintain value Control despite competition for shared, not owned, infrastructure
  • Sustained Resilience: Continuity of Operations, DR
• Exposure Management vs Incident Management
  • Exposure/Environment Management OR ELSE
  • Information Security is non-causal in Exposure Management
  • Lack of Exposure Management is an eventual permanent loss
  • Incidents do not aggregate up to long term risk
• The Primary Conflict Model is that of a Siege
  • Non-combatants not in control of surrounding environment being drained of resources, forced to make daily risk decisions that are not pertinent to eventual win
  • This is true whether or not different threat groups *intend* to put us under siege
  • Strategic win is possible; not possible under other models
  • Accounts for resource drainage, supply chain problems, massive externalities problem, etc.
  • Breaking the siege requires building *a* castle (cooperative strategic infrastructure) and *multiple* guilds (regimes)
• Confidence Building Measures & Stability Problems
  • Unknown Exposure: Game Theory vs Control Based Regulation
    • Too many actors
    • Tools too accessible
  • Norms of Behavior
    • Some norms support both conflict and stability
    • Difficulty developing norms in the middle of conflict
  • Information vs Kinetic Warfare
    • Intentional Abuse of Conflict Culture & Definitions
    • Targeting of formal/informal “civilian” information and regimes
    • Western governance has long term strategic vulnerabilities
• Capacity Building
  • vs Conflict Execution (Retains almost Exclusive Focus)
  • vs Exposure Management (Done only to aid Conflict)
  • Same as InfoSec, but larger
Also Helps Drive (& Provide Cover for) Localized Civilian Parasite/Siege Conflict Context
• Overall rising hostility under the radar
• Sustained non-ICT Regime Instability
  • Costs in money, trust, unconstrained resilience requirements
• Unintended Specific Fallout from General Instability
  • Systems not functioning as desired in emergencies
  • High Intensity Conflict resulting from unrelated events
• Business Borders: Disappearing?
  • Is it more useful to constrain cybersecurity around business borders or supply (and value) chains?
  • If the latter, is that even possible?
  • (This is only one of several boundary problems)
• Un-constrainable? Mesh vs Chains
  • Since these aren’t really chains, does this become a statistical problem?
  • Supply chain as a mechanism for risk reduction?
• Geography & Power Delegation
  • The internet is a form of “geography”
  • Power Plants are part of the internet, therefore they are geography
  • They’re also targets
  • The government is *not* the primary arbiter of power within the borders of this virtual geography
  • Ooops. This is new.
• Geography & Proximity
  • Everyone is a Neighbor
  • Have you ever been stuffed shoulder to shoulder in a hot train car with drunk friends, enemies, and strangers?
  • Ooops. This is new, or at least worse.
• Common Problem Space Consensus
  • Development
  • Socialization
• Multi-stakeholder Model/Regime Management
  • Targeting & Engagement
  • Aligned, Unaligned, Oppositional Stakeholders
  • Development
  • Goal Targeting and Rationalization
  • Language normalization
• Practice Development
  • As opposed to Stabilization
• Tragedy of the Commons
  • Without Ownership of Practices, Infrastructure, or Goals
• RealPolitik
• Power
  • 2nd Amendment and the Right to Bear Digital Arms
• Responsibilities
  • Voting Knowledgeably
  • Participation in Multi-Stakeholder Regimes
  • Education
• Access
  • Rights of Individual Access vs Rights of Society
  • Business & Government Customers
  • Voting, Markets, and Courts intended as arbiters, but…
• Social
  • Perception & Expectation Management
  • Media!
  • Health & Safety
• Entrenched Industry Must be Derailed
  • Costing us time, money, cultural capital
  • Hijacking regimes
  • Abstract, tenuous connection to risk
  • Hope, hope, hope, hope
  • (Vendor vs Hacker)
  • Academia not competing
    • Tools
    • Behavior Change
    • Applicability
“The difference between how it’s supposed to work and how it really works is where the vulnerabilities happen.” – Chris Wysopal/Weld Pond (L0pht)
• Complexity
  • Exposure rising directly and infinitely with complexity
• Competency
  • Technical competency required by all, who cannot maintain it
• Security Express-ability
  • Lower layers are approximating upper layer expressions
• Exposure Management
  • Decision Making Capacity Building
  • Action Capacity (Authority/Responsibility)
• Full System (Human) Threat Modeling
  • Requires Role/Lever reasoning
  • Fuzzy (but it’s done all the time anyway)
Anyone can make a good plan, and one that works, but can it be kept tight enough to achieve goals in the face of constant, organized, trained, funded, motivated threats?
• We Need Generals
  • Not Guys with Guns Espousing Tactical Requirements in Place of Strategies to Win
  • Win = Desired level of risk for desired investment over time
• Formal Roles limit Routing of Knowledge/Capability into available levers
  • If you’re not selling something, you’re not participating
• Sustained Socialization
  • Meme-ification - Passive Education
  • Active Education
• Clarity across Discipline Borders
  • Common Language
• Knowledge
  • Language & terminology
    • Organic
    • Hijacked
  • Perspective & Context Awareness
    • Trouble Seeing the Big Picture for the Small
  • Validation & Action
• Psychology
  • Stakeholders’ Receptiveness
  • Distance between action and risk
• Conceptual Processing
  • Ability to Process sufficient incoming knowledge tangential to core life
  • Analysts vs Engineers
• Average is Average
  • Cannot require or assume exceptionalism
• Wok
  • Wok Wok
  • Wok?
  • W.O.K.
  • Wok Wok wok wok
This is, obviously, a wildly incomplete framework. But it is a start?
• Exposure is primarily created outside of InfoSec (although not “only”)
• Informing InfoSec Practices with Business Goals instead of vice versa removes levers
  • InfoSec practices should INFORM and CONTEXTUALIZE business risk practices INTO cyber risk CONTROLS
• Cyber isn’t a risk TO you in most cases;
  • The risk from cyber to society, industry, and gov CREATES risks to you (Polish Airlines)
• Risk management’s job is not limited to a process or approach or framework.
  • It is, instead, behavioral and decision making capacity building
  • Awareness is not behavior change
  • Psych, Marketing, Comms
• Target: “Risk Based” often conflated with “Have a Priority” in common practice
• Difficult to quantify security management non-security benefits because security management is typically focused on improving security management, even when contextualized by business.
  • We can perhaps, instead, quantify benefits of non-security activities that benefit security by leveraging dual purpose activities
• Expand
• Clarify
• Communicate
• Maintain
• Use
• Market
• Criticize
• Trash it and Start Over if Needed
  • We still need one
  • Let’s just stop repeating ourselves
• Goal Development:
  • Siege Breaking and Parasitic Environment Management (next slide)
• Roles to Risk Modeling to…
  • Create Exposure Management Strategies
  • Aid Targeted Education for Risk Decisions in Role Context
  • Mitigate Tech/Process Controls
  • A Non-Sec Initiative
• Integrate Disparate Disciplines into a Cybersecurity Discipline
  • Business Risk Managers/CFO’s/Psychs/OrgProcess/Marketers/Sociologists against InfoSec…
• Socialize QA as applied to Cyber Exposure Creation
  • This should exist, but perhaps unapplied
• Citizens as a DHS Critical Infrastructure Sector
• Contextualize abstract risks in existing process
• Identify Psychological Motivation Profiles for Targeted Behavior Change
• Business Levers that affect security with the most non-security ROI.
Develop cross-environment joint actor strategies to more effectively and sustainably compete for the ability to provide value smack in the middle of a constant conflict that cannot be won against players we may or may not be able to see, know, or influence and whose values and goals may be in support of yours, oppositional to yours, or tangential to yours while, over time, gradually de-incentivizing the use of cyberspace as a conflict domain.
• Think Beyond InfoSec
  • Broaden Scope Out As Far As You Can Go
• Re-Consider your Metaphors and Models from the Ground Up
  • If Only as a Thought Exercise
• Ask how to manage risk without InfoSec
  • Then build an error handler
• Wonder at why we are where we are
  • And treat common practices as solving an insufficiently complete list of problems
Jack Whitsitt, EnergySec Senior Strategist
@sintixerr | sintixerr@gmail.com

More Related Content

What's hot

The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
Jessica Graf
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challenge
msdee3362
 
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...
Sara-Jayne Terp
 
Opportunities and Challenges in Crisis Informatics
Opportunities and Challenges in Crisis InformaticsOpportunities and Challenges in Crisis Informatics
Opportunities and Challenges in Crisis Informatics
Lea Shanley
 
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copy
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copyBest_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copy
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copy
Stephanie McVitty
 
Insight Session with Dr. Daniel Gerstein, Deputy Under Secretary, S&T, DHS
Insight Session with Dr. Daniel Gerstein, Deputy Under Secretary, S&T, DHSInsight Session with Dr. Daniel Gerstein, Deputy Under Secretary, S&T, DHS
Insight Session with Dr. Daniel Gerstein, Deputy Under Secretary, S&T, DHS
Government Technology and Services Coalition
 

What's hot (20)

The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challenge
 
2021 12 nyu-the_business_of_disinformation
2021 12 nyu-the_business_of_disinformation2021 12 nyu-the_business_of_disinformation
2021 12 nyu-the_business_of_disinformation
 
2021-05-SJTerp-AMITT_disinfoSoc-umaryland
2021-05-SJTerp-AMITT_disinfoSoc-umaryland2021-05-SJTerp-AMITT_disinfoSoc-umaryland
2021-05-SJTerp-AMITT_disinfoSoc-umaryland
 
Cognitive security: all the other things
Cognitive security: all the other thingsCognitive security: all the other things
Cognitive security: all the other things
 
Distributed defense against disinformation: disinformation risk management an...
Distributed defense against disinformation: disinformation risk management an...Distributed defense against disinformation: disinformation risk management an...
Distributed defense against disinformation: disinformation risk management an...
 
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...
 
disinformation risk management: leveraging cyber security best practices to s...
disinformation risk management: leveraging cyber security best practices to s...disinformation risk management: leveraging cyber security best practices to s...
disinformation risk management: leveraging cyber security best practices to s...
 
The Business(es) of Disinformation
The Business(es) of DisinformationThe Business(es) of Disinformation
The Business(es) of Disinformation
 
Opportunities and Challenges in Crisis Informatics
Opportunities and Challenges in Crisis InformaticsOpportunities and Challenges in Crisis Informatics
Opportunities and Challenges in Crisis Informatics
 
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copy
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copyBest_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copy
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copy
 
Improving cyber-security through acquisition
Improving cyber-security through acquisitionImproving cyber-security through acquisition
Improving cyber-security through acquisition
 
"Evolving cybersecurity strategies" - Seizing the Opportunity
"Evolving cybersecurity strategies" - Seizing the Opportunity"Evolving cybersecurity strategies" - Seizing the Opportunity
"Evolving cybersecurity strategies" - Seizing the Opportunity
 
Insight Session with Dr. Daniel Gerstein, Deputy Under Secretary, S&T, DHS
Insight Session with Dr. Daniel Gerstein, Deputy Under Secretary, S&T, DHSInsight Session with Dr. Daniel Gerstein, Deputy Under Secretary, S&T, DHS
Insight Session with Dr. Daniel Gerstein, Deputy Under Secretary, S&T, DHS
 
Chuck Brooks Updated Profile: on Homeland Security, Cybersecurity, Emerging T...
Chuck Brooks Updated Profile: on Homeland Security, Cybersecurity, Emerging T...Chuck Brooks Updated Profile: on Homeland Security, Cybersecurity, Emerging T...
Chuck Brooks Updated Profile: on Homeland Security, Cybersecurity, Emerging T...
 
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...
 
Professor Martin Gill, Director, Perpetuity Research
Professor Martin Gill, Director, Perpetuity Research Professor Martin Gill, Director, Perpetuity Research
Professor Martin Gill, Director, Perpetuity Research
 
Chuck Brooks Profile: on Homeland Security, Cybersecurity, Emerging Technolog...
Chuck Brooks Profile: on Homeland Security, Cybersecurity, Emerging Technolog...Chuck Brooks Profile: on Homeland Security, Cybersecurity, Emerging Technolog...
Chuck Brooks Profile: on Homeland Security, Cybersecurity, Emerging Technolog...
 
The Black Report - Hackers
The Black Report - HackersThe Black Report - Hackers
The Black Report - Hackers
 

Similar to Yours Anecdotally: Developing a Cybersecurity Problem Space

CIA Trifecta ISACA Boise 2016 Watson
CIA Trifecta ISACA Boise 2016 WatsonCIA Trifecta ISACA Boise 2016 Watson
CIA Trifecta ISACA Boise 2016 Watson
Patricia M Watson
 
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
PECB
 
Convergence innovative integration of security
Convergence   innovative integration of securityConvergence   innovative integration of security
Convergence innovative integration of security
ciso_insights
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber Security
Stephen Lahanas
 

Similar to Yours Anecdotally: Developing a Cybersecurity Problem Space (20)

Jack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyJack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, Anecdotally
 
Pivotal Role of HR in Cybersecurity
Pivotal Role of HR in CybersecurityPivotal Role of HR in Cybersecurity
Pivotal Role of HR in Cybersecurity
 
2014 the future evolution of cybersecurity
2014 the future evolution of cybersecurity2014 the future evolution of cybersecurity
2014 the future evolution of cybersecurity
 
Understanding the security_organization
Understanding the security_organizationUnderstanding the security_organization
Understanding the security_organization
 
CIA Trifecta ISACA Boise 2016 Watson
CIA Trifecta ISACA Boise 2016 WatsonCIA Trifecta ISACA Boise 2016 Watson
CIA Trifecta ISACA Boise 2016 Watson
 
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
 
Challenges for the Next Generation of Cybersecurity Professionals - Matthew R...
Challenges for the Next Generation of Cybersecurity Professionals - Matthew R...Challenges for the Next Generation of Cybersecurity Professionals - Matthew R...
Challenges for the Next Generation of Cybersecurity Professionals - Matthew R...
 
Convergence innovative integration of security
Convergence   innovative integration of securityConvergence   innovative integration of security
Convergence innovative integration of security
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber Security
 
Strategic Leadership for Managing Evolving Cybersecurity Risks
Strategic Leadership for Managing Evolving Cybersecurity RisksStrategic Leadership for Managing Evolving Cybersecurity Risks
Strategic Leadership for Managing Evolving Cybersecurity Risks
 
2014 10 16_challenge of natural security systems
2014 10 16_challenge of natural security systems2014 10 16_challenge of natural security systems
2014 10 16_challenge of natural security systems
 
Priming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive eraPriming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive era
 
Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-level
 
Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber Resilience
 
Risksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability ManagementRisksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability Management
 
Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even...
Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even...Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even...
Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even...
 
Symantec cyber-resilience
Symantec cyber-resilienceSymantec cyber-resilience
Symantec cyber-resilience
 
OSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionOSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the Union
 
What is cyber resilience?
What is cyber resilience?What is cyber resilience?
What is cyber resilience?
 
Metrics & Reporting - A Failure in Communication
Metrics & Reporting - A Failure in CommunicationMetrics & Reporting - A Failure in Communication
Metrics & Reporting - A Failure in Communication
 

Recently uploaded

Recently uploaded (20)

🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Yours Anecdotally: Developing a Cybersecurity Problem Space

  • 1. Jack Whitsitt, EnergySec Senior Strategist @sintixerr | sintixerr@gmail.com
  • 2. "Progress in economics consists almost entirely in a progressive improvement in the choice of models…. [It] is a science of thinking in terms of models joined to the art of choosing models which are relevant to the contemporary world… [and] it is essentially a moral science and not a natural science… That is to say, it employs introspection and judgments of value." – J. M. Keynes to Harrod, 4 July 1938 (sorta)
  • 3.
     Artist
     Hacker Compound
     Open Source (Honeypots)
     Managed Commercial Security
     FBI SOC
     Enterprise Security Architect
     National Control Systems Incident Response
     Gov: Public/Private Partnership as the Transportation SSA
     Non-Profit Community Building
     International Policy Discussions
    ….and Civilization Escape Artist
  • 4. We're Losing, We're Repeating Ourselves with Increasing Specialization, We Have No Strategy. We must learn to Fail, Iterate, and Evolve (better?) or Admit We're Insane.
  • 5. We have been focusing on improving information security and risk management practices to reduce cybersecurity risk.
    This focus has improved information security practices, but without meaningfully or sustainably reducing cybersecurity risk.
    This has come at the cost of the resources we will require to displace the dangerously entrenched behavior and misaligned markets created as an outcome of this focus.
    Our focus on information security solution spaces prevents us from making necessary transformative (as opposed to incremental) improvements because:
     Information Security might, presently, be largely tangential and non-causal with regard to long-term cybersecurity success.
     Its practices and solution spaces do not control or speak to enough of the exposure environment to create sustained, strategic improvements in position.
    We need to take a wider view.
    (Warning: the view may contradict itself, and this will be a linear presentation of a non-linear topic.)
  • 6. (image-only slide; no text)
  • 7.
     Island Internet
     Isolated Security Events
     Techies without funding or buy-in develop practices
     Automated Worms Disrupt Business
     Market need identified and met by selling practices
     Connected Important Stuff
     Merging Realities, Conflict and All
     Entrenched Models and Practices failing to solve for New Reality and New Scope
    We started out specialized and then specialized further despite context and problem-space expansion, and we've failed to improve and update models or develop appropriate, specific objectives accounting for our environment.* Now we're missing important fundamentals in scope, metaphor, language, and strategies, and we are battling existing investment to fix this.
    (*Or, at least, we've failed to create effective socialization mechanisms for them.)
  • 8. (image-only slide; no text)
  • 9. Goals of this talk:
     Help overcome the flawed strategies we've imposed on ourselves by artificially limiting the scope of cybersecurity to InfoSec.
     Suggest areas of research and data gathering that are either lacking or should be made more accessible to the markets, industries, and individuals driving risk management change.
  • 10.
     Some Famous President Or General (I think): "There is no seemingly intractable problem I've faced whose solution didn't present itself with an increase of scope" -ish
     Famous Penetration Testers: "The companies that eventually keep us from achieving our objectives are the ones that narrowed the scope of their objectives and funded them"
     Start wide, then focus:
       Where are we?
       What are we, really?
       How do we get OUT of here?
  • 11. to 15. (image-only slides; no text)
  • 16.
     The world already has a lot of cybersecurity "solutions" and "products"
     The average information security budget, according to PricewaterhouseCoopers, is a staggering $4.1 million
     According to Gartner, the worldwide Information Security market is valued at more than $70 billion. And, yet…
     The list to your right contains many, but not all, major Fortune 500 breaches since 2011
     These are not companies that cannot afford cybersecurity
     Most organizations are notified by external parties ("Cyber Healthcare Professionals", re yesterday's post-lunch talk) hundreds of days after a breach
     Cybersecurity is a hard problem that clearly, by any public metric available, remains unsolved in any sustainable way
    97% of networks have been breached (FireEye)
  • 17. (image-only slide; no text)
  • 18. Repetition:
     Of Solutions
     At the Wrong Level
     Without being Able to Articulate the Problem
       NIST CSF
       Common Practices
       List of things that aren't sufficient
     Cybersec EU, Poland, 2015
       Talking Information Sharing at Highest International levels
       Conducting, not winning, conflict
     Same solution spaces provided over and over again
     Specificity intersecting with applicability and repeatability is extraordinarily difficult
     This has to stop
  • 19. (image-only slide; no text)
  • 20. We do not have a consensus definition of "Cybersecurity"
     Neither the problem space nor the discipline
     We can't even decide if there is a <space> between Cyber and Security
     Ask any 5 experts, get 5+ answers
    Speaking of experts…..
  • 21. Who is an expert?
     System Administrators
     Malware Analysts
     Incident Responders
     Lawyers
     CISOs
     Procurement Officials
     Chairmen of the Senate Whatever Committee
     Heads of the NSA
     Senior Sales Engineers for Security Companies
     Hackers
     Children
     CEO/Executive Board Members
     Criminals/Terrorists
     Journalists
     Developers
     Activists
     Evolutionary Ecology PhDs
     Diplomats
     Control Systems Engineers
     Regulators and Auditors
     Emergency Managers
     Citizens
     Operations Staff
     Firewall Engineers
  • 22. Cybersecurity is a huge domain that spans entire cultures, industries, and nations while remaining highly individualized. As a discipline, it is an amalgamation of existing fields as disparate as business management, computer science, political science, and even art. This means we have to always be cognizant of context.
  • 26. (image-only slide; no text)
  • 27. Prosecute & Convict? Defend? Listen? Convince?
  • 28. to 33. (image-only slides; no text)
  • 34.
     Cybersecurity MUST be Lensed
       Because it is a human problem
       And Human Problems are Communication Problems
     Lenses can provide the human-specific focus required for communication
     Communication lenses are composed of:
       Domain: Broad Problem Space Definition
       Perspectives: Who is Involved?
       Contexts: Which problem piece is in front of us?
       Discipline Areas: What tools are available?
    *These are my definitions only
  • 35. Cybersecurity: The application of several disciplines to enabling an environment in which specific non-ICT-based objectives are sustainably achievable with the aid of Information Security, Control Systems Security, and Other Related Security Practices, in the face of continuous risk resulting from the use of cyber systems.
    Secure system: One that does no more or less than we want it to for the amount of effort and resources we're willing to invest in it.
  • 36. Those definitions still don’t describe a problem to be solved, they describe solution sets and objectives.
  • 37. This is a Domain we can ask specific questions of and turn into lenses…
  • 38. (image-only slide; no text)
  • 39. If InfoSec is an error handler for the overall cybersecurity risk environment, then we've let the main system go at the expense of the error handler. For the Error Handler to be the source of stability, it would have to have all or most main-system knowledge.
    So what does the problem space really look like OUTSIDE of InfoSec? Outside of the Error Handler?
    Managing the following extra-InfoSec domains is a precondition to, or a part of, effective information risk management.
  • 40. (image-only slide; no text)
  • 41. Levels of the problem space (in order; list likely not complete; threat exclusion intentional):
    1. Global
    2. Body Political
    3. Organizational
    4. Individual
     Technical … this might be a business problem pertaining to complexity?
  • 42.
     Offense/Defense
       Individuals and Businesses are NOT defenders
       Asking them to participate in global conflict is, in a word, silly
       They do not, and will not, have competence or capacity over time
       18,500 US Firms with over 500 employees!
     Parasite Management
       Maintain control of value despite competition for shared, not owned, infrastructure
       Sustained Resilience: Continuity of Operations, DR
     Exposure Management vs Incident Management
       Exposure/Environment Management OR ELSE
       Information Security is non-causal in Exposure Management
       Lack of Exposure Management is an eventual permanent loss
       Incidents do not aggregate up to long-term risk
     The Primary Conflict Model is that of a Siege
       Non-combatants not in control of the surrounding environment, being drained of resources, forced to make daily risk decisions that are not pertinent to an eventual win
       This is true whether or not different threat groups *intend* to put us under siege
       Strategic win is possible under this model, not possible under other models
       Accounts for resource drainage, supply chain problems, massive externalities problem, etc.
       Breaking the siege requires building *a* castle (cooperative strategic infrastructure) and *multiple* guilds (regimes)
  • 43. Global:
     Confidence Building Measures & Stability Problems
       Unknown Exposure: Game Theory vs Control-Based Regulation
       Too many actors
       Tools too accessible
     Norms of Behavior
       Some norms support both conflict and stability
       Difficulty developing norms in the middle of conflict
     Information vs Kinetic Warfare
       Intentional Abuse of Conflict Culture & Definitions
       Targeting of formal/informal "civilian" information and regimes
       Western governance has long-term strategic vulnerabilities
     Capacity Building
       vs Conflict Execution (retains almost exclusive focus)
       vs Exposure Management (done only to aid conflict)
       Same as InfoSec, but larger
    Also helps drive (and provide cover for) the localized civilian Parasite/Siege conflict context
  • 44.
     Overall rising hostility under the radar
     Sustained non-ICT Regime Instability
       Costs in money, trust, unconstrained resilience requirements
     Unintended Specific Fallout from General Instability
       Systems not functioning as desired in emergencies
       High-Intensity Conflict resulting from unrelated events
  • 45.
     Business Borders: Disappearing?
       Is it more useful to constrain cybersecurity around business borders or supply (and value) chains?
       If the latter, is that even possible?
       (This is only one of several boundary problems)
     Un-constrainable? Mesh vs Chains
       Since these aren't really chains, does this become a statistical problem?
       Supply chain as a mechanism for risk reduction?
  • 46.
     Geography & Power Delegation
       The internet is a form of "geography"
       Power Plants are part of the internet, therefore they are geography
       They're also targets
       The government is *not* the primary arbiter of power within the borders of this virtual geography
       Ooops. This is new.
     Geography & Proximity
       Everyone is a Neighbor
       Have you ever been stuffed shoulder to shoulder in a hot train car with drunk friends, enemies, and strangers?
       Ooops. This is new, or at least worse.
  • 47. Body Political:
     Common Problem Space Consensus
       Development
       Socialization
     Multi-stakeholder Model/Regime Management
       Targeting & Engagement
         Aligned, Unaligned, Oppositional Stakeholders
       Development
       Goal Targeting and Rationalization
       Language normalization
     Practice Development
       As opposed to Stabilization
     Tragedy of the Commons
       Without Ownership of Practices, Infrastructure, or Goals
     RealPolitik
  • 48.
     Power
       2nd Amendment and the Right to Bear Digital Arms
     Responsibilities
       Voting Knowledgeably
       Participation in Multi-Stakeholder Regimes
       Education
     Access
       Rights of Individual Access vs Rights of Society
       Business & Government Customers
       Voting, Markets, and Courts intended as arbiters, but…
     Social
       Perception & Expectation Management
       Media!
       Health & Safety
  • 49.
     Entrenched Industry Must be Derailed
       Costing us time, money, cultural capital
       Hijacking regimes
       Abstract, tenuous connection to risk
       Hope, hope, hope, hope
       (Vendor vs Hacker)
     Academia not competing
       Tools
       Behavior Change
       Applicability
  • 50. "The difference between how it's supposed to work and how it really works is where the vulnerabilities happen." – Chris Wysopal/Weld Pond (L0pht)
     Complexity
       Exposure rising directly and without bound with complexity
     Competency
       Technical competency required by all, who cannot maintain it
     Security Expressibility
       Lower layers are approximating upper-layer expressions
  • 51. Organizational:
     Exposure Management
       Decision Making Capacity Building
       Action Capacity (Authority/Responsibility)
     Full System (Human) Threat Modeling
       Requires Role/Lever reasoning
       Fuzzy (but it's done all the time anyway)
    Anyone can make a good plan, and one that works, but can it be kept tight enough to achieve goals in the face of constant, organized, trained, funded, motivated threats?
  • 52.
     We Need Generals
       Not Guys with Guns Espousing Tactical Requirements in Place of Strategies to Win
       Win = Desired level of risk for desired investment over time
     Formal Roles limit Routing of Knowledge/Capability into available levers
       If you're not selling something, you're not participating
  • 53.
     Sustained Socialization
       Meme-ification - Passive Education
       Active Education
     Clarity across Discipline Borders
       Common Language
       Knowledge
     Language & terminology
       Organic
       Hijacked
     Perspective & Context Awareness
       Trouble Seeing the Big Picture for the Small
     Validation & Action
  • 54. Individual:
     Psychology
       Stakeholders' Receptiveness
       Distance between action and risk
     Conceptual Processing
       Ability to process sufficient incoming knowledge tangential to core life
       Analysts vs Engineers
     Average is Average
       Cannot require or assume exceptionalism
  • 55. (placeholder slide)
     Wok
     Wok Wok
     Wok?
     W.O.K.
     Wok Wok wok wok
    This is, obviously, a wildly incomplete framework. But it is a start?
  • 56. (image-only slide; no text)
  • 57.
     Exposure is primarily created outside of InfoSec (although not "only")
     Informing InfoSec practices with business goals, instead of vice versa, removes levers
       InfoSec practices should INFORM and CONTEXTUALIZE business risk practices INTO cyber risk CONTROLS
     Cyber isn't a risk TO you in most cases;
       The risk from cyber to society, industry, and government CREATES risks to you (Polish Airlines)
     Risk management's job is not limited to a process or approach or framework.
       It is, instead, behavioral and decision-making capacity building
       Awareness is not behavior change
       Psych, Marketing, Comms
     Target: "Risk Based" is often conflated with "Have a Priority" in common practice
     It is difficult to quantify the non-security benefits of security management because security management is typically focused on improving security management, even when contextualized by business.
       We can perhaps, instead, quantify the benefits of non-security activities that benefit security by leveraging dual-purpose activities
  • 58. (image-only slide; no text)
  • 59. What to do with the framework:
     Expand
     Clarify
     Communicate
     Maintain
     Use
     Market
     Criticize
     Trash it and Start Over if Needed
    We still need one. Let's just stop repeating ourselves.
  • 60. Suggested research and work areas:
     Goal Development:
       Siege Breaking and Parasitic Environment Management (next slide)
     Roles to Risk Modeling to…
       Create Exposure Management Strategies
       Aid Targeted Education for Risk Decisions in Role Context
       Mitigate Tech/Process Controls
       A Non-Sec Initiative
     Integrate Disparate Disciplines into a Cybersecurity Discipline
       Business Risk Managers/CFOs/Psychs/OrgProcess/Marketers/Sociologists against InfoSec…
     Socialize QA as applied to Cyber Exposure Creation
       This should exist, but is perhaps unapplied
     Citizens as a DHS Critical Infrastructure Sector
     Contextualize abstract risks in existing process
     Identify Psychological Motivation Profiles for Targeted Behavior Change
     Business Levers that affect security with the most non-security ROI
  • 61. Develop cross-environment joint-actor strategies to more effectively and sustainably compete for the ability to provide value smack in the middle of a constant conflict that cannot be won, against players we may or may not be able to see, know, or influence, and whose values and goals may be in support of yours, oppositional to yours, or tangential to yours, while, over time, gradually de-incentivizing the use of cyberspace as a conflict domain.
  • 62.
     Think Beyond InfoSec
     Broaden Scope Out As Far As You Can Go
     Re-Consider your Metaphors and Models from the Ground Up
       If Only as a Thought Exercise
     Ask how to manage risk without InfoSec
       Then build an error handler
     Wonder at why we are where we are
       And treat common practices as solving an insufficiently complete list of problems
  • 63. Jack Whitsitt, EnergySec Senior Strategist @sintixerr | sintixerr@gmail.com

Editor's Notes

  1. When submission time came, for this, I hadn't spent a lot of time doing hard research, but sometimes that's ok…because thinking about models can be a valuable precursor to getting data….especially in a new space like cybersecurity (and I use the word intentionally here)….and especially when you think that perhaps existing models are deeply off. Many times, though, we're stuck in the grind and can't really focus on deep, big-picture, abstract thoughts. But this year, I did have that chance….to very literally think about the forest for the trees.
  2. Left to escape Ebola zombies. Came back; turns out I made an effectively prioritized decision that had nothing to do with my perceived risk and executed a really well-performed solution that improved my life, but not in a way I anticipated. Actually, no, I had goals, changed environmental factors, and suddenly my decision-making capacity and effectiveness improved. But out there, eventually you run out of things to say to yourself and you start challenging your fundamentals…and this is what this talk is really about: Do we really know what the forest looks like, or are we getting lost in the trees? How do we find a way out?
  3. Why is this? Why are we doing so poorly? What am I trying to get at with this talk….bad metaphors and targeted problem spaces.
  4. A grab bag of solutions, not very related to each other, or maybe through bad metaphor, but we lose so many good ideas over time, turnover, repetition, for lack of a common idea of what it is we're solving for. Framework….
  5. What am I trying to get at with this talk….bad metaphors and targeted problem spaces (is infosec even relevant? <stories…guys with guns, history of infosec as band-aid practices and models and conflicts and perimeters and defense in depth …….. And then targeted problem space. A grab bag of solutions, not very related to each other, or maybe through bad metaphor, but we lose so many good ideas over time, turnover, repetition, for lack of a common idea of what it is we're solving for. Framework…. SOMEWHERE ANSWER WHY MY FRAMEWORK…NEXT? "SO, WHERE ARE WE?"
  6. Wide scope, narrow in. (pull from class, puzzle pieces, quote)