Alexander Hutton, profile picture
Uploaded byAlexander Hutton
PDF, PPTX394 views

Hutton B Side Sf

1) Current risk management approaches are problematic because they are either too notional and abstract or too focused on tangible metrics. 2) A new evidence-based approach is proposed that uses incident data frameworks to extract metrics that can be used to build models of threats, impacts, and management capabilities. 3) By analyzing patterns in incident data, more accurate assessments of risk can be made based on an organization's unique loss landscape, threat landscape, controls landscape, and how these change over time. This moves risk management from superstition to a measurable science.

Embed presentation

Download as PDF, PPTX
Risk Management Time to blow it up and start over? @alexhutton
Met E.T. Jaynes probability theory, the logic of science
Kuhn’s Protoscience A stage in the development of a science that is described by: • somewhat random fact gathering (mainly of readily accessible data) • a “morass” of interesting, trivial, irrelevant observations • A variety of theories (that are spawned from what he calls philosophical speculation) that provide little guidance to data gathering
only the wisest and stupidest of men never change Confucius
Destroy GRC Musings of a Risk Management Deconstructivist
A feeling of diss-connect between GRC and Security
let’s talk governance
governance, without metrics & models, is superstition governance, with metrics & models, describes capability to manage risk
Why does what you execute on and how you execute matter?
governance, without metrics & models, is superstition governance, with metrics & models, describes capability to manage risk measurably good governance practices (can/will) reduce risk measurably good governance is simply a description of capability to manage risk
not sucking eggs at security is a good idea
compliance*, without metrics, is superstition compliance*, with metrics, is risk management *(regulatory)
But “GRC” Risk Management Find issue, call issue bad, fix issue, hope you don’t find it again...
What is risk?
a. Risk is notional b. Risk is tangible
Problems with “tangible” - complex systems, complexity science - usefulness outside of the very specific - measurements - lots of belief statements
How Complex Systems Fail (Being a Short Treatise on the Nature of Failure; How Failure is Evaluated; How Failure is Attributed to Proximate Cause; and the Resulting New Understanding of Patient Safety) Richard I. Cook, MD Cognitive technologies Laboratory University of Chicago http://www.ctlab.org/documents/How %20Complex%20Systems %20Fail.pdf
Catastrophe requires multiple failures single point failures are not enough.. The array of defenses works. System operations are generally successful. Overt catastrophic failure occurs when small, apparently innocuous failures join to create opportunity for a systemic accident. Each of these small failures is necessary to cause catastrophe but only the combination is sufficient to permit failure. Put another way, there are many more failure opportunities than overt system accidents. Most initial failure trajectories are blocked by designed system safety components. Trajectories that reach the operational level are mostly blocked, usually by practitioners. Complex systems contain changing mixtures of failures latent within them. The complexity of these systems makes it impossible for them to run without multiple flaws being present. Because these are individually insufficient to cause failure they are regarded as minor factors during operations. Eradication of all latent failures is limited primarily by economic cost but also because it is difficult before the fact to see how such failures might contribute to an accident. The failures change constantly because of changing technology, work organization, and efforts to eradicate failures.
Complex systems run in degraded mode. Post-accident attribution accident to a ‘root cause’ is fundamentally wrong. All practitioner actions are gambles. Human expertise in complex systems is constantly changing Change introduces new forms of failure. Views of ‘cause’ limit the effectiveness of defenses against future events.
Problems with “notional” - becomes difficult to extract wisdom - we want a “Gross Domestic Product” - unable to be defended - pseudo-scientific - lots of belief statements
from Mark Curphey’s SecurityBullshit
What is risk?
uses of “risk” - engineering - complex systems says “no” - financial - no 110% return on your firewall - medical - requires data
our standards say: Find issue, call issue bad, fix issue, hope you don’t find it again...
Managing risk means aligning the capabilities of the organization, and the exposure of the organization with the tolerance of the data owners - Jack Jones
evidence based medicine, meet information security What is evidence-based risk management? a deconstructed, notional view of risk
Loss Landscape Threat Landscape risk Asset Landscape Controls Landscape
Loss Landscape a balanced scorecard? Asset Landscape Threat Landscape risk Controls Landscape
Loss Landscape a balanced scorecard? capability (destroys “g” introducing quality management & mgmt. Asset Landscape Threat Landscape science elements into infosec) risk exposure change “compliance” simply becomes a factor of loss landscape and/or operating as a Controls Landscape control group for comparative data
The Achilles heel again, lack of data
Models and data sharing Good Lord Of The Dance, something a vendor might actually help you with
Verizon Incident Sharing Framework it’s open*! * kinda
Verizon has shared data
- 2009 – over 600 cases - 2010 – between 1000 & 1400
Verizon is sharing our framework
What is the Verizon Incident Sharing (VerIS) Framework? - A means to create metrics from the incident narrative - how Verizon creates measurements for the DBIR - how *anyone* can create measurements from an incident - http://securityblog.verizonbusiness.com/wp-content/uploads/ 2010/03/VerIS_Framework_Beta_1.pdf
What makes up the VerIS framework? - Demographics - Incident Classification - Event Modeling (a4) - Discovery & Mitigation - Impact Classification - Impact Modeling
Cybertrust Security demographics - company industry - company size - geographic location - of business unit in incident - size of security department
Cybertrust Security incident classification - agent error misuse - what acts against us malware hacking environmental external - asset social action physical - what the agent acts against internal agent asset confidentiality possession - action partner availability - what the agent does to the type attribute utility asset function authenticity integrity - attribute - the result of the agent’s action against the asset
Cybertrust Security incident classification a4 event model the series of events (a4) creates an “attack model” 1 > 2 > 3 > 4 > 5
Cybertrust Security discovery & mitigation - incident timeline - discovery method evidence sources + - - control capability - corrective action - most straightforward manner in which the incident could be prevented - the cost of preventative controls
Cybertrust Security Impact classification - impact categorization - sources of Impact $ (direct, indirect) - similar to iso 27005/FAIR - impact estimation - distribution for amount of impact - impact qualification - relative impact rating
Cybertrust Security incident narrative incident metrics discovery demographics incident classification (a4) impact classification + & mitigation 1> 2> 3> 4 > 5 $$$
Cybertrust Security case studies data set discovery demographics incident classification (a4) impact classification + & mitigation a 1> 2> 3> 4 > 5 $$$ b 1> 2> 3> 4 > 5 + $$$ c 1> 2> 3> 4 > 5 + $$$ d 1> 2> 3> 4 > 5 + $$$ e 1> 2> 3> 4 > 5 + $$$ f 1> 2> 3> 4 > 5 + $$$
Cybertrust Security data set knowledge & wisdom discovery demographics incident classification (a4) impact classification + & mitigation a 1> 2> 3> 4 > 5 $$$ b 1> 2> 3> 4 > 5 + $$$ c 1> 2> 3> 4 > 5 + $$$ d 1> 2> 3> 4 > 5 + $$$ e 1> 2> 3> 4 > 5 + $$$ f 1> 2> 3> 4 > 5 + $$$
Cybertrust Security threat modeling discovery demographics incident classification (a4) impact classification + & mitigation a 1> 2> 3> 4 > 5 $$$ b 1> 2> 3> 4 > 5 + $$$ c 1> 2> 3> 4 > 5 + $$$ d 1> 2> 3> 4 > 5 + $$$ e 1> 2> 3> 4 > 5 + $$$ f 1> 2> 3> 4 > 5 + $$$
Cybertrust Security threat modeling discovery demographics incident classification (a4) impact classification + & mitigation a 1> 2> 3> 4 > 5 $$$ b 1> 2> 3> 4 > 5 + $$$ c 1> 2> 3> 4 > 5 + $$$ d 1> 2> 3> 4 > 5 + $$$ e 1> 2> 3> 4 > 5 + $$$ f 1> 2> 3> 4 > 5 + $$$
Cybertrust Security impact modeling discovery demographics incident classification (a4) impact classification + & mitigation a 1> 2> 3> 4 > 5 $$$ b 1> 2> 3> 4 > 5 + $$$ c 1> 2> 3> 4 > 5 + $$$ d 1> 2> 3> 4 > 5 + $$$ e 1> 2> 3> 4 > 5 + $$$ f 1> 2> 3> 4 > 5 + $$$
Cybertrust Security impact modeling discovery demographics incident classification (a4) impact classification + & mitigation a 1> 2> 3> 4 > 5 $$$ b 1> 2> 3> 4 > 5 + $$$ c 1> 2> 3> 4 > 5 + $$$ d 1> 2> 3> 4 > 5 + $$$ e 1> 2> 3> 4 > 5 + $$$ f 1> 2> 3> 4 > 5 + $$$
Problems: Data sharing, incidents, privacy Failures vs. Successes (where management capability helps) Talking to the business owner (might still need a “tangible approach here, but pseudo-actuarial data can help - we still want a GDP)
Successes: Bridge the gap (IRM becomes tactically actionable based on threat/attack modeling) (Capability measurements bridged to notional increase/decrease in risk) (complex system problems addressed by showing multiple sources of causes) Accurate, notional likelihood Accurate tangible impact
Requirements: Data Sets Models Technology Sciences - complexity, management/TQM/Probability/ Game Theory, biomimicry...

More Related Content

PDF
Florida Association of Community Colleges, Council of Student Affairs Present...
byMargolis Healy
 
PDF
Swenson Group Vvma
bymhunter22
 
PDF
Uks iosh inside 2 on 3
byClive Burgess
 
PDF
Taming the data demons: leveraging information in the age of risk white paper
byIBM India Smarter Computing
 
PDF
Disaster planning for the digital age
byVisual Resources Association
 
PDF
Analisis de Riesgos O-ISM3
byConferencias FIST
 
PDF
My view imprint 2011
byClive Burgess
 
PDF
Information Security Maturity Model
byCSCJournals
 
Florida Association of Community Colleges, Council of Student Affairs Present...
byMargolis Healy
 
Swenson Group Vvma
bymhunter22
 
Uks iosh inside 2 on 3
byClive Burgess
 
Taming the data demons: leveraging information in the age of risk white paper
byIBM India Smarter Computing
 
Disaster planning for the digital age
byVisual Resources Association
 
Analisis de Riesgos O-ISM3
byConferencias FIST
 
My view imprint 2011
byClive Burgess
 
Information Security Maturity Model
byCSCJournals
 

What's hot

PDF
Stream 2 - Don't Risk IT
byIBM Business Insight
 
PDF
Convergence of Security Risks
byEnterprise Security Risk Management
 
PDF
Behavioural Safety Issues Forum
byQBE European Operations
 
PDF
Fms India 2011 Bcm
bySumeet Sharma
 
PDF
BC Components and CM Lifecycle
byZaszou
 
PDF
Walter Ammann - Business Continuity Management within the Concept of Integrat...
byGlobal Risk Forum GRFDavos
 
PPTX
The Knowledge Management Role In Mitigating Operational Risk
byEduardo Longo
 
PDF
ITFM Business Brief
bywdjohnson1
 
PDF
Safetydivnewslettersummer05
bysupperman2011
 
PPTX
Apdip disaster mgmt
byMohammad Reza Eghtesadian
 
DOC
Conceptual Risk Model
byHonolulu Civil Beat
 
PDF
Return on Security Investment
byConferencias FIST
 
Stream 2 - Don't Risk IT
byIBM Business Insight
 
Convergence of Security Risks
byEnterprise Security Risk Management
 
Behavioural Safety Issues Forum
byQBE European Operations
 
Fms India 2011 Bcm
bySumeet Sharma
 
BC Components and CM Lifecycle
byZaszou
 
Walter Ammann - Business Continuity Management within the Concept of Integrat...
byGlobal Risk Forum GRFDavos
 
The Knowledge Management Role In Mitigating Operational Risk
byEduardo Longo
 
ITFM Business Brief
bywdjohnson1
 
Safetydivnewslettersummer05
bysupperman2011
 
Apdip disaster mgmt
byMohammad Reza Eghtesadian
 
Conceptual Risk Model
byHonolulu Civil Beat
 
Return on Security Investment
byConferencias FIST
 

Viewers also liked

PDF
Alex hutton metricon
byAlexander Hutton
 
PPSX
Noortje Vlayen
byguest068a2aa
 
PPT
north korea
byinsuk
 
PDF
EFI Booklet
byrailstan
 
PDF
DeepSec 2014 - The Measured CSO
byAlexander Hutton
 
PDF
Fine Art Express
bytedgirves
 
PPT
2014 30th International Annual Soils Conference. Impact of Variables on Asses...
byPeter Woodman
 
PPT
Ocwc2011 hardin-final2-4 schools
byNational Center for Supercomputing Applications
 
PPTX
Biographies 2011
byMarcela Chimentón
 
Alex hutton metricon
byAlexander Hutton
 
Noortje Vlayen
byguest068a2aa
 
north korea
byinsuk
 
EFI Booklet
byrailstan
 
DeepSec 2014 - The Measured CSO
byAlexander Hutton
 
Fine Art Express
bytedgirves
 
2014 30th International Annual Soils Conference. Impact of Variables on Asses...
byPeter Woodman
 
Ocwc2011 hardin-final2-4 schools
byNational Center for Supercomputing Applications
 
Biographies 2011
byMarcela Chimentón
 

Similar to Hutton B Side Sf

PDF
From technology risk_to_enterprise_risk_the_new_frontier
byRamsés Gallego
 
PDF
Hutton/Miller SourceBarcelona
byAlexander Hutton
 
PPTX
2013 SOPAC presentation understanding hidden risks
byKarl Davey
 
PDF
En Crisp Grc Audit Automation Overview And Sustainability Strategies
byISACA New England
 
PPTX
Gainful Information Security 2012 services
byCade Zvavanjanja
 
PDF
Business Driven Security Securing the Smarter Planet pcty_020710_rev
byShanker Sareen
 
PPTX
Fs isac fico and core presentation10222012
bySeema Sheth-Voss
 
KEY
Security architecture for LSE 2009
byVladimir Jirasek
 
PDF
Why Traditional Security has Failed
bySteven_Jackson
 
PPTX
Information Security By Design
byNalneesh Gaur
 
PDF
Infrastructure Services Market 2009
byDr. Jimmy Schwarzkopf
 
PPTX
Proactive Management of Operational Risk
byJay Jayasuriya
 
PPTX
GCC eGov Cyberwar, Cybercrime Risks and Defences 2010
byJorge Sebastiao
 
PDF
Amnded stratexpoint screens1
byAndrew Smart
 
PDF
Transparency for effective it governance v1.0
byAhmed Buhazza
 
PPT
Rm
byansulag19
 
PPT
Social Enterprise Learning Toolkit (Risk Management Module)
byEnterprising Non-Profits
 
PPT
Social Enterprise Learning Toolkit (Risk Management Module)
byEnterprising Non-Profits
 
PDF
SAS Forum India: Big Data, Big Analytics & Bad Behaviour - Fighting Financial...
bySAS Institute India Pvt. Ltd
 
PPTX
The Perils that PCI brings to Security
byTripwire
 
From technology risk_to_enterprise_risk_the_new_frontier
byRamsés Gallego
 
Hutton/Miller SourceBarcelona
byAlexander Hutton
 
2013 SOPAC presentation understanding hidden risks
byKarl Davey
 
En Crisp Grc Audit Automation Overview And Sustainability Strategies
byISACA New England
 
Gainful Information Security 2012 services
byCade Zvavanjanja
 
Business Driven Security Securing the Smarter Planet pcty_020710_rev
byShanker Sareen
 
Fs isac fico and core presentation10222012
bySeema Sheth-Voss
 
Security architecture for LSE 2009
byVladimir Jirasek
 
Why Traditional Security has Failed
bySteven_Jackson
 
Information Security By Design
byNalneesh Gaur
 
Infrastructure Services Market 2009
byDr. Jimmy Schwarzkopf
 
Proactive Management of Operational Risk
byJay Jayasuriya
 
GCC eGov Cyberwar, Cybercrime Risks and Defences 2010
byJorge Sebastiao
 
Amnded stratexpoint screens1
byAndrew Smart
 
Transparency for effective it governance v1.0
byAhmed Buhazza
 
Rm
byansulag19
 
Social Enterprise Learning Toolkit (Risk Management Module)
byEnterprising Non-Profits
 
Social Enterprise Learning Toolkit (Risk Management Module)
byEnterprising Non-Profits
 
SAS Forum India: Big Data, Big Analytics & Bad Behaviour - Fighting Financial...
bySAS Institute India Pvt. Ltd
 
The Perils that PCI brings to Security
byTripwire
 

Recently uploaded

PPTX
Becoming Frontier for Dynamics 365 Finance PPT
byjonbravetti
 
PDF
Intro to CrafterQ - AI Agent Platform for the Enterprise.pdf
byCrafterQ
 
PDF
Presentation of Cybersecurity and data protection
bytarikaityahya2
 
PDF
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
PDF
2006 IEEE International Solid-State Circuits Conference
bySlide_N
 
PDF
Just Eat Data Scraping For Restaurant Reviews And Pricing.pdf
byfusiondata2026
 
PDF
Top 5 Best Dedicated Server Providers in Los Angeles (Updated Edition)
byAtal Networks
 
PDF
6 Insights from the Patron Saint of AI Failure
byScott M. Graffius
 
PPTX
UNIT 1- Introduction to Basic of Computer Fundamentals
bypawarbhaktiit
 
PDF
Best 10 Dedicated Servers in Amsterdam, Netherlands (2026 Enterprise Edition)...
byAtal Networks
 
PPTX
computer science class 11 ( phishing and fraud mails) .pptx
bybalajichess314
 
PDF
Salesforce Sales Cloud and Generative AI Present a Fresh Approach to Personal...
byMinuscule Technologies
 
PPTX
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
PDF
Zniber Partners. Audience Foresight for Confident Decisions
bySamuel Zniber
 
PPTX
About Computer Hardware ................
bymaratiakshaya07
 
PPTX
Accelerate Innovation with Engineering R&D Services
byChetu
 
PDF
Chapter 2 Computer Threat .pdf
byGetnet Tigabie Askale -(GM)
 
PPTX
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
PDF
Unlocking Gen AI Capabilities Within UiPath Document Understanding
byDianaGray10
 
PDF
Pervasive Encryption - Keeping Data Secure.pdf
byPrecisely
 
Becoming Frontier for Dynamics 365 Finance PPT
byjonbravetti
 
Intro to CrafterQ - AI Agent Platform for the Enterprise.pdf
byCrafterQ
 
Presentation of Cybersecurity and data protection
bytarikaityahya2
 
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
2006 IEEE International Solid-State Circuits Conference
bySlide_N
 
Just Eat Data Scraping For Restaurant Reviews And Pricing.pdf
byfusiondata2026
 
Top 5 Best Dedicated Server Providers in Los Angeles (Updated Edition)
byAtal Networks
 
6 Insights from the Patron Saint of AI Failure
byScott M. Graffius
 
UNIT 1- Introduction to Basic of Computer Fundamentals
bypawarbhaktiit
 
Best 10 Dedicated Servers in Amsterdam, Netherlands (2026 Enterprise Edition)...
byAtal Networks
 
computer science class 11 ( phishing and fraud mails) .pptx
bybalajichess314
 
Salesforce Sales Cloud and Generative AI Present a Fresh Approach to Personal...
byMinuscule Technologies
 
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
Zniber Partners. Audience Foresight for Confident Decisions
bySamuel Zniber
 
About Computer Hardware ................
bymaratiakshaya07
 
Accelerate Innovation with Engineering R&D Services
byChetu
 
Chapter 2 Computer Threat .pdf
byGetnet Tigabie Askale -(GM)
 
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
Unlocking Gen AI Capabilities Within UiPath Document Understanding
byDianaGray10
 
Pervasive Encryption - Keeping Data Secure.pdf
byPrecisely
 

Hutton B Side Sf

  • 1.
    Risk Management Time toblow it up and start over? @alexhutton
  • 2.
    Met E.T. Jaynes probabilitytheory, the logic of science
  • 3.
    Kuhn’s Protoscience Astage in the development of a science that is described by: • somewhat random fact gathering (mainly of readily accessible data) • a “morass” of interesting, trivial, irrelevant observations • A variety of theories (that are spawned from what he calls philosophical speculation) that provide little guidance to data gathering
  • 4.
    only the wisestand stupidest of men never change Confucius
  • 5.
    Destroy GRC Musings ofa Risk Management Deconstructivist
  • 6.
    A feeling ofdiss-connect between GRC and Security
  • 7.
  • 8.
    governance, without metrics& models, is superstition governance, with metrics & models, describes capability to manage risk
  • 9.
    Why does whatyou execute on and how you execute matter?
  • 12.
    governance, without metrics& models, is superstition governance, with metrics & models, describes capability to manage risk measurably good governance practices (can/will) reduce risk measurably good governance is simply a description of capability to manage risk
  • 13.
    not sucking eggsat security is a good idea
  • 14.
    compliance*, without metrics,is superstition compliance*, with metrics, is risk management *(regulatory)
  • 15.
    But “GRC” Risk Management Findissue, call issue bad, fix issue, hope you don’t find it again...
  • 16.
  • 17.
    a. Risk isnotional b. Risk is tangible
  • 18.
    Problems with “tangible” -complex systems, complexity science - usefulness outside of the very specific - measurements - lots of belief statements
  • 19.
    How Complex SystemsFail (Being a Short Treatise on the Nature of Failure; How Failure is Evaluated; How Failure is Attributed to Proximate Cause; and the Resulting New Understanding of Patient Safety) Richard I. Cook, MD Cognitive technologies Laboratory University of Chicago http://www.ctlab.org/documents/How %20Complex%20Systems %20Fail.pdf
  • 20.
    Catastrophe requires multiplefailures single point failures are not enough.. The array of defenses works. System operations are generally successful. Overt catastrophic failure occurs when small, apparently innocuous failures join to create opportunity for a systemic accident. Each of these small failures is necessary to cause catastrophe but only the combination is sufficient to permit failure. Put another way, there are many more failure opportunities than overt system accidents. Most initial failure trajectories are blocked by designed system safety components. Trajectories that reach the operational level are mostly blocked, usually by practitioners. Complex systems contain changing mixtures of failures latent within them. The complexity of these systems makes it impossible for them to run without multiple flaws being present. Because these are individually insufficient to cause failure they are regarded as minor factors during operations. Eradication of all latent failures is limited primarily by economic cost but also because it is difficult before the fact to see how such failures might contribute to an accident. The failures change constantly because of changing technology, work organization, and efforts to eradicate failures.
  • 21.
    Complex systems runin degraded mode. Post-accident attribution accident to a ‘root cause’ is fundamentally wrong. All practitioner actions are gambles. Human expertise in complex systems is constantly changing Change introduces new forms of failure. Views of ‘cause’ limit the effectiveness of defenses against future events.
  • 22.
    Problems with “notional” -becomes difficult to extract wisdom - we want a “Gross Domestic Product” - unable to be defended - pseudo-scientific - lots of belief statements
  • 23.
    from Mark Curphey’sSecurityBullshit
  • 24.
  • 25.
    uses of “risk” -engineering - complex systems says “no” - financial - no 110% return on your firewall - medical - requires data
  • 26.
    our standards say: Findissue, call issue bad, fix issue, hope you don’t find it again...
  • 27.
    Managing risk meansaligning the capabilities of the organization, and the exposure of the organization with the tolerance of the data owners - Jack Jones
  • 28.
    evidence based medicine,meet information security What is evidence-based risk management? a deconstructed, notional view of risk
  • 29.
    Loss Landscape Threat Landscape risk Asset Landscape Controls Landscape
  • 30.
    Loss Landscape a balanced scorecard? Asset Landscape Threat Landscape risk Controls Landscape
  • 31.
    Loss Landscape a balanced scorecard? capability (destroys “g” introducing quality management & mgmt. Asset Landscape Threat Landscape science elements into infosec) risk exposure change “compliance” simply becomes a factor of loss landscape and/or operating as a Controls Landscape control group for comparative data
  • 32.
    The Achilles heelagain, lack of data
  • 33.
    Models and data sharing GoodLord Of The Dance, something a vendor might actually help you with
  • 34.
    Verizon Incident SharingFramework it’s open*! * kinda
  • 35.
  • 36.
    - 2009 – over 600 cases - 2010 – between 1000 & 1400
  • 37.
    Verizon is sharingour framework
  • 38.
    What is theVerizon Incident Sharing (VerIS) Framework? - A means to create metrics from the incident narrative - how Verizon creates measurements for the DBIR - how *anyone* can create measurements from an incident - http://securityblog.verizonbusiness.com/wp-content/uploads/ 2010/03/VerIS_Framework_Beta_1.pdf
  • 39.
    What makes upthe VerIS framework? - Demographics - Incident Classification - Event Modeling (a4) - Discovery & Mitigation - Impact Classification - Impact Modeling
  • 40.
    Cybertrust Security demographics - company industry - company size - geographic location - of business unit in incident - size of security department
  • 41.
    Cybertrust Security incident classification - agent error misuse - what acts against us malware hacking environmental external - asset social action physical - what the agent acts against internal agent asset confidentiality possession - action partner availability - what the agent does to the type attribute utility asset function authenticity integrity - attribute - the result of the agent’s action against the asset
  • 42.
    Cybertrust Security incident classification a4 event model the series of events (a4) creates an “attack model” 1 > 2 > 3 > 4 > 5
  • 43.
    Cybertrust Security discovery & mitigation - incident timeline - discovery method evidence sources + - - control capability - corrective action - most straightforward manner in which the incident could be prevented - the cost of preventative controls
  • 44.
    Cybertrust Security Impact classification - impact categorization - sources of Impact $ (direct, indirect) - similar to iso 27005/FAIR - impact estimation - distribution for amount of impact - impact qualification - relative impact rating
  • 45.
    Cybertrust Security incident narrative incident metrics discovery demographics incident classification (a4) impact classification + & mitigation 1> 2> 3> 4 > 5 $$$
  • 46.
    Cybertrust Security case studies data set discovery demographics incident classification (a4) impact classification + & mitigation a 1> 2> 3> 4 > 5 $$$ b 1> 2> 3> 4 > 5 + $$$ c 1> 2> 3> 4 > 5 + $$$ d 1> 2> 3> 4 > 5 + $$$ e 1> 2> 3> 4 > 5 + $$$ f 1> 2> 3> 4 > 5 + $$$
  • 47.
    Cybertrust Security data set knowledge & wisdom discovery demographics incident classification (a4) impact classification + & mitigation a 1> 2> 3> 4 > 5 $$$ b 1> 2> 3> 4 > 5 + $$$ c 1> 2> 3> 4 > 5 + $$$ d 1> 2> 3> 4 > 5 + $$$ e 1> 2> 3> 4 > 5 + $$$ f 1> 2> 3> 4 > 5 + $$$
  • 48.
    Cybertrust Security threat modeling discovery demographics incident classification (a4) impact classification + & mitigation a 1> 2> 3> 4 > 5 $$$ b 1> 2> 3> 4 > 5 + $$$ c 1> 2> 3> 4 > 5 + $$$ d 1> 2> 3> 4 > 5 + $$$ e 1> 2> 3> 4 > 5 + $$$ f 1> 2> 3> 4 > 5 + $$$
  • 49.
    Cybertrust Security threat modeling discovery demographics incident classification (a4) impact classification + & mitigation a 1> 2> 3> 4 > 5 $$$ b 1> 2> 3> 4 > 5 + $$$ c 1> 2> 3> 4 > 5 + $$$ d 1> 2> 3> 4 > 5 + $$$ e 1> 2> 3> 4 > 5 + $$$ f 1> 2> 3> 4 > 5 + $$$
  • 50.
    Cybertrust Security impact modeling discovery demographics incident classification (a4) impact classification + & mitigation a 1> 2> 3> 4 > 5 $$$ b 1> 2> 3> 4 > 5 + $$$ c 1> 2> 3> 4 > 5 + $$$ d 1> 2> 3> 4 > 5 + $$$ e 1> 2> 3> 4 > 5 + $$$ f 1> 2> 3> 4 > 5 + $$$
  • 51.
    Cybertrust Security impact modeling discovery demographics incident classification (a4) impact classification + & mitigation a 1> 2> 3> 4 > 5 $$$ b 1> 2> 3> 4 > 5 + $$$ c 1> 2> 3> 4 > 5 + $$$ d 1> 2> 3> 4 > 5 + $$$ e 1> 2> 3> 4 > 5 + $$$ f 1> 2> 3> 4 > 5 + $$$
  • 52.
    Problems: Data sharing, incidents,privacy Failures vs. Successes (where management capability helps) Talking to the business owner (might still need a “tangible approach here, but pseudo-actuarial data can help - we still want a GDP)
  • 53.
    Successes: Bridge the gap (IRMbecomes tactically actionable based on threat/attack modeling) (Capability measurements bridged to notional increase/decrease in risk) (complex system problems addressed by showing multiple sources of causes) Accurate, notional likelihood Accurate tangible impact
  • 54.
    Requirements: Data Sets Models Technology Sciences -complexity, management/TQM/Probability/ Game Theory, biomimicry...