The presentation Mortman & Hutton gave at Security B-Sides in Las Vegas, with material from our Black Hat presentation mixed in.
More at http://www.newschoolsecurity.com
4. “
• Risk management inputs are estimates and the results are therefore questionable
• Risk management attempts to predict the future; that is hard
• Risk management is based on backward-looking statistics, which does not make sense in an environment where you’re up against a creative attacker
These are the reasons I reject Risk Management.”
- a well known Security RockStar
6-8. (built up over three slides)
• Risk management inputs are estimates and the results are therefore questionable
  • All measurements are estimates. We’re just quibbling about the amount of uncertainty.
• Risk management attempts to predict the future; that is hard
  • This simplifies information theory. Risk Management only describes certainty (Bayesian “belief”) about a current state of nature in order to make decisions.
  • Are climate studies “science”? If so, then how is this different than the global warming “debate”?
• Risk management is based on backward-looking statistics, which does not make sense in an environment where you’re up against a creative attacker
  • This is just silly. It’s saying the past is non-informative.
16. The search for Truth aside, can we acquire a “body of knowledge”?
17. Kuhn’s Protoscience
A stage in the development of a science that is described by:
• somewhat random fact gathering (mainly of readily accessible data)
• a “morass” of interesting, trivial, irrelevant observations
• a variety of theories (spawned from what he calls philosophical speculation) that provide little guidance to data gathering
18. What is required
To develop a “body of knowledge”, a social science for security & risk management?
19-22. To develop a “body of knowledge”, a social science for security & risk management?
[Diagram, built up over four slides: the Loss, Threat, Asset and Controls Landscapes surround “risk” and “security / state of vulnerability”; the “capability to manage” risk (risk management) sits above them. The final slide labels each component with the disciplines it draws on:]
Capability to Manage: Decision Theory, Management Science, Probability Theory
Loss Landscape: Economics, Behavioral Economics, Security, Management Science, Probability Theory
Threat Landscape: Behavioral Economics, Probability Theory
Asset Landscape: Management Science, Probability Theory
Controls Landscape: Management Science, Probability Theory, Control Theory
23. What is required
To develop a “body of knowledge”, a social science for security & risk management?
- Information & Theories (Models) About the Risk Landscape
- Data. At first applicable within the context provided by those theories, but data tends to stand by itself for future theories
36-39. [Diagram, built up over four slides: a factor tree behind an actor’s “Expectation of Development/Use” of an exploit; the legend reads “= Actor performs Risk Assessment”. Slide 37 highlights the Saturation of Vulnerable Technology branch, slide 38 the Exploit Utility branch. Node labels as recoverable from the extraction:]
Expectation of Development/Use
  Saturation of Vulnerable Technology: Ability To Compensate; Market Penetration (inverse); Ability To Repair; Ability To Apply Controls
  Exploit Utility: Expected Value of Systems; Code Dissemination; Ease of Use; Nature of Access; Resources; Information; Discovering / Expectation / Individual (label boundaries unclear in the extraction); Expected Value of Systems (fractal); Expected Volume; Market Return; Computing Power; Bandwidth
40. Model lives & will be maintained & information can be shared at:
The New School of Information Security Website
http://www.newschoolsecurity.com