I can’t speak for other participants in the Society of Information Risk Analysts (SOIRA), but I’m rather excited with anticipation. Because of that, I wanted to jot down some ideas rolling around my head of things I want to work on. These are no more than paragraphs on the screen at this point (though some are blog-posts-never-posted). Each of these is intended to help the boots on the ground, meaning these are not theoretical exercises or just research projects. I want to be able to test some of these things out, preferably collectively, see what works, and move to put things into practice.
I run into multiple situations daily where someone asks me in a meeting, or worse, standing in the elevator: Can we enable feature X? Is it okay if I modify Y? I know the practice is to do Z, but what about Z-1? I want to handle these questions methodically, in such a way that practice may improve our quick decisions. What kind of thought exercises can help with quick security decisions? More specifically: What can we adjust in, or become aware of in, our existing heuristics, biases and frames to make better decisions within a 15 second window? There is a lot of material in the decision sciences to help with this question and hopefully something concrete can come out of it.
Here’s an example of the problem: while jotting this thought down yesterday, I was asked if a time stamp could be removed from an unprotected message. After quickly considering the threat, weakness and impact of the question, I answered quickly and decisively with “dunno, wasn’t paying attention.”
How can we discuss weighted qualitative assessments?
I used to think that I was a unique fish battling the problem of seat-of-the-pants risk assessments that are nothing more than a weighted audit. Jack Freund just wrote up a blog post on this qualitative battle. I want to figure out why people think these “assessments” are valuable and work out methods to approach these discussions, because logical arguments seem to fall on deaf ears. I’d like to figure out who’s looked at it before (like Hubbard) and what can be done to shift these perspectives in reality; primarily my goal is just to reduce my own irritation with these. Honestly, I want to tackle this because I’m intrigued. The people who are doing this method and recommending these approaches are not stupid. They see a value in their methods that I’m missing. I want to understand what that is (and why alternatives are not attractive), and then figure out where to go from there.
What are the prerequisites for an information risk management program?
I’ve seen attempts at a risk management program fail because of the immaturity of the environment. It’s hard to track security risks when people can’t even identify the hardware in their data centers, let alone the information on it. This makes me wonder: What should be done before an infosec risk management program is even considered? What sort of things should people look for before they take a job in infosec risk? Things off the top of my head are some level of maturity around asset tracking, change control and governance.
How can I establish and communicate risk tolerance?
Many methodologies talk about the risk tolerance or risk appetite of organizations and how understanding that is critical. I think I’m more likely to win the jackpot in the Powerball before I can grok the risk tolerance in my organization. I’d like to experiment with how this may be done. My lofty-and-probably-absurd dream here is to create something like a questionnaire or survey that ballparks their business/infosec risk threshold. Off the top of my head I see this being a series of hypothetical situations with a finite list of decisions to select from. It should be possible, at least in theory, to begin correlating answers to risk threshold. Kind of a CVSS for risk tolerances; I like this idea.
With a nod to Chris Hayes and his risk vernacular (which may be a great starting point), I’d like to create a reference for terminologies and try to make it broadly inclusive in order to learn from others. For instance, I see an entry for “risk” having probably 15 different definitions, along with their sources. This may be extremely helpful for the next task, but it has overall value, too. Having terms broken down like that will help get a feel for the overall state of infosec risk analysis and help bridge some of the gaps in terminology. The point is not to define the terms as I want them to be, but to figure out the range of definitions other people hold. This is simply a data gathering task; no interpretation or logic is necessarily required.
Methodologies: Quick Hit List
It’s been a few years, but at one point I went through every risk methodology I could get my hands on. By the end, they blurred together and I saw an underlying pattern: each and every one of those methods addressed almost the exact same things, just with different priorities, emphasis and, well, words. I’d like to go back down that journey again and track the similarities and differences, call out their emphasis, and attempt to align and track terminologies (see previous entry). I may try to tackle this one last; it may be a bit tedious.
“To begin with, let’s assume I’m an idiot…”
I’d like to put together some help for people new to the field and to fill in the many gaps I have in my own knowledge. Perhaps this is an “Idiot’s Guide to Infosec Risk” but without any trademark infringement. What kind of statistical analysis or decision analysis tools should I consider? What books, memberships, training or certifications will help me? Are there courses I could look at taking? This was mentioned by John on the SOIRA concall earlier, about where to even begin looking. And maybe this is multiple outputs and not a single product. I don’t think the target audience for this should be college interns, but seasoned security professionals whose finger looks like a raisin from licking it in the wind too much.
That’s it. I know there are more, but that’s what I was able to think of during the day today. And the last three don’t exactly target the boots on the ground; those are more of a longer-term goal. If you can think of other big questions that need answering, please check into the Society of Information Risk Analysts.