I would like to use the blog approach to begin generating tools that make information security decision making accurate. There is very little evidence of scientific method usage in information security decision making, including cyber security. Security is a black hole for resources, and we are pouring money and potential talent into it. We waste money on products, partake in and sponsor educational programs, and write policy whose effectiveness we never prove. Instead of “standing on the shoulders of giants” we start businesses, all re-inventing the wheel instead of using what scientific research has already provided. We say things like “there isn’t enough data to do anything but guess for now” and then complain about “falling behind.” We turn down real cyber talent because we never asked ourselves “is this the right criteria?” and then we say “critical shortage of cyber talent.” We’re wrong and we always will be wrong. But we’re not accepting that and approaching the problem with the goal of being the least wrong.
Snake-oil information security professionals, solutions, appliances, managed services, frameworks, and methodologies are dominant right now. Most of these are either checkboxes or black boxes. Some involve quantitative steps but are quickly becoming textbook examples of bad statistics. They do something worse than “not work”: they deceive us into thinking they work. That wastes our resources and gives a false sense of security.
Over the years I’ve worked for small not-for-profits, large international corporations, universities, financial institutions, news media, and technology development companies. Most organizations use an “ordinal scoring” based risk assessment methodology. That is, they provide risk estimates in the form of a number between 1 and 3, or colors like red, yellow, and green, or ratings of low, medium, and high, with each value representing a different weight. They do this to prioritize which hazards/threats to address first. This form of assessment comes from the pseudo-scientific model known as the “rational model”. You’ll find it in common introductory business decision-making textbooks. Today the “rational model” is an approach that reaches beyond MBA students. It is also recommended by industry standard guidance organizations. You’ll see it recommended by NIST, COBIT (ISACA), FFIEC; the list goes on. This is the method used for national security, critical infrastructure decision making, financial risk, and many more highly influential groups. When organizations are asked by regulators to “assess the risk accordingly” in order to be compliant, they grab the nearest solution. Some choose methods that are ready, available, featured, inexpensive, and simple. Others exercise more scrutiny and have information security, cyber security, and business intelligence consulting firms come in and present. Whoever makes the most compelling presentation of their services wins the contract. Both approaches are negligent business practices and examples of backwards business decision making, where we try to find solutions before we clearly define what our problems are.
Every professional service provider starts off much like I do here. You criticize the competition; you describe the flaws in the methods your target audience is most likely using. Then you promise either the “real” way to do it or the modest, diplomatic “better” way to do “risk”. Now I explain to you how different I am and how different my products and services are. Fortunately for you, I am not selling products and services. I’m an information security professional with a job just like you who wants to put together the best approach to information security decision making. This is where I try to seem relatable to you, the target audience, but then pull a fast one and ask for money or your email address so that you can download the smart-sounding whitepaper my firm’s latest underpaid intern wrote. Don’t worry, that is not the case here.
I’m doing this blog for myself. The stone-age approach to information security decision making and risk management fuels a powerful anxiety in me that I have a hard time containing. Writing this blog is a kind of therapy for me. Fortunately, the therapy for treating bullshit-induced anxiety is the truth-seeking dialectic otherwise known as education. I want to create open-source solutions, and I want equally critical readers to contribute. Together we can treat my anxiety and come up with real solutions for information security decision making.
Perhaps the most important attribute of this work in progress is the systematic and periodic critical re-analysis of all assumptions made and all methodologies proposed. This is not a product that must remain static to please customers. It must be free to change in order to progressively reduce wrongness. The assumptions and methods will be regularly reviewed and openly criticized. The proposed methods will be updated according to the latest relevant findings in academic research and, ideally, as a result of research performed by me as well, so far as it affords credibility. As such, the model proposed is fluid and, like science itself, aims at a moving target: one whose distance we can only ever narrow, never close.