The security decision making WAVE!
I’m starting a Wave on Google Wave to build a collaboration piece on security decision making. Please send me your contact if you want to participate.
Security decision making
Dear security friends,
I’ve been planning for a long time to work on a paper/presentation about security decision making. I was planning to talk with different security professionals to hear how their decision making process works and where it can be improved. But I’ve just realized that Google Wave is the perfect tool for a collaboration job like that. I will, of course, give proper credit to anyone who contributes.
Well, some classification and taxonomy first. I think we could try to break decision making down into:
- Scope: it can range from a single application to a whole organization. I’m quite sure that the process changes from one to the other, so it makes sense to consider it.
- Type of decision: what is the goal of the decision? The most common are:
  - Trade-offs: the famous control vs. productivity impact
  - Cost: should I accept the risk or pay to reduce/eliminate it?
  - Control prioritization: among all those security controls, which one should I implement first?
  - Risk prioritization: among all those risks, which one should I tackle first?
  - Security optimization: considering all the resources available, how to deploy them in a way that maximizes security (minimizes risk)
- Method:
  - Risk measurement: going through the vanilla process of measuring exposure, impact, threat level and likelihood, and getting the resulting risk.
    - Qualitative
    - Quantitative: ROSI
  - Benchmarking: comparing what others are doing in similar situations
  - Regulatory/compliance: doing it because it is required
  - Metric based: this triggers the whole discussion about security metrics, what should be measured, how, and what the desirable values are.
- Trends:
  - There are several issues with the risk assessment methodologies. I don’t like the feeling of “educated guess” from the qualitative assessments, and there are a lot of conceptual failures on the ROSI side. Also, the data available is not good enough to generate good impact and likelihood numbers. Some researchers believe we should generate new models to avoid these pitfalls.
  - Prescriptive standards: apply more prescriptive regulations, such as PCI DSS, to reduce the “interpretation” issues of more flexible frameworks and methodologies.
So, I’ll add people that I think will bring value to this discussion. Please feel free to expand the wave. Let’s see where it takes us.
(I also don’t know how to invite some people that I know are testing Wave but whom I’m not seeing in my contact list… how do I do it?)
Some interesting references to consider/read about this subject:
http://taosecurity.blogspot.com/2006/06/risk-based-security-is-emperors-new.html
http://chuvakin.blogspot.com/2009/09/donn-parkers-risks-of-risk-based.html
http://chuvakin.blogspot.com/2009/09/is-risk-just-too-risky.html
http://www.bloginfosec.com/2009/09/28/classy-data-pt-3-%E2%80%93-ownership-and-risk/

I think our work relates to the subject of this post. We developed a Google Wave gadget for security polls: http://www.decing.com
It can be installed in your Google Wave account.
December 28, 2009 @ 7:25 am