Security Theories Part 1

In going over my past posts, I realized that I never talked about the governing theories that drive the management of security.  I've talked about a sub-component of them, but never starting from the top.  I've also stated that I would write about it in my paper (see utter failure due to vacation between jobs).  In the spirit of me never really getting to that paper, I've decided I will start talking about them in bite-sized blog posts.

We have a bunch of problems in industry and need a better model for solving them than what we have today.  More importantly, there is no proper theory that drives down to a methodology and all the way down to a programmatic model.  Seven years ago I was banging my head against the wall trying to figure out how to get out of a highly reactive function into one that was more predictive.  The result was the development of my Risk Management model.  In the past couple of years, the focus on the people aspect of the problem has driven me to a companion model around the metaphorical aspects of "security".  Both of these points have led to the two models (Equilibrium and Risk Management) that I use today.  There are sub-components to each of them; however, for right now we need to start from the top.

Equilibrium Model and Risk Management Model

The Equilibrium Model is based on the need to get a firm handle on two aspects of perception.  The premise is that security is about balancing "threats" with mitigating "controls".  Yet we do this based on the perception of the need for those controls relative to the threats.  More importantly, it's not our perception that is ultimately important.  For the most part, it's the business's perception that is all important.  The most significant failing is that I've rarely seen any security organization even attempt to figure out what that perception is, or to manage it.  As a secondary point, we can't change the threats or the controls to a great extent, but we can change perception.  If we know where the perception level is regarding specific things, then we can focus on marketing our belief to those individuals to change it.  As a result, we can then increase the adoption of more stringent controls as they come around to our perception.

The questions or areas of focus in establishing balance are:

  • Allowed Financial Loss
  • Allowed Public Vulnerability
  • Allowed Public Data Disclosure
  • Allowed Availability Loss
  • Allowed Future Revenue Loss

While these are not all of the focus areas, they are the basic elements that start us off.  I'll get into the specific questions in a later post.  Yet with these we can then start the balancing of our controls.  With "security" being a metaphorical statement, it introduces an inherent problem in how we see it.  The equilibrium attempts to establish a more concrete, albeit qualitative, understanding of what "security" means.  From the practitioner's point of view, we can then leverage the results to understand the more significant influencers (financial, brand, operational) and drive a more secure environment by expressing impact in terms of those areas.  E.g., if they are more financially motivated, we need to ensure we focus on explaining how the financials (future or today's dollars) are at risk and to what extent.

The Risk Management model, which I've talked about in previous posts, takes a very detailed approach to mapping threats to controls and assessments.  This is to drive explicit management of controls and explain, in great detail, why.  I'll repost that in my next section with more detail.

Food, Rising Costs and Crime

In the ongoing saga of the theory that commodity price increases drive crime, I took a look at some of the data on agriculture indexes for the globe. The recent skyrocketing increase has been felt by us all at the store in the doubling of some core raw goods. However, those in less fortunate countries that already have high corruption barometer indexes have a double whammy. Only time will tell, but we should all track the data to see if it plays out as a precursor for the future. Take a look at the data on or the World Bank and see for yourself.

Labor, Metrics and Flow Management

One of the things that I wanted to follow up on from yesterday's post is controls implementation.  In my model there are three key teams (Threat Response, Security Management, and Risk and Compliance).  These three teams are the basis of the Risk Management model that I use.  Within the Security Management team we have the function of controls implementation.  That consists of a few things.  First, the design of a control based on the threat that the Threat Response team has come up with.  Second, the telemetry demonstrating the need for that control, and lastly, the implementation of that control.

It's the implementation of a control where we need to focus a bit.  Implementing a control should not mean that InfoSec is the owner of that control.  In many cases, we are implementing a control inside a process that someone else owns, such as review gates inside a project management, change management or SDLC process.  This is important because InfoSec will never have enough people to staff up for ownership of all the controls that are needed.  Also, the operational and culture-change advantages of those other teams owning them are huge, and they are lost if InfoSec "white knuckles" the controls itself.

If InfoSec is accountable for security but can't own the labor to manage all of the controls, then how can this be done?  This brings us to the importance of metrics.  The need for metrics, good metrics, is to identify whether the controls implemented are working as expected or desired.  The process is that InfoSec implements the control and, over the course of a year or two, slowly backs out of the day-to-day function.  This is to implement, harden the process, implement metrics and educate the true owners of the control.  Once the metrics are in place, InfoSec can implement Flow Management, where it manages the metrics to determine if any of the controls are going in the wrong direction.  If they are trending in an undesirable direction, InfoSec has the ability to come back in and command and control the situation to fix it.

With this process, InfoSec can apply its labor to those controls that need to be implemented or need to be fixed.  In addition, it places ownership of the controls on those who truly own them, and drives the culture change where they are accountable for security as well.
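A minimal sketch of the Flow Management review described above, as an added example that is not from the original post: each control carries its business owner and the direction its metric should move, and the controls whose recent trend runs the wrong way are returned so InfoSec knows where to step back in. The control names, owners and metric histories are constructed for illustration, and the trend rule (recent-window mean versus prior-window mean) is an assumed simplification.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List


@dataclass
class ControlMetric:
    name: str
    owner: str                 # the process owner, not InfoSec
    higher_is_better: bool     # desired direction of the metric
    history: List[float] = field(default_factory=list)  # oldest first


def trend(values: List[float], window: int = 3) -> float:
    """Mean of the last `window` points minus the mean of the `window` before.

    Returns 0.0 when there is not yet enough history to compare two windows,
    so a freshly handed-over control is never flagged on a single data point.
    """
    if len(values) < 2 * window:
        return 0.0
    return mean(values[-window:]) - mean(values[-2 * window:-window])


def needs_infosec_intervention(m: ControlMetric, window: int = 3,
                               tolerance: float = 0.0) -> bool:
    """True when the metric is drifting against its desired direction."""
    t = trend(m.history, window)
    return t < -tolerance if m.higher_is_better else t > tolerance


def flow_review(metrics: List[ControlMetric], window: int = 3,
                tolerance: float = 0.0) -> Dict[str, str]:
    """Map each control trending the wrong way to the owner InfoSec re-engages."""
    return {m.name: m.owner for m in metrics
            if needs_infosec_intervention(m, window, tolerance)}


# Constructed sample: three controls owned by other teams, six periods each.
SAMPLE = [
    ControlMetric("Change review gate coverage (%)", "Change Management", True,
                  [98, 97, 98, 96, 93, 90]),        # eroding: flag it
    ControlMetric("Open critical findings past SLA", "SDLC", False,
                  [4, 3, 3, 2, 2, 1]),              # falling: healthy
    ControlMetric("Project security sign-off rate (%)", "PMO", True,
                  [80, 84, 85, 86, 88, 90]),        # rising: healthy
]

if __name__ == "__main__":
    for control, owner in flow_review(SAMPLE).items():
        print(f"re-engage {owner}: {control} is trending the wrong way")
```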

The Piracy and Fraud "Bad Country" List

The IIP released their report on the top countries that perform piracy. The top 13 should be interesting as we map our respective internal fraud, external fraud and crime reports together. Yet another data point to work into our risk modeling for our business, direct or indirect, in those countries. In the report you will see the usual suspects and some oddities.