Security Theories Part 1

In going over my past posts, I realized that I never talked about the governing theories that drive the management of security.  I've talked about a subcomponent of them but not starting from the top.  I've also stated that I would write about it in my paper (see utter failure due to vacation between jobs).  In the spirit of my never really getting to that paper, I've decided I will start talking about them in bite-size blog posts.

We have a bunch of problems in industry and need a better model for solving them than what we have today.  More importantly, there is no proper theory that drives to a methodology and all the way down to a programmatic model.  Seven years ago I was banging my head against the wall trying to figure out how to get out of a highly reactive function into one that was more predictive.  The result was the development of my Risk Management model.  In the past couple of years, the focus on the people aspect of the problem has driven me to a mutual model around the metaphorical aspects of "security".  Both of these points have driven to the two models (Equilibrium and Risk Management) that I use today.  There are subcomponents to each of them; however, for right now we need to start from the top.

Equilibrium Model and Risk Management Model

The Equilibrium Model is based on the need to get a firm handle on two aspects of perception.  The premise is that security is about balancing the "threats" with mitigating "controls".  Yet, we do this based on the perception of the need for those controls relative to the threats.  More importantly, it's not our perception that is ultimately important.  For the most part, it's the business's perception that is all important.  The most significant failing is that I've rarely seen any security organization even attempt to figure out what that perception is or even to manage it.  As a secondary point, we can't change the threats or the controls, to a great extent, but we can change perception.  If we know where the perception level is regarding specific things, then we can focus on marketing our belief to those individuals to change it.  As a result, we can then increase the adoption of more stringent controls based on their coming to our perception.

The questions or areas of focus in establishing balance are:


  • Allowed Financial Loss
  • Allowed Public Vulnerability
  • Allowed Public Data Disclosure
  • Allowed Availability Loss
  • Allowed Future Revenue Loss


While these are not all of the focus areas, they are the basic elements that start us off.  I'll get into the specific questions in a later post.  Yet, with these we can then start the balancing of our controls.  With the problem of "security" being a metaphorical statement, it introduces an inherent problem in how we see it.  The equilibrium attempts to establish a more concrete, albeit qualitative, understanding of what "security" means.  From the practitioner's point of view, we can then leverage the results to understand the more significant influencers (financial, brand, operational) to drive a more secure environment by expressing impact more to those areas.  For example, if they are more financially motivated, we need to ensure we focus on explaining how the financials (future or today dollars) are at risk and to what extent.

The Risk Management model, which I've talked about in previous posts, takes a very detailed approach to mapping threats to controls and assessments.  This is to drive an explicit management of controls and explain, in great detail, why.  I'll repost that in my next section with more detail.