Thursday, March 21, 2013

Boxing the Fundamental Assumptions of Cybersecurity Risk Management


Here's something to wrap your head around (or more literally, put in your head) as you head to NIST on April 3rd to make your contribution to the Critical Infrastructure Cybersecurity framework development process, an effort begotten by the recent Presidential Executive Order.

Many in our community love to talk about risk management as the common sense, business oriented antidote to the mandatory and therefore inflexible and slow moving instructions in the NERC CIPs.

You could certainly put me at least half in that camp.  Well, after reading THIS sharp Brookings paper from Ralph Langner and Perry Pederson, that half of me is feeling a little wobbly.


Want to see if you can handle it?  Let's see you go for a round with them.  They begin with a jab -- the DHS definition itself:
The following is a definition of risk-based decision making from appendix C of the Department of Homeland Security’s Risk Lexicon: “risk-based decision making is defined as the determination of a course of action predicated primarily on the assessment of risk and the expected impact of that course of action on that risk.”
And then counter with a flurry of lefts to some assumptions, a series of rights to some more, and finish with a big left to the whole foundation upon which cyber risk management normally rests:
The basic assumption embedded in this and all risk formulae is that unknown future events of an unknown frequency, unknown duration, unknown intensity, from an unknown assailant, with unknown motivations, and unknown consequences are quantifiable. Consequently, if one thinks s/he can measure the risk, the mistaken conclusion is that one can manage the risk.
I'm trying not to be overly swayed by this one article, but it's certainly going to be something I try to keep in main memory while at the workshop.  Hope it helps inform your thinking too.

BTW (late addition): I just realized this post ends on a bit of a down note and I don't want to leave you there.  If you can make it to page 8 you'll find Pederson and Langner pivoting towards their recommended solutions to replace risk management-based decision making.  You'll see these fall into three P's: 1) Politics, 2) Practicality and 3) Pervasiveness.  I myself haven't made it there yet but intend to before nightfall ... tomorrow.

---------------
P.S. have you ever tried boxing? I have a little, and it's a blast, and super hard, and exhausting.  But you know one thing it's easier than?  That's right, you've got it.

Photo credit: Wikimedia Commons

1 comment:

Andy Bochman said...

That's funny, I found it to be a very well written article. Agree or disagree with some of its points, it makes its case methodically and is supported by lots of references to reputable sources. Sounds like the authors must have hit a nerve to elicit "It's the most absurd piece of rubbish I've ever seen." Because it certainly is not.