Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical Approach Towards Decision Making) Michael Dahn ChaordicMind.com Thursday, April 29, 2010


Page 1: Deconstructing risk management

Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical Approach Towards Decision Making)

Michael Dahn, ChaordicMind.com

Thursday, April 29, 2010

Page 2: Deconstructing risk management

Who am I?


Page 3: Deconstructing risk management

Which side are you on?

• « Risk Management is Dead … Long Live Risk Management »

Tastes Great!

Less Filling!

Page 4: Deconstructing risk management

Pete Lindstrom

« We have already solved the problem of Risk Management over 200 times; the problem is that we don’t know which one is right. »

Page 5: Deconstructing risk management

Question Group 1

Question                                                    Answer
What year was George Washington born?                       ?
How many countries are in South America?                    ?
How many calories in an In-n-Out Double-Double burger?      ?
What year was Diet Coke invented?                           ?
How many elements are in the periodic table?                ?

Page 6: Deconstructing risk management

Variance?

• Upper bound
• Lower bound
• Range (Upper – Lower)
• Standard deviation

Page 7: Deconstructing risk management

Question Group 1

Question                                                    Answer
What year was George Washington born?                       1732
How many countries are in South America?                    13
How many calories in an In-n-Out Double-Double burger?      670
What year was Diet Coke invented?                           1982
How many elements are in the periodic table?                102

Page 8: Deconstructing risk management

Question Group 2

Question                                                            Answer
How many languages are available on Flickr.com?                     ?
How many breach incidents were reported by DatalossDB in 01/10?     ?
When did Arnold Palmer first win the PGA Masters Tournament?        ?
How many minutes do Facebook users spend on the site / month?       ?
How many contributors to the Encyclopedia Britannica in 2008?       ?

Page 9: Deconstructing risk management

Variance?

• Upper bound
• Lower bound
• Range (Upper – Lower)
• Standard deviation

Page 10: Deconstructing risk management

Question Group 2

Question                                                            Answer
How many languages are available on Flickr.com?                     8
How many breach incidents were reported by DatalossDB in 01/10?     35
When did Arnold Palmer first win the PGA Masters Tournament?        1958
How many minutes do Facebook users spend on the site / month?       500 billion
How many contributors to the Encyclopedia Britannica in 2008?       4,411
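The point of Groups 1 and 2 is not the trivia but the "Variance?" slide between them: each person in the room gives an interval, and the interesting numbers are how often the true answer lands inside it and how widely the room's intervals spread. The following added example (not from the talk) scores that exercise. The three respondents and their 90% intervals are constructed for illustration; the reference answers are the values shown on the slides.

```python
"""Scoring the estimation exercise: interval calibration and room spread.

Added example, not from the talk. The respondent intervals are
constructed for illustration; the reference answers are the values
shown on the slides for Question Groups 1 and 2.
"""
from statistics import mean, pstdev

# Reference answers as stated on the slides.
ANSWERS = {
    "washington_born": 1732,
    "south_america_countries": 13,
    "double_double_calories": 670,
    "diet_coke_invented": 1982,
    "periodic_table_elements": 102,        # figure as given on the slide
    "flickr_languages": 8,
    "datalossdb_jan_2010": 35,
    "palmer_first_masters": 1958,
    "facebook_minutes_per_month": 500e9,   # "500b" on the slide
    "britannica_contributors_2008": 4411,
}

# Constructed 90% confidence intervals (lower, upper) from three respondents.
RESPONSES = {
    "overconfident": {
        "washington_born": (1740, 1750),
        "south_america_countries": (11, 12),
        "double_double_calories": (800, 900),
        "diet_coke_invented": (1983, 1986),
        "periodic_table_elements": (110, 120),
        "flickr_languages": (20, 30),
        "datalossdb_jan_2010": (30, 40),
        "palmer_first_masters": (1962, 1965),
        "facebook_minutes_per_month": (1e9, 5e9),
        "britannica_contributors_2008": (500, 1000),
    },
    "calibrated": {
        "washington_born": (1700, 1760),
        "south_america_countries": (10, 15),
        "double_double_calories": (500, 900),
        "diet_coke_invented": (1975, 1990),
        "periodic_table_elements": (100, 120),
        "flickr_languages": (5, 15),
        "datalossdb_jan_2010": (10, 60),
        "palmer_first_masters": (1955, 1965),
        "facebook_minutes_per_month": (1e10, 1e11),
        "britannica_contributors_2008": (1000, 10000),
    },
    "underconfident": {
        "washington_born": (1600, 1900),
        "south_america_countries": (1, 50),
        "double_double_calories": (100, 3000),
        "diet_coke_invented": (1900, 2010),
        "periodic_table_elements": (50, 300),
        "flickr_languages": (1, 100),
        "datalossdb_jan_2010": (0, 500),
        "palmer_first_masters": (1900, 2000),
        "facebook_minutes_per_month": (1e8, 1e13),
        "britannica_contributors_2008": (10, 100000),
    },
}


def in_interval(value, interval):
    lo, hi = interval
    return lo <= value <= hi


def relative_width(interval, value):
    """Range (upper - lower) normalised by the true answer, so questions on
    very different scales (13 countries vs 500 billion minutes) compare."""
    lo, hi = interval
    return (hi - lo) / abs(value)


def score_respondent(intervals, answers=ANSWERS, target=0.90):
    """Calibration of one respondent's 90% intervals against the answers.
    A calibrated estimator captures the truth in about 9 of 10 questions;
    a hit rate well below that means the intervals are too narrow."""
    hits = sum(in_interval(answers[q], intervals[q]) for q in answers)
    n = len(answers)
    hit_rate = hits / n
    mean_width = mean(relative_width(intervals[q], answers[q]) for q in answers)
    if hit_rate < target - 0.15:
        verdict = "overconfident"
    elif hit_rate == 1.0 and mean_width > 1.0:
        verdict = "underconfident"
    else:
        verdict = "calibrated"
    return {"hits": hits, "n": n, "hit_rate": hit_rate,
            "mean_relative_width": mean_width, "verdict": verdict}


def question_spread(question, responses=RESPONSES):
    """The 'Variance?' slide for one question across the room: lowest lower
    bound, highest upper bound, their range, and the standard deviation of
    the respondents' interval midpoints."""
    lows = [responses[r][question][0] for r in responses]
    highs = [responses[r][question][1] for r in responses]
    mids = [(lo + hi) / 2 for lo, hi in zip(lows, highs)]
    return {"lower": min(lows), "upper": max(highs),
            "range": max(highs) - min(lows), "stdev": pstdev(mids)}


def verdicts(responses=RESPONSES):
    return {name: score_respondent(iv)["verdict"] for name, iv in responses.items()}


if __name__ == "__main__":
    for name, iv in RESPONSES.items():
        print(name, score_respondent(iv))
    print("datalossdb_jan_2010", question_spread("datalossdb_jan_2010"))
```

Ten questions is a coarse instrument: a genuinely calibrated estimator gets 10/10 about a third of the time, so the verdict rule leans on interval width as well as hit rate. The same scoring applies to security estimates (breach frequency, loss magnitude) once you know the outcome, which is the only way to find out whether your "experts" are calibrated or merely confident.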

Page 11: Deconstructing risk management

Question Group 3

Question                                                                Answer
What percentage of all malicious code will be executed in 2012?         ?
How many bugs are there in Windows Vista?                               ?
What is the chance a Wikipedia article will contain an error?           ?
How long will it take for an average computer to be p0wned in 2015?     ?
What is the air speed velocity…                                         ?

Page 12: Deconstructing risk management

Unknown-Unknowns

• Known Knowns (KK) – People in this room now
• Unknown Knowns (UK) – Population of the earth
• Known Unknowns (KU) – The day I will die
• Unknown Unknowns (UU) – Which risk management is right for you…

Page 13: Deconstructing risk management

To Know: “kennen” vs “wissen”

« wissen » :: to know a fact – KK, UK, KU, UU

« kennen » :: to know (be familiar with) a concept – KK, UK, KU, UU

Page 14: Deconstructing risk management

Concepts vs Domains

« Concept » – an abstract or generic idea generalized from particular instances

« Domain » – a sphere of knowledge, influence, or activity

Domains contain Concepts

Page 15: Deconstructing risk management

Adam Shostack

« What the industry needs is more data in order to form proper conclusions »

Page 16: Deconstructing risk management

I got your “more data”!


Page 17: Deconstructing risk management

Donn Parker

Due to the unknown-unknown number of data breaches, any data set we collect may be too small to analyze statistically.

« Risk-based security is impossible »
« Diligence-based security is what we need »

Frequent-ism

Page 18: Deconstructing risk management

Parker-nomics

• Risk-based approaches are nothing more than data alchemy
• There is simply not enough public data to reach any statistically significant conclusion once you assume that the entire population of data breaches or security failures (realistically unknown) is vastly larger than the reported sample

Page 19: Deconstructing risk management

Rogue Device Detection (Sampling?)

Example

Page 20: Deconstructing risk management

Diligence-based Model

• Diligence to avoid negligence
• Compliance to meet or exceed requirements of regulations, laws, and standards to avoid penalties
• Enablement to meet business and budget needs

« generally agreed upon best practices »

https://www.issa.org/Library/Journals/2008/January/Parker-A%20Diligence-Based%20Idealized%20Security%20Review.pdf

Page 21: Deconstructing risk management

Alex Hutton

Probability is a probable term…

« Governance without metrics and models is superstition »

« Governance with metrics and models describes capability to manage risk »

Bayesian-ism

Page 22: Deconstructing risk management

Hutton-nomics

• Risk management: time to blow it up and start over?
• Evidence-based risk management – a deconstructed, notional view of risk
• Metrics-based management, governance, and risk – fails if the data is lacking
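Parker's objection (slides 17 to 19) and Hutton's evidence-based answer (slides 21 and 22) are both claims about what a small sample of security failures can support. The following added example, not from the talk, puts numbers on the disagreement: a frequentist confidence interval and a Bayesian posterior for a breach rate estimated from a constructed survey of 40 organisations, then the same rate seen in a sample ten times larger, plus the rogue-device sampling question of slide 19 as a zero-findings upper bound. The survey counts, the device sample sizes and all function names are assumptions made for illustration.

```python
"""Small-sample breach rates: a frequentist interval, a Bayesian posterior,
and what a clean sample of devices does (and does not) tell you.

Added example, not from the talk. The survey counts, the device sample
sizes and the function names are constructed for illustration.
"""
from itertools import accumulate
from math import exp, lgamma, log, sqrt


def wilson_interval(k, n, z=1.96):
    """Frequentist 95% confidence interval (Wilson score) for a proportion
    after observing k events (e.g. organisations reporting a breach) in a
    sample of n. It describes the reporting process that produced the
    sample; it says nothing about breaches that were never reported."""
    p = k / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return centre - half, centre + half


def beta_posterior(k, n, prior=(1.0, 1.0)):
    """Bayesian update: a Beta(a, b) prior on the rate becomes
    Beta(a + k, b + n - k) after observing k events in n trials.
    The default prior is uniform; a domain expert's prior goes here."""
    a0, b0 = prior
    return a0 + k, b0 + (n - k)


def beta_credible_interval(a, b, mass=0.95, grid=20000):
    """Equal-tailed credible interval of Beta(a, b), computed from the CDF
    by a midpoint-rule sum on a fixed grid (no SciPy needed)."""
    log_norm = lgamma(a + b) - lgamma(a) - lgamma(b)
    xs = [(i + 0.5) / grid for i in range(grid)]
    pdf = [exp(log_norm + (a - 1) * log(x) + (b - 1) * log(1 - x)) for x in xs]
    cdf = list(accumulate(v / grid for v in pdf))
    total = cdf[-1]                      # numerically close to 1
    lo_target = (1 - mass) / 2 * total
    hi_target = (1 + mass) / 2 * total
    lo = next(x for x, c in zip(xs, cdf) if c >= lo_target)
    hi = next(x for x, c in zip(xs, cdf) if c >= hi_target)
    return lo, hi


def zero_finding_upper_bound(n, confidence=0.95):
    """Rogue-device sampling: if a random sample of n devices contains no
    rogue device, the largest rogue rate still consistent with that at the
    given confidence solves (1 - p)^n = 1 - confidence, i.e. about 3/n at
    95% (the 'rule of three'). A clean sample bounds the rate; it does not
    prove there are no rogue devices."""
    return 1 - (1 - confidence) ** (1 / n)


def compare(k, n, prior=(1.0, 1.0)):
    """Both views of the same sample side by side."""
    a, b = beta_posterior(k, n, prior)
    return {
        "point_estimate": k / n,
        "wilson_95": wilson_interval(k, n),
        "posterior": (a, b),
        "posterior_mean": a / (a + b),
        "credible_95": beta_credible_interval(a, b),
    }


if __name__ == "__main__":
    # Constructed survey: 6 of 40 organisations report a breach this year,
    # then the same rate seen in a sample ten times larger.
    for k, n in ((6, 40), (60, 400)):
        print(f"{k}/{n}:", compare(k, n))
    # Constructed device sample: 300 devices checked, none rogue.
    print("upper bound on rogue rate after 300 clean devices:",
          round(zero_finding_upper_bound(300), 4))
```

With 6 of 40 both methods put the rate somewhere between roughly 7% and 29%, which is Parker's point: an interval that wide supports a diligence argument, not a budget decision. With 60 of 400 the interval shrinks to a few percentage points either side of 15%, which is Hutton's: the model is only as good as the data, and the fix is more data per domain, not abandoning the model. Neither interval says anything about the unreported population, and the Bayesian prior is where domain expertise enters explicitly rather than by assertion.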

Page 23: Deconstructing risk management

Managing Risk

« Managing risk means aligning the capabilities of the organization and the exposure of the organization with the tolerance of the data owners »

- Jack Jones

Page 24: Deconstructing risk management

Managing Risk

« Risk management may be hard (or even impossible)… but we all manage risk »

- Me

Page 25: Deconstructing risk management

Spheres of Expertise

You don’t know everything: « We > You »

Practitioners don’t know everything: « Experts > Practitioners »

Next up… « Reputational weighted value »

Success = more detailed info, per domain


Page 28: Deconstructing risk management

Domains of Knowledge Expertise


Page 29: Deconstructing risk management

Sounds simple? Nope

« Education, education, education »

« Flexibility of Domains »

« More data (per domain) for risk modeling »

Page 30: Deconstructing risk management

Conclusion

« Seek first to understand and then to be understood »

« Holistic information security »

« Interconnectedness of domains drives the value of (risk) data »