
FireStarter: The Grand Unified Theory of Risk Management

The FireStarter is something new we are starting here on the blog. The idea is to toss something controversial out into the echo chamber first thing Monday morning, and let people bang on some of our more abstract or non-intuitive research ideas.

For our inaugural entry, I'm going to take on one of my favorite topics -- risk management.

There seem to be few topics that engender as much endless -- almost religious -- debate as risk management in general, and risk management frameworks in particular. We all have our favorite pets, and clearly mine is better than yours. Rather than debating the merits of one framework over the other, I propose a way to evaluate the value of risk frameworks and risk management programs:

  1. Any risk management framework is only as valuable as the degree to which losses experienced by the organization were accurately predicted by the risk assessments.
  2. A risk management program is only as valuable as the degree to which its loss events can be compared to risk assessments.

Pretty simple -- all organizations experience losses, no matter how good their security and risk management. Your risk framework should accurately model those losses you do experience; if it doesn't, you're just making sh&% up. Note this doesn't have to be quantitative (which some of you will argue anyway). Qualitative assessments can still be compared, but you have to test.

As for your program, if you can't compare the results to the predictions, you have no way of knowing if your program works.
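As an added illustration of the two criteria above (example code written for this edit, not part of the original post), the following Python backtests a set of risk assessments against a loss register. Every scenario name, assessed range and loss event is constructed; the check is the one the post proposes: did the losses actually experienced land inside the range the assessment gave for that scenario, and were there losses in areas the assessment never covered at all?

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Assessment:
    """Assessed annual loss range for one risk scenario (constructed)."""
    scenario: str
    low: float   # low end of assessed annual loss, dollars
    high: float  # high end of assessed annual loss, dollars


@dataclass(frozen=True)
class LossEvent:
    """One entry from the loss register (constructed)."""
    scenario: str
    amount: float


# Constructed assessments. A low end of 0 is how a rare-event scenario
# says "a quiet year is consistent with the assessment".
ASSESSMENTS = [
    Assessment("phishing-account-takeover", 20_000, 80_000),
    Assessment("lost-laptop", 5_000, 25_000),
    Assessment("insider-data-theft", 0, 500_000),
    Assessment("web-app-breach", 50_000, 200_000),
]

# Constructed loss register for the same year.
EVENTS = [
    LossEvent("phishing-account-takeover", 12_000),
    LossEvent("phishing-account-takeover", 30_000),
    LossEvent("phishing-account-takeover", 9_000),
    LossEvent("lost-laptop", 4_000),
    LossEvent("lost-laptop", 3_500),
    LossEvent("web-app-breach", 410_000),
    LossEvent("ransomware", 140_000),  # no assessment exists for this one
]


def realized_by_scenario(events):
    """Sum the register into realized annual loss per scenario."""
    totals = defaultdict(float)
    for event in events:
        totals[event.scenario] += event.amount
    return dict(totals)


def backtest(assessments, events):
    """Compare realized losses with assessed ranges.

    Returns (per_scenario, hit_rate, unassessed):
      per_scenario: scenario -> (realized loss, verdict)
      hit_rate:     fraction of assessed scenarios whose realized loss fell
                    inside the assessed range (criterion 1, in aggregate)
      unassessed:   scenarios that produced losses but were never assessed
                    (criterion 2: you cannot compare what you never modeled)
    """
    realized = realized_by_scenario(events)
    per_scenario = {}
    for a in assessments:
        actual = realized.get(a.scenario, 0.0)
        if actual < a.low:
            verdict = "over-estimated"
        elif actual > a.high:
            verdict = "under-estimated"
        else:
            verdict = "in range"
        per_scenario[a.scenario] = (actual, verdict)
    assessed_names = {a.scenario for a in assessments}
    unassessed = sorted(name for name in realized if name not in assessed_names)
    hits = sum(1 for _, verdict in per_scenario.values() if verdict == "in range")
    hit_rate = hits / len(assessments) if assessments else 0.0
    return per_scenario, hit_rate, unassessed


if __name__ == "__main__":
    per_scenario, hit_rate, unassessed = backtest(ASSESSMENTS, EVENTS)
    for name, (actual, verdict) in per_scenario.items():
        print(f"{name:28s} realized ${actual:>10,.0f}  {verdict}")
    print(f"hit rate: {hit_rate:.0%}")
    print("losses with no assessment:", unassessed)
```

Run as a script it prints a verdict per scenario, a 75% hit rate on the constructed data (the web application breach blew through the top of its range), and flags ransomware as a loss with no assessment behind it. One year is a small sample for rare scenarios, which is why the insider range bottoms out at zero; run the same check over several years before concluding the framework is broken rather than the year unusual.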

Here's the ruler -- time to whip 'em out...

—Rich


Comments:


By Oliver  on  01/11  at  09:28 AM

I would say that your statement (1) is not true due to the fact that accurate prediction is never possible in any kind of risk framework. Even the large distributions for car insurance will give you only an average estimate on the losses (claims) over a given period of time.
Your statement (2) is really interesting: It contains the statement that only a risk framework, which has been completely integrated and executed in an organisation is valuable. I would agree to this partially, if you leave the option that a loss in an area without a risk assessment might have been skipped due to resource restrictions or risk exposure considerations. This area should certainly be assessed next.

By Rich  on  01/11  at  10:06 AM

Oliver,

I think 1 is still very relevant- if you use a risk management framework, and it is unable to consistently predict losses with any degree of accuracy, why use it? I’m not saying it needs to hit it on the nose, but it should be within the ballpark. This should be an aggregate- I’m not assuming every single loss event will match up with the estimate, but if it’s below 80% or more, I think we’re wasting our time with the framework.

For 2 the point is that your program has to have a way of being able to capture incidents, then compare them to predictions. If you aren’t doing that, your framework exists in a vacuum and is, again, probably worthless.

By LonerVamp  on  01/11  at  10:17 AM

Please take my comments lightly as we don’t formally practice risk management in my company, and I’m kinda firing off the cuff.

Does this model of risk management act just like car safety? For instance, you do nothing but try to predict occurrence of losses and track when they happen. And only when you realize losses do you measure the effect against the costs of managing it, and only then decide whether to continue to accept the losses or do something about it?

It would seem to me that once you predict losses, do something to affect that occurrence (normal security measures), then you’re only going to realize you predicted correctly if you can demonstrate and capture *deflected* attacks. I’m not sure you can really do that without quite a bit of effort and guesswork.

Am I trying to include too much into this?

Of course, maybe that’s the whole point and art of risk management. :)


One thing that I think hurts risk management is the relatively small number of meaningful incidents that occur. Even over 10 years, it is hard to predict or make inferences based on a couple of Albert Gonzalezes running around. And it doesn’t help that I still believe a huge majority of security incidents are not reported anywhere…even internally.

By Alex  on  01/11  at  10:26 AM

Fine, I’ll bite.

False. 

Statements of probabilities are belief statements. The value of assessments that are on target is not as self-evident as you state (without knowing how lucky you are - which you don’t).

Conversely, the value of off-target assessments can be informative.  If you’ve done an adequate job arriving at a logical posterior statement (model selection, parameter estimation) and you can prove it false, then your model is broken.  Understanding this can be more important than even a valid model result (for obvious reasons).

By Alex  on  01/11  at  10:28 AM

@Oliver- *accurate* belief statements about a state of risk are certainly possible.  *Precise* ones?  Depends (but in infosec, no, not usually).

By smithwill  on  01/11  at  10:34 AM

The day the risk management gods don robe, turban and consult their crystal ball is the day predictability becomes reality.

Lest we all become actuarial in our thinking and process, risk is just statistical probability based on known factors. In the IT security world there are more holes than an underwear bomber’s manties, so measuring risk and damage, even in the most “secure” environments today, is more magical than mathematical.

Measuring loss I will leave to the bean counters, who are quite adept at manipulating figures to commercial advantage. As for REAL risk management, I say that this is purely a matter of managing people. More often than not we build infrastructure and process statically and pray that they’ll bear the load of operations. In fact, most efforts focus on balancing operational fluxes from internal and external use. People are the real risk. People are unpredictable. People make boo boos which in and of themselves can have rather dramatic consequences. Are these predictable? Hell no. Thus, try as we might, the idea of measuring risk will continue to be argued ad nauseam with no conclusion. Losses will continue and people will continue to be employed trying to assuage management guilt. But therein is the gold that by perpetuating the discussion we all have something to debate.

By Rich  on  01/11  at  10:52 AM

Loner,

In every risk framework there are risks you don’t mitigate. These are the ones I think we can measure, although we should be able to also capture at least some of the deflected/blocked incidents.

By Rich  on  01/11  at  10:56 AM

Alex,

We can compare not only probabilities, but also experienced losses. Any risk incidents you experience should be able to be compared to your assessment, and if it isn’t in the ballpark you have a problem. I set this up to only use the positive, experienced risks, since I agree completely we can’t measure the negative.

Or am I missing your point?

And yes- off-target is also a great tool.

By Alex  on  01/11  at  11:50 AM

@Rich - “experienced losses. Any risk incidents you experience should be able to be compared to your assessment, and if it isn’t in the ballpark you have a problem.”

Unless you subscribe (which I do) to the notion that reputation and trust are part of the impact equation.  Then you’ve got *probable* losses.  These are imprecise measurements of relatively unknowable conditions where you have to use shadow measurements as evidence, like judging how good a fielder is in baseball.  In baseball, the concept of defense exists.  A good description of how good any particular player is at fielding consists of several difficultly measured shadow indicators (glove, arm, jump, range…).  The result becomes a posterior calculation (http://www.fangraphs.com/blogs/index.php/glossary/ has a list of a few) that isn’t authoritative like a measurement in classical physics, but it (and maybe among several models) can be a “tell”.

All that to say, you’re not going to be able to engineer a loss magnitude, for exact, precise comparison either.  But like frequency, you can get a useful range if you remain pragmatic. 

Also, I planned on blogging about the two today, but it’s worth noting that we’re assuming a risk model that deals in financial impact (freq x dollars), “threat risk models” (likelihood of hack type x C/I/A) are also valid but involve a different set of discussions.

By Russell Thomas  on  01/11  at  12:28 PM

It’s good to have a way to evaluate frameworks.

Here’s my simple rule: Any framework is valuable to the extent that it helps you make better decisions than you could without it, and also to the extent that it helps you communicate and implement those decisions successfully.

Regarding risk management frameworks, we should acknowledge that there are at least two types:

1) Those that enumerate “risks” (plural) and rate, rank, or evaluate those risks along some scales of severity and likelihood.

2) Those that attempt to estimate “risk” (singular) as a probabilistic estimate of total losses (or total costs, which includes both security costs and security losses).

Each of these types has pros and cons, and has somewhat different uses, and should probably be judged somewhat differently.

Type 1 is the most commonly implemented in practice. 

For either type, it’s questionable as to whether any risk management framework attempts to “predict” anything, where “predict” is equivalent to a forecast, which picks out one set of outcomes as mostly likely and discards the rest.

Instead, I think what *good* risk management methods do is to help you make investments and commitments according to a “betting man’s criteria”, in the face of radical uncertainty.  You place your bets NOW based on what you know NOW by comparing alternative bets (investments, designs, policies) and choosing the set that you (the betting man) believes will incur the lowest losses in the future in the probabilistic loss scenarios.

It’s not a prediction, because the most likely scenario may not come to fruition.  We might not even have a good basis to select a single scenario as “most likely”.

For example, let’s say your company is in the “critical infrastructure” and your risk analysis includes various “cyber war” scenarios, but you can’t decide how to evaluate their likelihood.  You can still choose a portfolio of actions that help cover some of the cyber war scenarios, as a kind of “hedging strategy”. 

There are ways to formalize this and make it quantitative, but it’s not always necessary if the framework is set up right.

Going back to Rich’s proposed evaluation criteria, I’d modify it this way:

1) Any risk management framework is only as valuable as the degree to which actual losses experienced by the organization do not result in *radical revisions to risk assessments* (likelihood and severity).

Comment: Following Alex’s comments, risk assessments establish *beliefs* about risk.  Actual events provide *evidence* that give you the opportunity to revise those beliefs.  If you did the risk assessment well in the first place, then new evidence shouldn’t result in *radical* revisions in beliefs.

2) A risk management program is only as valuable as the degree to which its loss events can be compared to risk assessments.

Comment: This is OK as written, but it’s a pretty low bar.

By Rich  on  01/11  at  01:38 PM

Alex,

I think we’re close to agreement- we need some way to evaluate if the framework gets us in the ballpark. I think this criterion works for qualitative or quantitative approaches- in large part because I believe if you take a qualitative approach, you still need to define key indicators for your low-high (e.g.- for reputation, you could tie it to something like “sustained negative press in major media”).

I think the threat risk models also need to hold to this standard, with modification. Again- with *any* framework we are modeling risk, and those models should resemble what we experience with some degree of accuracy.

By Rich  on  01/11  at  01:43 PM

Russell,

If I replaced “predict” with “model” would that help?

I like your modification to 1, but I think “radical revisions” might be too high a bar. I need to think about it some more.

For 2, I actually think it’s a high bar. I’ve seen very few programs where experienced risk events are then fed back and compared with the model as part of a formal process. There is the risk modeling, but no process in the program to reevaluate the modeling process with actual risk events.

At least in the IT security world. At best, it’s an annual exercise. Thus it might seem a low bar, but how many orgs do you know that actively feed back into the process?

(That’s a serious question- you might know more examples than I do).

By Russell Thomas  on  01/11  at  01:59 PM

@Rich

Yeah, “model” is better than “predict”.  But “model” needs to be understood on two levels.

The first is our model of the phenomena.  That gives us the “answers”, namely which set of actions are best suited to the future scenarios.

The second level is our model of our knowledge and our uncertainty.  We may have fuzzy information, incomplete information, partially-reliable information, context-sensitive information, contradictory or paradoxical information, etc.  No matter how much data or information we collect, we will have a messy pile.  We need to model the quality of that information to know how much confidence to place on any outputs of the Level 1 model, and to know where to invest to improve it.

Regarding whether #2 is a high bar or low bar, I agree that many (most?) organizations don’t do it. Shameful! But doing it isn’t hard and won’t, by itself, assure you that your risk management framework is worthwhile. It will only help you decide, based on real-world evidence, how bad it is and where you need to improve it.

So I call it a low bar because anyone can do it, and it will help everyone, but it’s not a very high standard to hold up.

Russ

By Russell Thomas  on  01/11  at  02:06 PM

@Rich

I used the phrase “radical revisions” on purpose.

Because risk models for InfoSec are organized beliefs about a highly-uncertain future, they will always be wrong or incomplete to some extent.  As events happen, you get “evidence” that leads you to revise your beliefs.  If you *never* revise, then something is very wrong, because you’ve stopped learning, or else something radical has happened to the threat landscape to make it (suddenly) static and not dynamic and strategic.

A “radical revision” is a major structural change to a risk model.  Imagine a risk model that included only external threats, and also excluded combined cyber+physical threats.  BAM!—you get a major insider breach of confidential information.  Now you have to go back and make radical changes to your threat model to incorporate insiders, cyber+physical, and so on.

In contrast, if that same insider breach causes you to revise upward your estimate of likelihood or severity, but otherwise the structure of your models stays pretty much the same, then I’d call that normal, healthy, expected learning.

By Russell Thomas  on  01/11  at  02:18 PM

There’s another phrase that comes to mind to judge InfoSec risk management frameworks:

“MinMax” = minimize maximum regret

It’s a term out of game theory, but stripped of the formal and mathematical trappings, it simply means this:

“Choose the strategy that will lead you to experience the LEAST regret (a downside loss that you *wished* you could have avoided), given the possible and probable set of outcomes, and based on your best current understanding.”

In practice, it could translate to this simple procedure:

1. For each scenario, if it DOES happen, and we experience losses, what will we regret if we haven’t done it?

2. As time goes by, and we experience loss events, what do we regret not doing? 

(Repeat)

Any good risk management framework will help you through this exercise.  Any crappy framework will hinder you or be irrelevant.
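The two-step regret procedure above, worked through in Python as an added example (written for this edit, not Russell Thomas’s own code). The payoff table is constructed: rows are candidate control portfolios we could fund now, columns are loss scenarios that may or may not occur next year, and each cell is total cost (control spend plus residual loss) if we fund that row and that column happens. Regret is our cost minus the best cost anyone could have achieved in that scenario, i.e. what we would wish we had done; minimax regret picks the row whose worst regret is smallest, with no probabilities required, which is the hedging idea from the earlier comment.

```python
# Minimax-regret choice between control portfolios. Added example, not
# Russell Thomas's own code. Every number below is constructed.

SCENARIOS = ["quiet year", "commodity malware", "targeted intrusion", "insider theft"]

# COSTS[strategy][i] = control spend plus residual loss, in dollars, if we
# fund that strategy and SCENARIOS[i] is what actually happens.
COSTS = {
    "do nothing":          [0,       150_000, 900_000, 400_000],
    "edr + backups":       [60_000,  70_000,  700_000, 380_000],
    "edr + dlp + backups": [110_000, 120_000, 650_000, 200_000],
    "full program":        [400_000, 405_000, 350_000, 410_000],
}


def regret_table(costs):
    """Regret of each strategy in each scenario: our cost minus the cost of
    the best strategy for that scenario (what we would wish we had done)."""
    n_scenarios = len(next(iter(costs.values())))
    best = [min(row[j] for row in costs.values()) for j in range(n_scenarios)]
    return {name: [row[j] - best[j] for j in range(n_scenarios)]
            for name, row in costs.items()}


def minimax_regret(costs):
    """Step 1: pick the strategy whose worst-case regret is smallest.
    Returns (chosen strategy, worst-case regret per strategy)."""
    worst = {name: max(regrets) for name, regrets in regret_table(costs).items()}
    chosen = min(worst, key=worst.get)
    return chosen, worst


def realized_regret(costs, chosen, scenario):
    """Step 2: once a scenario has actually occurred, the regret we incurred
    by having chosen `chosen`. Feed this back into the next planning round."""
    j = SCENARIOS.index(scenario)
    return regret_table(costs)[chosen][j]


if __name__ == "__main__":
    chosen, worst = minimax_regret(COSTS)
    for name, regrets in regret_table(COSTS).items():
        print(f"{name:22s} regrets {regrets}  worst {worst[name]:,}")
    print("minimax-regret choice:", chosen)
    print("regret if a targeted intrusion then occurs:",
          f"{realized_regret(COSTS, chosen, 'targeted intrusion'):,}")
```

On the constructed table the middle portfolio wins: "do nothing" carries a 550,000 worst-case regret, the "full program" spends more in a quiet year than most scenarios would have cost, and "edr + dlp + backups" caps regret at 300,000 whatever happens. If a targeted intrusion then occurs, the realized regret is that full 300,000, which is exactly the number to carry into the next round when asking what we regret not having done.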

By Jared  on  01/11  at  02:48 PM

Russell,
Your descriptions are closer to my experience implementing the annual process to prioritize risks (taking into account real incidents and evidence) and driving investments the profit centers support.
Rich,
I think you can raise the bar. I suffer from selection bias but most folks I work with have a quarterly or annual process. They’re informal and not as effective as they should be but the foundation is there. It’s time to raise the bar.

In addition to Russell’s points, I’d add the model needs to be effective in a sustained process (no pan flashes). Attributes:
- easy to input evidence, it doesn’t need to be automated
- facilitate debate between stakeholders (incorporate subjective experience with evidence)
- incorporate the business units view of un/acceptable impact: infosec should frame the questions and risk scenarios, work with the profit centers to assign non/monetary definitions for impact levels. Compare to incidents later.
- clearly show spending priorities mapped to risks
- show how non-security drivers affect risk un/acceptance
- show actual vs. predicted risk reduction given investment. Actual risk reduction should contain subjective-expert opinion (experience plus evidence).

I used to tell my teams: embrace the subjectivity, just back it up with evidence…

Great topic!

By Mike Rothman  on  01/11  at  03:28 PM

To bait the crowd a bit more, how do we factor in cost to populate and maintain the model? Assuming Alex’s contention that applicable risk models will focus on financial impact, how much can/should an organization spend to actually build this model.

Kind of like asking if it makes sense to spend $100,000 to protect a $5,000 application or data set.

Models are relatively cheap to build. Though probably not as cheap as they need to be for widespread adoption. Keeping them populated and updated, not so much. It’s the old total cost of ownership question.

So what says the crowd on this?

By Jay Jacobs  on  01/11  at  05:41 PM

Love the “FireStarter” concept, plus the title alone is enough to reach for a fightin’ stick.

I like how Alex mentioned luck. Say you “predict” a $10 loss and you lose $8, or $7, is that success, failure or an act of randomness? What if it did match $10, is that just being lucky? I don’t think given just the 2 criteria here that we’d be able to answer that question.

But let’s break this down, you’re trying to “propose a way to evaluate the value” of something, in this case the myth of risk management.  The two statements put forth here are basically trying to prove (or disprove) the hypothesis put forth by risk assessments.  Stated like that we’ve got many paths we could follow on the discussion…

From everything I’ve seen the underlying question being put forth is critical and largely out of scope in risk management programs.  How can we determine the value (and therefore the success/failure) of our risk management program?  Any critical part of a (good) decision process (and risk is all about decisions) is getting feedback to improve the decision process.  Perhaps a better question is when is this going to be integrated into the frameworks prior to implementation?  It’d be cool if all risk assessments methodologies did this:

1) Here’s a way to assess risk
2) Here’s a way to evaluate the efficacy of assessed risk
3) Here’s how to tweak Step 1 based on Step 2

Sign me up for that. 

To Mr. Rothman’s last comment, I’m not convinced that the average company can maintain costs and do step 1 correctly let alone implement the needed steps 2 and 3.  I’d argue that the whole package is needed if the TCO is manageable.

By Jared  on  01/11  at  05:52 PM

Tasty bait. The material cost is internal labor to run the program vs. start it. 
How valuable is a proactive vs. reactive team to the business? In large orgs I’ve seen >2 FTE equiv spent on running the program plus periodic meetings with SMEs and managers. In smaller shops <.5 FTE.
If the team doesn’t produce the evidence needed for the model they have larger challenges. Evidence as in metrics, pen work, internal and external incidents.
In my last gig (110 FTE in infosec including ops), we had 1 manager and 1 SME coordinate data collection and reporting quarterly-ish with more effort annually to support portfolio planning, aka excel mud wrestling.

Disclosure: I now make and sell a risk/spend model application. The keys to success are the process and evidence. Our price point is driven by the time saved for teams to run a repeatable service.

By Mike Rothman  on  01/11  at  06:25 PM

@jay and @jared,
See both your points, though I guess the bait was meant to get to one of my more tasty contentions, which is that most risk management efforts aren’t worth the effort. Which is another FireStarter and a much longer discussion probably for another day.

To Jay’s point, I’d say it’s not just the average company that is having trouble tracking the costs and quantifying loss. I’d say a company with that data is an outlier.

To Jared’s point, I’ve found it VERY hard to quantify over time the benefit of proactive vs. reactive. For huge organizations, making an investment in data collection and reporting is reasonable. But that doesn’t mean those numbers are being pumped into a risk model that makes sense or is relevant to the business.

Clearly more art than science, and in any case, the risk model MUST be built and communicated to senior management within the structure of a much larger security program.

The model is not the end, but the means to justify what the program is doing. And there are likely other ways to justify the value of security without a risk model.

By ivan  on  01/11  at  07:27 PM

If you understand risk management in probabilistic terms then measuring predictions against actual results may not suffice to invalidate a model, in the same manner that you wouldn’t invalidate meteorological forecasting models because they failed to predict yesterday’s or all of last month’s. I think this is in line with Alex’s comment above.
Also, you seem to imply that the risk model should be applicable primarily within our own organization rather than horizontally or vertically across many. A risk model that provides a reasonable level of confidence that your posture will be comparatively better than your competitor’s doesn’t need to accurately predict your losses…you don’t need a model that will help you outrun the lion, just one that will help you outrun most of your buddies.

Besides, you are implicitly assuming that any risk model should be one that is predictive on losses which seems intuitive from a defender’s standpoint but not necessarily the only approach, especially if opportunity costs for both attackers and defenders are factored in.

By Jay Jacobs  on  01/11  at  07:32 PM

@mike
Just discovered a great article from Douglas Hubbard, “Analysis Placebos”, and he’s got a quote applicable to your last statement that most risk management efforts aren’t worth the effort.

[In wishing that some decision analysis tools came with a warning] ... “Side effects include a complete waste of time and money and, in some cases, decisions may be worse than what unaided intuition would have yielded.”
(http://viewer.zmags.com/publication/2d674a63#/2d674a63/18)

I think any risk model needs to include, or at the very least consider, how to get and interpret feedback. The topic of being worth the cost, while incredibly relevant, might be a more mature question than most risk models are capable of considering at this point. It’s once we understand how to do risk management in the first place that we can talk about making it cost effective. Trying to do both at the same time might be counter-productive (though unrealistic to not consider cost effectiveness).

By Rich  on  01/11  at  07:46 PM

Russell-

Love MinMax… can you please go blog it before I steal it?

By Rich  on  01/11  at  07:55 PM

ivan,

If we are using a framework where we are unable to, over time, compare our actual events and losses to those predicted, why are we wasting our time? If the weather prediction isn’t (ever) in the ballpark, then it’s completely useless.

As for taking a loss focus- all risk frameworks are about managing loss or the potential for loss, thus my use of that term. We could also (and should) evaluate risk events, and when there are events whether or not our controls were effective.

By ivan  on  01/11  at  08:49 PM

@rich
1. If we are using a predictive system that isn’t ever in the ballpark but is consistently better than everybody else’s predictions then I could argue that we are not entirely wasting our time.
2. All risk frameworks are about managing loss but only if you are considering cost of opportunity and loss of revenues as part of “managing loss”. Financial risk management models are about “managing loss” but relative to 0-risk gains (T-bonds)
