
Security Controls vs. Outcomes

One of the more difficult aspects of medical research is correlating treatments/actions with outcomes. This is a core principle of science-based medicine (if you've never worked in the medical field, you might be shocked at the lack of science at the practitioner level).

When performing medical studies the results aren't always clean cut. There are practical and ethical limits to how certain studies can be performed, and organisms like people are so complex, living in an uncontrolled environment, that results are rarely cut and dried. Three categories of studies are:

  • Pre-clinical/biological: lab research on cells, animals, or other subsystems to test the basic science. For example, exposing a single cell to a drug to assess the response.
  • Experimental/clinical: a broad classification for studies where treatments are tested on patients with control groups, specific monitoring criteria, and attempts to control and monitor for environmental effects. The classic double blind study is an example.
  • Observational studies: observing, without testing specific treatments. For example, observational studies show that autism rates have not increased over time by measuring autism rates of different age groups using a single diagnostic criterion. With rates holding steady at 1% for all living age groups, the conclusion is that while there is a perception of increasing autism, at most it's an increase in diagnosis rates, likely due to greater awareness and testing for autism.

No single class of study is typically definitive, so much of medicine is based on correlating multiple studies to draw conclusions. A drug that works in the lab might not work in a clinical study, or one showing positive results in a clinical study might fail to show desired long-term outcomes.

For example, the press was recently full of stories that the latest research showed little to no improvement in long-term patient outcomes due to routine mammograms for patients without risk factors before the age of 50. When studies focus on the effectiveness of mammograms at detecting early tumors, they show positive results. But these results do not correlate with improvements in long-term patient outcomes.

Touchy stuff, but there are many studies all over medicine and other areas of science where positive research results don't necessarily correlate with positive outcomes.

We face the same situation with security, and the recent debate over password rotation highlights this (see a post here at Securosis, Russell Thomas's more detailed analysis, and Pete Lindstrom's take).

Read through the comments and you will see that we have good tools to measure how easy or hard it is to crack a password based on how it was encrypted/hashed, length, use of dictionary words, and so on, but none of those necessarily predict or correlate with outcomes. None of that research answers the question, "How often does 90 day password rotation prevent an incident, or in what percentage of incidents did lack of password rotation lead to exploitation?" Technically, even those questions don't relate to outcomes, since we aren't assessing the damage associated with the exploitation (due to the lack of password rotation), which is what we'd all really like to know.

When evaluating security, I think wherever possible we should focus on correlating, to the best of our ability, security controls with outcomes. Studies like the Verizon Data Breach Report are starting to improve our ability to draw these conclusions and make more informed risk assessments.
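The cohort comparison the post is asking for, as an added example that is not part of the original article: two constructed cohorts of accounts, one under 90-day rotation and one without, are compared on incidents attributed to credential compromise, using the relative risk with a Katz log-method confidence interval (the same tool an observational medical study would use). The cohort figures, the 0.3% and 0.4% risks, and the cohort names are all constructed for illustration.

```python
import math
from dataclasses import dataclass


@dataclass
class Cohort:
    # Constructed example figures, not from any real study or breach report.
    name: str
    exposed: int    # accounts observed over the study period
    incidents: int  # incidents whose root cause was credential compromise


def relative_risk(with_control: Cohort, without_control: Cohort, z: float = 1.96):
    """Risk of the outcome with the control divided by risk without it,
    with a 95% confidence interval (Katz log method)."""
    a, n1 = with_control.incidents, with_control.exposed
    c, n2 = without_control.incidents, without_control.exposed
    if min(a, c) == 0 or min(n1, n2) == 0:
        raise ValueError("need at least one incident and one account in each cohort")
    rr = (a / n1) / (c / n2)
    se = math.sqrt(1 / a - 1 / n1 + 1 / c - 1 / n2)  # standard error of ln(RR)
    return rr, math.exp(math.log(rr) - z * se), math.exp(math.log(rr) + z * se)


def control_supported(with_control: Cohort, without_control: Cohort) -> bool:
    """True only when the whole interval lies below 1, i.e. the data actually
    associates the control with fewer incidents rather than with noise."""
    _, _, upper = relative_risk(with_control, without_control)
    return upper < 1.0


def accounts_needed(p_with: float, p_without: float, z: float = 1.96) -> int:
    """Accounts per cohort (equal sizes) before the interval can exclude 1,
    given the underlying per-account incident risks you expect to see."""
    log_rr = math.log(p_with / p_without)
    return math.ceil((1 / p_with + 1 / p_without - 2) * z * z / (log_rr * log_rr))


# Constructed cohorts: 0.3% vs 0.4% incident rate looks like a 25% reduction ...
ROTATION = Cohort("90-day rotation", exposed=4000, incidents=12)
NO_ROTATION = Cohort("no rotation", exposed=3500, incidents=14)

if __name__ == "__main__":
    rr, lo, hi = relative_risk(ROTATION, NO_ROTATION)
    print(f"RR = {rr:.2f}  95% CI [{lo:.2f}, {hi:.2f}]")
    print("control supported by this data:", control_supported(ROTATION, NO_ROTATION))
    # ... but separating 0.3% from 0.4% takes tens of thousands of accounts per cohort.
    print("accounts per cohort needed:", accounts_needed(0.003, 0.004))
```

With these constructed figures the interval straddles 1, so the data says nothing either way, and the sample-size calculation shows roughly 27,000 accounts per cohort would be needed to tell a 25% reduction from chance.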

This isn't one of those "you're doing it wrong" posts. I believe that we have generally lacked the right data to take this approach, but that's quickly changing, and we should take full advantage of the opportunity.

—Rich


Comments:


By Russell Thomas  on  12/08  at  02:14 PM

(I’m getting to like you more and more, too!)

The InfoSec community isn’t alone in facing this challenge.  The Intelligence community faces very similar problems, but they have the advantage of having many more people chewing on it, working for a long time, with very advanced techniques.

Here’s one example: “Formal Methods of Countering Deception and Misperception in Intelligence Analysis”.  http://www.au.af.mil/au/awc/awcgate/ccrp/2006iccrts_countering_decep.pdf

They present and critique the “Analysis of Competing Hypothesis” method (similar to the one described in my post), and then augment it with a formal belief logic called “Subjective Logic” to deal with all sorts of uncertainty in the cause-effect relationships between controls and outcomes, and also sources of data, messiness of data, etc.

I may digest this into a tutorial presentation for the spring Mini-Metricon workshop in San Francisco.  Good idea?

By Chris Hayes  on  12/08  at  03:32 PM

Hi Rich. A few thoughts…

Quantitative risk assessments – depending on the methodology – should account for estimating the “loss magnitude” factors of risk – otherwise how can you perform a proper risk assessment to begin with? Second, security practitioners have to be very careful about the vernacular we are using. In the context of risk quantification – we should not see ourselves as risk ($ loss) prediction makers – but practitioners that can make or collect reasonable estimates of loss forms associated with a loss event. Most often, we are not the most qualified to make these estimates. Thus, our ability to reach out to those that know facts or can make reasonable estimates is a key differentiator between security professionals and risk management functions at large. Finally, I am pleased to see GRC apps that are incorporating the ability to link loss events to known controls that were compromised as part of incident management. This allows security professionals to quickly observe when risks (control gaps) they are identifying have been related to previous loss events.

By Russell Thomas  on  12/08  at  03:48 PM

@Chris Can you name specific GRC apps “that are incorporating the ability to link loss events to known controls that were compromised as part of incident management”??  I want to follow up on that.

Also, do you know any GRC apps that do *prospective* risk analysis using this information?

By Rich  on  12/08  at  04:04 PM

Chris,

I agree (and you can read some old posts)- no way does it all come down to $s. But I think it definitely is in our control to at least correlate a security control with an incident/event, and a qualitative assessment of the nature of that event.

You might agree with that point… let me know if not.

By Chris Hayes  on  12/08  at  04:43 PM

@Russell – Archer Technologies includes a loss event repository in their “risk management” solution framework (no, I do not work for Archer, nor do I (nor my employer) use their product). The loss event tracking “feature” does not consortium loss event data, but allows the company using the app to record their loss events and link to controls that were found to be compromised as part of the incident investigation.

@Rich – Thank you for the follow-up. We may be splitting hairs on terminology, but correlation means something different to me from a numerical analysis / modeling / statistical relationship perspective than maybe what you are thinking of. I agree that whenever possible, we should determine root cause when it comes to incident investigation and leverage that information for assessing “new risks” and prioritizing risk mitigation funding / strategies. There are some aspects of information security you might be able to correlate with a reasonable degree of confidence. For example, threat event frequency of script kiddies / malicious spam during the holiday seasons. But you would need some very good data to correlate that when X happens it strongly results in a Y event. This is a developing area of analysis from my perspective; I hope I can go down some of these rabbit holes in my current role (e.g. do opportunistic thefts of electronic data processing equipment rise during a recession, thus resulting in increased data breaches?).

By Rich  on  12/08  at  04:52 PM

Chris-

I think we’re close. I do mean root cause analysis, but also prevention analysis. In what number of incidents do we see X control preventing an event (when we can gather the data), or not preventing an event.

Observational studies- in what percentage of incidents would password rotation have prevented the incident? It’s not completely a predictor, but still useful.

By Marc Farnum Rendino  on  12/09  at  04:42 AM

Spaf had a lot of good things to say on the subject recently <http://www.cerias.purdue.edu/site/blog/post/password-change-myths/> - especially about password change policies and how they, once actually analyzed, generally do not increase security, but do the opposite.
