Alex Hutton has a wonderful must-read post on the Verizon security blog on Evidence Based Risk Management.
Alex and I (along with others including Andrew Jaquith at Forrester, as well as Adam Shostack and Jeff Jones at Microsoft) are major proponents of improving security research and metrics to better inform the decisions we make on a day to day basis. Not just generic background data, but the kinds of numbers that can help answer questions like “Which security controls are most effective under XYZ circumstances?”
You might think we already have a lot of that information, but once you dig in the scarcity of good data is shocking. For example we have theoretical models on password cracking – but absolutely no validated real-world data on how password lengths, strengths, and forced rotation correlate with the success of actual attacks. There’s a ton of anecdotal information and reports of password cracking times – especially within the penetration testing community – but I have yet to see a single large data set correlating password practices against actual exploits.
I call this concept outcomes based security, which I now realize is just one aspect/subset of what Alex defines as Evidence Based Risk Management.
We often compare the practice of security with the practice of medicine. Practitioners of both fields attempt to limit negative outcomes within complex systems where external agents are effectively impossible to completely control or predict. When you get down to it, doctors are biological risk managers. Both fields are also challenged by having to make critical decisions with often incomplete information. Finally, while science is technically the basis of both fields, the pace and scope of scientific information is often insufficient to completely inform decisions.
My career in medicine started in 1990 when I first became certified as an EMT, and continued as I moved on to working as a full time paramedic. Because of this background, some of my early IT jobs also involved work in the medical field (including one involving Alex’s boss about 10 years ago). Early on I was introduced to the concepts of Evidence Based Medicine that Alex details in his post.
The basic concept is that we should collect vast amounts of data on patients, treatments, and outcomes – and use that to feed large epidemiological studies to better inform physicians. We could, for example, see under which circumstances medication X resulted in outcome Y on a wide enough scale to account for variables such as patient age, gender, medical history, other illnesses, other medications, etc.
You would probably be shocked at how little the practice of medicine is informed by hard data. For example if you ever meet a doctor who promotes holistic medicine, acupuncture, or chiropractic, they are making decisions based on anecdotes rather than scientific evidence – all those treatments have been discredited, with some minor exceptions for limited application of chiropractic… probably not what you used it for.
Alex proposes an evidence-based approach – similar to the one medicine is in the midst of slowly adopting – for security. Thanks to the Verizon Data Breach Investigations Report, Trustwave’s data breach report, and little pockets of other similar information, we are slowly gaining more fundamental data to inform our security decisions.
But EBRM faces the same near-crippling challenge as Evidence Based Medicine. In health care the biggest obstacle to EBM is the physicians themselves. Many rebel against the use of the electronic medical records systems needed to collect the data – sometimes for legitimate reasons like crappy software, and at other times due to a simple desire to retain direct control over information. The reason we have HIPAA isn’t to protect your health care data from a breach, but because the government had to step in and legislate that doctors must release and share your healthcare information – which they often considered their own intellectual property.
Not only do many physicians oppose sharing information – at least using the required tools – but they oppose any restrictions on their personal practice of medicine. Some of this is a legitimate concern – such as insurance companies restricting treatments to save money – but in other cases they just don’t want anyone telling them what to do – even optional guidance. Medical professionals are just as subject to cognitive bias as the rest of us, and as a low-level medical provider myself I know that algorithms and checklists alone are never sufficient in managing patients – a lot of judgment is involved.
But it is extremely difficult to balance personal experience and practices with evidence, especially when said evidence seems counterintuitive or conflicts with existing beliefs.
We face these exact same challenges in security:
- Organizations and individual practitioners often oppose the collection and dissemination of the raw data (even anonymized) needed to learn from experience and advance best practices.
- Individual practitioners, regulatory and standards bodies, and business constituents need to be willing to adjust or override their personal beliefs in the face of hard evidence, and support evolution in security practices based on hard evidence rather than personal experience.
Right now I consider the lack of data our biggest challenge, which is why we try to participate as much as possible in metrics projects, including our own. It’s also why I have an extremely strong bias towards outcome-based metrics rather than general risk/threat metrics. I’m much more interested in which controls work best under which circumstances, and how to make the implementation of said controls as effective and efficient as possible.
We are at the very beginning of EBRM. Despite all our research on security tools, technologies, vulnerabilities, exploits, and processes, the practice of security cannot progress beyond the equivalent of witch doctors until we collectively unite behind information collection, sharing, and analysis as the primary sources informing our security decisions.
Seriously, wouldn’t you really like to know when 90-day password rotation actually reduces risk vs. merely annoying users and wasting time?
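What an outcome-based answer to that question would look like, as an added example that is not part of the original post: a small Python script that takes per-organisation records of (size tier, 90-day rotation policy, credential breach outcome) and computes the relative risk of a breach with and without rotation, both pooled and stratified by organisation size in the way the epidemiological studies above control for patient age or history. The 40 records, their org ids, tiers and outcomes are constructed to show the method; they do not report real rates.

```python
"""Outcome-based evaluation of a control from (constructed) incident records.

Added example, not code from the original post. The dataset is constructed:
org ids, size tiers, the rotation flag and the breach outcomes are invented
to illustrate the analysis, not to report real-world rates.
"""
from math import exp, log, sqrt

# Count table per size tier, expanded below into one record per organisation:
#   (rotate & breached, rotate & clean, no-rotate & breached, no-rotate & clean)
# Constructed so that large orgs mostly rotate and have a higher base rate,
# which hides the control's effect when the tiers are pooled.
_COUNTS = {
    "large": (8, 8, 3, 1),
    "small": (1, 3, 6, 10),
}


def build_records(counts=_COUNTS):
    """Expand the count table into (org_id, size_tier, rotates_90d, breached)."""
    records, i = [], 0
    for tier, (rb, rc, nb, nc) in counts.items():
        for rotates, breached, n in ((True, True, rb), (True, False, rc),
                                     (False, True, nb), (False, False, nc)):
            for _ in range(n):
                i += 1
                records.append((f"org-{i:02d}", tier, rotates, breached))
    return records


RECORDS = build_records()


def two_by_two(records, tier=None):
    """Return (a, b, c, d): exposed = rotates; a/c breached, b/d not breached."""
    a = b = c = d = 0
    for _, t, rotates, breached in records:
        if tier is not None and t != tier:
            continue
        if rotates:
            if breached:
                a += 1
            else:
                b += 1
        elif breached:
            c += 1
        else:
            d += 1
    return a, b, c, d


def relative_risk(records, tier=None):
    """Breach rate with rotation divided by breach rate without it."""
    a, b, c, d = two_by_two(records, tier)
    return (a / (a + b)) / (c / (c + d))


def rr_confidence_interval(records, tier=None, z=1.96):
    """Approximate 95% CI for the relative risk (log-normal approximation)."""
    a, b, c, d = two_by_two(records, tier)
    rr = (a / (a + b)) / (c / (c + d))
    se = sqrt(1 / a - 1 / (a + b) + 1 / c - 1 / (c + d))
    return exp(log(rr) - z * se), exp(log(rr) + z * se)


def mantel_haenszel_rr(records):
    """Relative risk adjusted for the stratifying variable (size tier)."""
    num = den = 0.0
    for tier in sorted({t for _, t, _, _ in records}):
        a, b, c, d = two_by_two(records, tier)
        n = a + b + c + d
        num += a * (c + d) / n
        den += c * (a + b) / n
    return num / den


if __name__ == "__main__":
    lo, hi = rr_confidence_interval(RECORDS)
    print(f"pooled RR    : {relative_risk(RECORDS):.2f}  (95% CI {lo:.2f}-{hi:.2f})")
    for tier in ("large", "small"):
        print(f"{tier:5} RR     : {relative_risk(RECORDS, tier):.2f}")
    print(f"adjusted RR  : {mantel_haenszel_rr(RECORDS):.2f}")
```

On this constructed data the pooled relative risk is exactly 1.0, which an anecdote-driven reader would take as "rotation does nothing", while within each size tier the rate with rotation is two thirds of the rate without it, and the size-adjusted estimate agrees. The confidence interval on the pooled figure also straddles 1.0 by a wide margin, which is the practical point of the post: with a few dozen organisations no policy conclusion is supportable either way, and only a large shared data set with the right covariates recorded can settle the question.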
8 Replies to “The Cancer within Evidence Based Research Methodologies”
Rich, thanks for the shout-out. Excellent post, too.
I see two primary obstacles preventing effective evidence-based security research from becoming more widespread.
First, the vendors. They continually promise effortless, bulletproof protection; a world where nobody is ever infected and no technical controls ever fail. It astounds me that no anti-malware vendor voluntarily publishes infection rates of their customers. That McAfee and others could spin the clear and obvious failure of their products in stopping the Advanced Persistent Chinese into evidence of “thought leadership” beggars belief. But in fairness, many customers expect perfection. A true evidence-based mindset would encourage honest inquiry into root causes. (Boy, I must be channelling Peter Tippett today.)
Second, we have an overly cautious, litigation-fearing business culture that discourages information sharing. I’ve concluded that the only way most enterprises will share is if they are compelled. This is exactly why the DataLoss DB, for example, is so valuable. What is needed is a “safe harbor” that shields shared information from suit.
Learning from other disciplines is great. Medicine is quite a good one since it involves humans, and all the baggage that brings – the human factor.
On passwords… there are two timely reports with some interesting data:
Where Do [Password] Security Policies Come From?
http://research.microsoft.com/apps/pubs/?id=132623
The password thicket: technical and market failures in human authentication on the web
http://weis2010.econinfosec.org/papers/session3/weis2010_bonneau.pdf
which I am planning to blog about on Friday, but it makes sense to mention them here. Like medicine, many different factors can contribute to the evidence about what is risky and what is not. In Evidence-Based Risk Management I’m concerned organisations might take less heed of the risk to their customers, clients and citizens rather than risks to the business itself.
Robert,
There is a ton of hard data to back medical practices, but many physicians sometimes rely on anecdotal experience in formulating treatment methodologies. Experience is extremely important, but I was trying to highlight how experience and data need to align in practice, and the challenges involved.
Changing what you believe to be true based on new evidence is never easy.
Thus I think we agree there is plenty of hard data for medicine… but I think we can also agree it would be great if we can get more, and one big challenge in EBM is gaining physician participation (never mind all the technology issues, which are also pretty bad, especially considering the sorry state of much EMR software).
Turning to your concerns over western studies, you fall into a few logical fallacies. Science is a matter of incremental consensus- we shouldn’t make any major decisions over any single study, and it takes years of research at different levels for a clear(er) picture to emerge.
As for acupuncture, there have been studies that disprove its effectiveness, and no studies that prove it is effective (you can look these up, and there’s some good coverage at http://www.sciencebasedmedicine.org/). It fails on three primary levels:
1. There is no scientific basis for the mechanism of action. “Meridians” and such are magical beliefs and no one has ever presented a testable hypothesis as to how acupuncture works.
2. There are no credible studies proving the effectiveness of acupuncture. Neither lab-based nor patient (double blind/controlled).
3. There are credible/controlled studies that show that acupuncture offers no more than the placebo effect.
Success is easy to measure- if acupuncture makes a claim for a health benefit, we test that claim.
First, I am a fan of the checklist manifesto also. I liked how he brought some ideas from the architecture and construction world into medicine. A little cross-pollination is good. And science worked very well for Clifford Stoll, using a little astrophysics knowledge, in those bygone days, to figure out where his attacker was located.
So interesting ideas, however, there seems to be a bit of a contradiction in this post. There’s little “hard data” to back medical practices, yet apparently enough to discredit acupuncture?
I’d tend to disagree with the latter, and agree somewhat with the former. Alternative medicine is lacking in “hard data”, but certainly not mainstream, western medicine. Just take a look at the mountains of data and massive studies used to support various drugs.
I happen to have some understanding of the difficulties western science has in measuring the benefits of practices like acupuncture (which includes herbs), yoga, etc. The issue is that it is very difficult to create studies because they can’t be simply plopped into a western-style study. How do we measure success? What data do we capture? How do we pigeonhole something we barely understand so it fits our world view? For starters, westerners do not even have a basic understanding of acupuncture. Witness a web site out there that has an MD (actually a psychiatrist – hmm) in which he takes the pulse of a patient, after an acupuncturist has looked at the patient’s tongue and listened to their pulse. “The patient’s pulse is fine!” Unfortunately, this “MD” has no idea what he is talking about and lacks a basic understanding of the principles of acupuncture. Any study by him might discredit acupuncture, but it would be flawed from the start.
So this issue, disinformation, promulgated by the establishment, the “get off my grass, you kids”, is one problem the security industry might face also, with stakeholders such as large security companies making sure their answer is the “right” one.
Even western studies have their own problems, i.e. now trans fat is bad for us, before butter was bad, now it’s not so bad. Woody Allen conveyed this issue simply in Sleeper, where the doctors are strolling through in the future, munching on donuts: “you see Woody, what we all thought was good for us, we now know is bad for us, and vice versa”. Nor is this limited to medicine of course. Before working as a programmer, I spent some time doing research in the area of civil engineering and geology, and I can assure you that scientist A can come up with a completely different opinion from scientist B, and a wealth of data to prove it. It’s never as simple, especially when lawyers and money are involved.
I also disagree with the point that we don’t have any data already. Surely there is *some* data out there that can be used. Take the password example. In fact, we have better information than mere studies, we have real world data; consider the Morris worm, which used a dictionary attack, among other techniques, with a 30% success rate. So yes, there is data; whether it has been collected and analyzed is another thing. But one good thing: security is a vastly simpler area than medicine to understand and interpret.
To close, I’m not sure if this is a complaint against medicine, or software security. Surely we are all not mere witch doctors? On the other hand, if we could boil this all down to bits and bytes, and shove it into some artificial intelligence or rules engine, we really wouldn’t need any security experts would we? We would just need a copy of “Security Hero”, and we’d all be salespeople.
Somehow, there will always be a balance between the left side/right side of the mind. The latest thing now in software engineering, lean engineering, is looking at the eco-system. Sounds a bit “holistic” doesn’t it? As Roger Waters so well put it, long before the days of Guitar Hero, in the documentary Pompeii, not anyone can simply pick up a synthesizer and play great music.
Andy,
No argument there- medicine is light years ahead of us.
I can’t really quantify it, but I’d say in my experience probably half or more rely more on experience than evidence. Within doctors, there is also an age bias, with younger physicians more comfortable with EMR.
Rich,
I’d love a little more quantification around “Many doctors”. I’m pretty familiar with a number of treatment protocols of late, and used to work for a Pharma and understood the drug discovery process, and I’m fairly convinced in those areas that Doctors aren’t acting like cowboys.
I really liked “The Checklist Manifesto: How to Get Things Right” by Atul Gawande and he discusses a lot of the issues in medical practice that get in the way of science, and gives examples of how to get past them.
I’d argue that medicine is still way further ahead on the evidence curve than we are in security.
Good post, and I agree with you. Though I do wonder, if we did have full and complete information sharing, would we really be able to understand the volume of data or would we be overwhelmed by the number of variables? Has anyone built a model for this?
Awesome post Rich!
One little quibble: I’d like to know *if* a 90 day password rotation requirement ever reduces total organizational password risk.