![Page 1: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/1.jpg)
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical Approach Towards Decision Making)
Michael Dahn, ChaordicMind.com
Thursday, April 29, 2010
![Page 2: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/2.jpg)
Who am I?
![Page 3: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/3.jpg)
Which side are you on?
• « Risk Management is Dead … Long Live Risk Management »
Tastes Great!
Less Filling!
![Page 4: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/4.jpg)
Pete Lindstrom
« We have already solved the problem of Risk Management over 200 times, the problem is that we don’t know which one is right. »
![Page 5: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/5.jpg)
Question Group 1

| Question | Answer |
| --- | --- |
| What year was George Washington born? | ? |
| How many countries are in South America? | ? |
| How many calories in an In-n-Out Double-Double burger? | ? |
| What year was Diet Coke invented? | ? |
| How many elements are in the periodic table? | ? |
![Page 6: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/6.jpg)
Variance?
• Upper bound
• Lower bound
• Range (Upper – Lower)
• Standard deviation
![Page 7: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/7.jpg)
Question Group 1

| Question | Answer |
| --- | --- |
| What year was George Washington born? | 1732 |
| How many countries are in South America? | 13 |
| How many calories in an In-n-Out Double-Double burger? | 670 |
| What year was Diet Coke invented? | 1982 |
| How many elements are in the periodic table? | 102 |
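The Group 1 exercise asks for a range rather than a point answer, and the Variance slide names the quantities a range gives you. As an added example (not from the deck), the script below treats each constructed guess as a 90% interval, derives the slide's four quantities from it, and scores the guesses against the answer key printed on this slide. The guessed intervals and the 90%-interval assumption are mine; the actual values are the deck's.

```python
"""Score interval guesses for the deck's Question Group 1 against its answer key.
Added example, not from the deck. Guesses are constructed; 'actual' values are
the slide's answers. Assumption: every guess is meant as a 90% interval and
is non-degenerate (lower < upper).
"""
from dataclasses import dataclass

Z90 = 1.645  # a normal 90% interval spans the mean +/- 1.645 standard deviations


@dataclass
class Estimate:
    question: str
    lower: float   # "Lower bound" from the Variance slide
    upper: float   # "Upper bound"
    actual: float  # value from the answer-key slide

    @property
    def range(self) -> float:          # "Range (Upper - Lower)"
        return self.upper - self.lower

    @property
    def implied_sd(self) -> float:     # "Standard deviation" implied by a 90% range
        return self.range / (2 * Z90)

    @property
    def hit(self) -> bool:
        return self.lower <= self.actual <= self.upper

    def z(self) -> float:
        """Implied standard deviations between the truth and the range midpoint."""
        return (self.actual - (self.lower + self.upper) / 2) / self.implied_sd


# Constructed guesses; the last column is the slide's answer key.
GROUP1 = [
    Estimate("George Washington birth year", 1700, 1760, 1732),
    Estimate("Countries in South America", 10, 15, 13),
    Estimate("Calories in a Double-Double", 400, 600, 670),
    Estimate("Year Diet Coke invented", 1975, 1995, 1982),
    Estimate("Elements in the periodic table", 100, 120, 102),
]


def calibration_report(estimates, target=0.90) -> dict:
    """Hit rate versus the stated confidence, plus the guess the truth missed by most."""
    hits = sum(e.hit for e in estimates)
    worst = max(estimates, key=lambda e: abs(e.z()))
    return {"hits": hits, "n": len(estimates), "hit_rate": hits / len(estimates),
            "overconfident": hits / len(estimates) < target,  # ranges too narrow
            "worst": worst.question, "worst_z": worst.z()}


print(calibration_report(GROUP1))
```

A hit rate well below the stated 90% is the usual result of this exercise: people draw their ranges too narrow, which is the point the deck is making about variance.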
![Page 8: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/8.jpg)
Question Group 2

| Question | Answer |
| --- | --- |
| How many languages are available on Flickr.com? | ? |
| How many breach incidents were reported by DatalossDB in 01/10? | ? |
| When did Arnold Palmer first win the PGA Masters Tournament? | ? |
| How many minutes do Facebook users spend on the site / month? | ? |
| How many contributors to the Encyclopedia Britannica in 2008? | ? |
![Page 9: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/9.jpg)
Variance?
• Upper bound
• Lower bound
• Range (Upper – Lower)
• Standard deviation
![Page 10: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/10.jpg)
Question Group 2

| Question | Answer |
| --- | --- |
| How many languages are available on Flickr.com? | 8 |
| How many breach incidents were reported by DatalossDB in 01/10? | 35 |
| When did Arnold Palmer first win the PGA Masters Tournament? | 1958 |
| How many minutes do Facebook users spend on the site / month? | 500b |
| How many contributors to the Encyclopedia Britannica in 2008? | 4,411 |
![Page 11: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/11.jpg)
Question Group 3

| Question | Answer |
| --- | --- |
| What percentage of all malicious code will be executed in 2012? | ? |
| How many bugs are there in Windows Vista? | ? |
| What is the chance a Wikipedia article will contain an error? | ? |
| How long will it take for an average computer to be p0wned in 2015? | ? |
| What is the air speed velocity… | ? |
![Page 12: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/12.jpg)
Unknown-Unknowns
• Known Knowns (KK) – People in this room now
• Unknown Knowns (UK) – Population of the earth
• Known Unknowns (KU) – The day I will die
• Unknown Unknowns (UU) – Which risk management is right for you…
![Page 13: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/13.jpg)
To Know: “kennen” vs “wissen”
« kennen » :: to know a fact – KK, UK, KU, UU
« wissen » :: to know a concept – KK, UK, KU, UU
![Page 14: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/14.jpg)
Concepts vs Domains
« Concept » – an abstract or generic idea generalized from particular instances
« Domain » – a sphere of knowledge, influence, or activity
Domains contain Concepts
![Page 15: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/15.jpg)
Adam Shostack
« What the industry needs is more data in order to form proper conclusions »
![Page 16: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/16.jpg)
I got your “more data”!
![Page 17: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/17.jpg)
Donn Parker
Because the true number of data breaches is an unknown-unknown, any data set we collect may be too small to analyze statistically.
« Risk-based security is impossible »
« Diligence-based security is what we need »
Frequent-ism
![Page 18: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/18.jpg)
Parker-nomics
• Risk-based approaches are nothing more than data alchemy
• There is simply not enough public data available to draw any statistically significant conclusion, once you assume that the entire population of data breaches or security failures (realistically unknown) is vastly larger than what has been reported
![Page 19: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/19.jpg)
Rogue Device Detection (Sampling?)
Example
![Page 20: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/20.jpg)
Diligence-based Model
• Diligence to avoid negligence
• Compliance to meet or exceed requirements of regulations, laws, and standards to avoid penalties
• Enablement to meet business and budget needs
« generally agreed upon best practices »
https://www.issa.org/Library/Journals/2008/January/Parker-A%20Diligence-Based%20Idealized%20Security%20Review.pdf
![Page 21: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/21.jpg)
Alex Hutton
Probability is a probable term…
« Governance without metrics and models is superstition »
« Governance with metrics and models describes capability to manage risk »
Bayesian-ism
![Page 22: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/22.jpg)
Hutton-nomics
• Risk management: time to blow it up and start over?
• Evidence-based risk management – Deconstructed, notional view of risk
• Metrics-based management, governance, and risk – Failure if lack of data
![Page 23: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/23.jpg)
Managing Risk
« Managing risk means aligning the capabilities of the organization, and the exposure of the organization with the tolerance of the data owners »
- Jack Jones
![Page 24: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/24.jpg)
Managing Risk
« Risk management may be hard (or even impossible)…… but we all manage risk »
- Me
![Page 25: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/25.jpg)
Spheres of Expertise
You don’t know everything: « We > You »
Practitioners don’t know everything: « Experts > Practitioners »
Next up… « Reputational weighted value »
Success = more detailed info, per domain
![Page 26: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/26.jpg)
![Page 27: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/27.jpg)
![Page 28: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/28.jpg)
Domains of Knowledge Expertise
![Page 29: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/29.jpg)
Sounds simple? Nope
« Education, education, education »
« Flexibility of Domains »
« More data (per domain) for risk modeling »
![Page 30: Deconstructing risk management](https://reader033.vdocuments.site/reader033/viewer/2022052906/55892d02d8b42a22388b459c/html5/thumbnails/30.jpg)
Conclusion
« Seek first to understand and then to be understood »
« Holistic information security »
« Intra-connectedness of domains drives value of (risk) data »