Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Security satori.

I have found the Metrics Prophet for our times, and his name is Andrew Jaquith.

I stumbled home yesterday from work, sleep-deprived, jittery, and feverish from an oncoming cold.  I tucked myself into bed, hoping to sleep—but I could not sleep until I had read Security Metrics cover to cover.  It was That Good.

Now, either that makes me the biggest saddo anorak west of the Pond, or it means Jaquith is an extraordinary writer about what would otherwise be an extremely dull subject.  I would of course prefer to think it’s the latter, and I’m sure he would too.

First off, his writing is chock full of playfulness and amusing literacy, from the literary nods (“Call me Analyst.”) to the rimshots (”... the top and bottom 50% are divided by—wait for it—the median!”).
Secondly, his metrics are for the most part accessible, meaning that as soon as I see them, I think, “Yeah, I could get those!”  And a whole lot of them are ones I’d already thought of, but there are a few gems in there that were like little Altoids in my mouth, that made me sit up and go, “Whoa.”

For example:
- Tracking the number of change control exemptions, including by business unit—to identify the “cowboys” in the organization.
- Correlation of password strength with training latency
- Cycle time to deprovision users, by system type
- “Toxicity rate” (I love this concept) of customer data and ratio to all other data

His section on analysis techniques is also well-written, but I think he misses another reason to avoid some instances of taking the average or median of data instead of focusing on the outliers.  The reason to avoid averages is this:  humans don’t think that way.  And by “think,” I mean using that funny combination of flawed psychology and intuition to make risk decisions.  When an executive is making a decision on security, she doesn’t give an auditor’s ass what the average number of incidents is across the country, or the industry.  She only cares about numbers that can indicate what she might expect for her organization.  Give someone an average and he will immediately try to apply it to his own situation, either by going into denial (“I’m sure we’re below the average”) or overestimating the risk (“That means it’s sure to happen to us.”). 

So I think it’s important to know when to avoid averages and medians in analysis when there is a good reason to believe that your decision-maker will try to apply those numbers to calculate probability for risk assessment.  And if your purpose in showing a median is to lead in to discussing the outliers, for heaven’s sake, just go straight to the outliers; don’t make him do the math in his head while he’s looking at a number on a page. 

In his chapter on visualization techniques, Jaquith really does me a huge favor by giving loads of hints on how to bend Excel to my will.  When I’m doing my annual security risk management report, by far the largest time-sink is just plain trying to get the numbers and charts to say the right things.  His “rules” on making things easier on the eyes are great—although I would tweak him about not following his own rule about previewing the charts in black and white first; his Figure 6-14 is well-nigh unreadable on the printed page.

One thing I do know for sure after having read this chapter:
 
I’ll never get a Treemap Chart; I never hope to see one. 
And I can tell you this right now:  I’d rather die than make one.

Another side note:  I’m sorry, but Figure 7-2, the “Logical Model of IT Security Controls (Level 2),” makes me think immediately of the Hamster Maze of Pain.
However, Figure 7-4, “Metrics Sources in the Data Center,” should be printed out as a wallet card and laminated.  Boy howdy, is that one useful.

The final chapter on designing security scorecards is good, but I will probably never make it as far as a Balanced Security Scorecard.  I will probably spend the next several years just trying to automate the collection of my key metrics. 

And that final chapter just stopped short and dumped me off the end of the book, without so much as a fare-thee-well Final Overall Summary.  It just stopped, and without another word, put on its clothes and went home, and I was left staring at the Index.  But I’ll get over the disappointment.

One other thing, though:  I was terribly gratified and relieved to read that I’m not the only one who doesn’t think “asset value” can be practically calculated.  All the risk-assessments-in-a-box I have seen have started off with an inventory and asset value, and hell, how am I supposed to compute the asset value of a firewall?  In terms of its hardware cost?  In terms of business loss if it’s a single point of failure?  In terms of the criticality of data it passes or blocks?

In short, I still have some burning questions, but they’re the good kind:  they’re the kind you’re left with after a stimulating barstool conversation with a very smart partner.  My overall enlightenment level has been raised, and that is a very fine thing indeed. 

 

Posted by shrdlu on Saturday, April 14, 2007
(4) CommentsPermalink blogmarks Favicon del.icio.us Favicon Digg Favicon Fark Favicon Furl Favicon Google Bookmarks Favicon StumbleUpon Favicon Technorati Favicon TailRank Favicon

Next entry: Exponential ... something.

Previous entry: The Problem with Pundits, part III.

Comments

Sandro Gauci Malta on 04/15  at  06:13 AM:

why do you make me spend more on books ? :( ah the one click shopping feature on amazon is really evil. None the less .. thanks for the review wink

.(JavaScript must be enabled to view this email address) United States on 04/16  at  12:24 PM:

Generally speaking, your firewall’s value is a function of the assets that it protects, not an asset in and of itself - that is, as a control mechanism. You can compute its value if you like but it misses the point of asset valuation, which revolves around your information and systems, not your controls.

I agree that Andy is a great writer and a great speaker. He does miss the point on this one, and you do, too. Consensus doesn’t matter - the only thing that matters when determining asset value is the perception and opinions of those decisionmakers at your organization - you, your boss, the management team, etc. This is true of all financial management (as contrasted with Accounting where generally accepted practices are crucial). There is no universal truth and there doesn’t need to be.

Like it or not, you are “computing” asset value every time you make an “is it worth it?” decision. If that level of precision is all you need, then you don’t need to go further, but don’t make the mistake of thinking you aren’t doing it. And remember that the “flawed psychology” state you reference above is even larger in cases where there is no clarity. (Wikipedia has a nice list of known, scientifically classified human biases if you are interested).

Nice blog. Loved the pen-tester post.

Pete

LonerVamp United States on 04/16  at  03:55 PM:

Whoa, someone made metrics a readable subject? Sounds intriguing! And knowing your writing style and little fun moments (a few of which are scattered in this post alone!), you liking his style probably means I’ll also enjoy it should I pick this book up.

I like the idea of that ‘cowboys’ metric. I think many people who have, or I guess even don’t have, real change management policies know which business units or even people tend to be the ones bucking any sort of standardization in process or changes. We know them, but rarely quantify that knowledge into something more meaningful for decision-makers. “You’ve accounted for 70% of our change control exemptions. Is this because it is your style, you don’t know our policies very well, something in your own unit that is not working properly that we can help out with to get you more compliant…?”

shrdlu United States on 04/16  at  04:48 PM:

Pete, thanks for the comments and the compliments.  I agree with you that one is computing asset value every time one makes an “is it worth it?” decision, but if that were all I had to do, it would be fine.  It gets tricky when I have to quantify my answer in integers with a dollar sign on the front.  And I would argue that you do need to get some sort of consensus if you’re presenting that number, say, to an insurer. 

More to the point, if I have to help my management make that decision, I should be able to guide them in the implications of whatever measuring stick they choose (or leave out).  I don’t know whether to tell them to compute the downtime cost of a system, or the reputational cost (plus notification costs) of its compromise.  Or both.  I don’t know how to compute the asset value of a workstation—does it depend on whether it’s being used by a sysadmin or the CEO?  Does it have little to no intrinsic asset value because, functionally speaking, it’s just a “window” on the real systems and data?  How about if the CEO just happens to be storing his personal data on that hard disk because he doesn’t realize that “My Documents” == C: drive?

It would be interesting to consider whether one could build a completely data-centric model for asset valuation.  Maybe someone has done it already.  But then again, that’s assuming you KNOW where all your data is stored ...

Page 1 of 1 pages

Add a comment

Name:

Email:

Location:

URL:

Smileys

Remember my personal information

Notify me of follow-up comments?

Submit the word you see below: