2011-07-09

learning from incidents

In Infosec, there are risks (what could happen) and incidents (what has happened).

We deal with risks proactively by asking questions. Identify, describe, quantify and so on. We treat the risks, hopefully avoid them.

Incidents call for a reactive posture. How can we recover?

A mature organization prefers to be proactive as opposed to reactive. One way is to interconnect the two approaches. Analyze your incident history so that recurring issues can be addressed. Don't forget that rear mirror.

Read more about distinguishing between risk and issue at The Innovation of Risk.

2011-06-29

future in the rear mirror

Security risk is uncertainty about undesirable future events, a lack of control. To reduce uncertainty, we'd need a way to look into the future. And we can.

Having identified threat sources and vulnerabilities relevant to our assets, we construct risk by formulating realistic events. Neither objective nor scientific, it does provide a crystal ball of sorts.

Also, what has already happened? History is an indicator of what might happen. Spotting the future in the rear mirror could be our best option.

2011-06-19

the risk you wouldn't want

There are different kinds of risk. Some are desirable. Doing business means taking risk to make money. The risk appetite will vary between companies and over time.

Other risks represent things going wrong in a company's everyday activities. We call them operational. You won't have an appetite for them. Instead, we talk of risk tolerance. When do you decide to close a factory, do things differently to avoid the potential cost? Operational risks are risks you don't want. Infosec risks among them.

2011-05-18

meet your infosec risk

Consider your asset, something information-related worthwhile protecting. Mind your threat sources. Who or what could attack the asset, intentionally or not? Think vulnerabilities. Is there a weakness which could be used? Now: is there a combination where a relevant threat source can exploit a known vulnerability to compromise your asset? Just how bad is this potential harmful event? Quantify with respect to likelihood and impact. And there you have it. Meet your information security risk.

2011-01-22

no such thing

If I could only... would that make me safe? Is there a recipe for removing or mitigating all risk? Not in life. Not in software. In practice, everyday software is infinitely complex. Foreseeing and countering everything that could go wrong - however desirable - is not realistic. That's why I prefer not to talk about "secure" software. A desirable goal indeed but not within our reach. That'd be promising something we can't deliver. Software security is not absolute. It's about gray-scales and risk.

2010-12-18

delicious remorse

Those who have known me for a while will probably be giggling by now. For the rest of you, I can let you in on a secret. You know old King Midas? Everything he touched turned into gold. Well, in the world of services I frequently assume the role of some inverted Midas. I've managed to join (or buy) lots of products and services over the years, only to discover that they soon get discontinued. Apparently, this time it took me five weeks to get Delicious swaying. When news broke about Yahoo allegedly sunsetting this bookmarking service I was disappointed but not exactly surprised...

2010-11-13

deliciously yours

Being a student of Risk Management and Security Informatics implies quite a bit of reading. Ergo bookmarking. Once in a while I do come across a text which may or may not be of interest to others. Ergo Social Bookmarking. I try hard not to involve myself in more services and networks than necessary but have decided to make a tactical retreat now and join Delicious after all.

For now, my bookmarks collection can be found here.

2010-09-02

a silent movie

Apparently, I'm now into silent movies. Or slide shows, to be precise. It's an experiment and I'd appreciate feedback. In case you recognize some photos, they have been published on pixels and plenty.

2010-08-28

tunnel vision

Someone suggested that Risk Management takes place at the intersection of three disciplines: psychology, economy and technology. This is an important observation.

Consider.

The recent, long-awaited breakthrough in the Hallandsås Ridge Tunnel highlights the tremendous challenges facing this infrastructure project which was originally launched way back in the 1990's.

Let's recall the issues.
1. Was it a good idea to have this new railroad through the notorious ridge?
2. Was it doable?
3. Was it economically viable?

At the outset, we knew the geology was tough. It turned out worse than expected. We knew we needed extraordinary technology. That still wasn't enough. Time schedules slipped, budgets evaporated and, as the nervousness began to set in, the previous project management started cutting corners, introducing substances which would create an environmental scandal. The Rhoca-Gil pollution issue turned out to be grossly exaggerated, but in the hearts and minds of the locals and the general public it was a complete PR catastrophe. Viewed through the respective lenses of technology, economy and psychology, the halted project was a hopeless failure.

So, where does one go from there? First the technology. Means and methods for tunneling through hopeless "non-rock" had to be reinvented. Then the economy. A credible plan had to be laid out, setting the record straight on what the job would cost and when it would get done. Still, succeeding on those two difficult fronts wouldn't be worth a penny unless trust could be regained. Trust from the locals that the construction work would be pursued safely. Trust from the taxpayers that huge piles of additional money would in fact be well spent. Trust from decision-makers who once again had to go on record, actively supporting this ill-fated tunneling effort. And there you have it. Technology risk, environmental risk, financial risk and political risk - all intertwined.

I wouldn't open the real expensive champagne quite yet, but last week's spectacular breakthrough was an important psychological milestone.

Let's revisit the main issues.
1. Today hardly anyone would argue against the importance of investing in our railroads. The climate threat changes everything. So yes, it is a good idea to have this new railroad.
2. Having the first tunnel completed is a fact which speaks loudly for itself. Yes - although the geology of Hallandsås Ridge may still hold some surprises for us, this is in fact doable. Our means and methods are working - and in a safe way too. Through openness and engaging in public debate, the new project management has regained the confidence of those living and breathing around the ridge.
3. Which leaves us with the issues of time and money. Skanska-Vinci are now delivering on the new plan. They're on schedule for allowing trains into the tunnel in 2015. The economists will continue arguing on whether the huge cost-overruns have been justifiable. As always, the money you already spent will be lost if you give up and seal the tunnel. What matters is the marginal cost of the work remaining.

Now, this time let's stay on track.

2010-08-03

compact living - revisited

OK, so it's official.

There's absolutely nothing wrong with my SLR camera but photography has become immensely boring. It's too heavy to carry around unless I have some specific shooting in mind. Consequently, the camera stays home six days a week and snapping photos has turned into a Planned Activity on Rare Occasions.

Clinging to a Point&Shoot is not supposed to be healthy for anyone aiming to take photography seriously. Still, I did cling for years and I miss those days. I suppose my photos are in some respect technically "better" these days but they're also rather uninspired. Creative moments are few and far between and I blame my heavy-weight SLR companion. In my world, a camera should be something handy to stick in your bag (or - even better - your pocket!) and forget about until the moment you encounter Something Worthy of Being Snapped.

So, let it be known. I miss my P&S.