Reading Gregory Bateson this morning, I was reminded of the croquet game from Alice in Wonderland. The mallet is a flamingo, the ball is a hedgehog, the arches are soldiers, and the players' actions are absolutely chaotic. As Bateson's writing always does, it got the rat in my brain turning the wheel at double-time. In particular, it got me thinking about Enterprise IT Risk Management.
Risk is about impact and likelihood.
Nail down the concepts of impact and likelihood, and you've got the building blocks for a risk management strategy ... at least a tactical one. Problem is, those concepts are not always easy to nail down. Now I understand why. In our space, risks have always been framed in the context of vulnerabilities: defects and their associated threats. Sounds simple enough. This is not unique to Vulnerability Management; *everyone* has fallen into the same trap. As Wiener observed more than half a century ago (paraphrasing), our specialization is making us miss the bigger picture.
The story of Alice's croquet game shows that there is a disconnect between traditional risk methodologies and Network Security. There are human elements (specifically in the interactions between man and machine) that inevitably make the game seemingly unplayable. Most of us in various disciplines of Network Security treat the game as if we're dealing with a mallet, ball, and arch. I assure you, we're not.
What is on your network? What *is* your network?
As cybernetics has been consuming most of my free cycles, I'm hyper-aware of the limitations of viewing the "network" as a collection of individual objects. Even if each object is analysed exhaustively, there are pieces of critical information that can't be found there. The same is true for the set of all sets of objects ... the information can't be found there either. If these pieces of information are not available to us through our current view, it follows that any risk assessment based on this view will have downstream gaps. How can we possibly assess the true impact and likelihood of potential events while ignoring relevant facts? There has to be something better.
It's not the game it used to be ... and it never was.
Back to Alice. The object of croquet is to swing the mallet with sufficient precision to make the ball go through the arches, isn't it?
Given that the properties of the mallet, ball, and arches are relatively fixed, the variance is in the player. Good swing = good shot. Poor swing = poor shot. Not so for Alice. Should the flamingo bend its neck, should the hedgehog crawl forward, should the soldier walk to a different spot on the field, how on earth should we assess whether Alice's swing is a good one? How can she hope to improve her game?
Think *inside* the (expanded) box
So, what does all of this have to do with Risk Management? I've read many suggestions of what 2006 will hold for us. My opinion is that the coming year will bring *major* changes to the way that we look at Enterprise IT Risk Management. In particular, 2006 will see us looking at the entire ecosystem to redefine what the "network" is to us. In doing so, we will come to understand that our current silos of understanding do not provide us with sufficient information. We will begin to consider systems, humans, and the ties that bind them together. These ties lie in action as much as they lie in static attributes. 2006 will be the year of understanding through context and thinking inside a bigger box. We will redefine the game, and make our dent in the universe.
Happy holidays.