Wednesday, June 26, 2013

Good cyber security is not just a pile of "best practices"

Recently, some folks involved in the NIST Cyber Security Framework process have suggested that the challenge is analogous to "safety" and thus a similar compilation of "best practices" is what we need.  The thinking goes like this: If we just compile the "best practices" and then give everyone incentives to implement them, all will be good (or at least much better).  Taking the health/safety analogy further, they say that we need to promote "cyber hygiene".

But cyber security is not like safety.  It would be a grave mistake to treat it like they are the same or even similar.

Tuesday, June 25, 2013

Ten Dimensions of Cyber Security Performance

I am proposing a framework for managing cyber security performance.  As a preview, here are the ten dimensions:
  1. Optimize Exposure: attack surface and vulnerabilities, including assets, people, processes, & technologies
  2. Effective Threat Intelligence: understanding the threat agents 
  3. Effective Design & Development: security & privacy by design 
  4. Quality of Protection & Controls
  5. Effective/Efficient Execution & Operations 
  6. Effective Response, Recovery, & Resilience
  7. Effective External Engagement: responsibilities and risk drivers
  8. Effective Learning & Agility: OODA at an organization level
  9. Optimize Total Cost of Risk: (loss distribution approach)
  10. Responsibility & Accountability: including governance and compliance
Each of the ten dimensions are explored in subsequent posts (see links above).  The interactions among the first six dimensions are discussed in a post called "Operational Cyber Security & Single Loop Learning".  The interactions among the second four dimensions are discussed in "Agile Cyber Security and Double Loop Learning".

Here is are the slides of the diagram, built dimension by dimension.

These posts might be especially interesting to folks who engaged in any of the Cyber Security Framework processes now underway in the US (NIST), EU, or the UK.

(Comment: I acknowledge that this framework is a bit complicated.  My friend Jack Whitsitt   (@sintixerr) has suggested that we need "crayon version" because anything more complicated will just confuse people.  I concur, but I may have to flesh out this complicated version before I can get to something as simple as Plan-Do-Check-Act.)"

"Cyber security" is a superset of "information security", not a synonym

Over at the Security Sceptic blog, Dave Piscitello has a post titled, "Stop Saying Cybersecurity When You Mean Infosec (and vice-versa)" where he makes a good case for not using "cyber security" and "information security" interchangably.
"There is perhaps no term more overhyped, overused, overloaded and misunderstood in infosec and politics today than cybersecurity. Infosec and cybersecurity are often used interchangeably..."
Many InfoSec pros bash the use of the qualifying term "cyber" and consider it a sign of incompetence on the part of the speaker or writer.   They also see it as a sign that the field is being over-run by Beltway policy types, military types, and lawyers who really know nothing about it.

Rather than try to banish it, I agree with Dave that it should be used to mean a superset of information security, and not used as a synonym.  If enough people use it that way, it might catch on.

Dave suggests this distinction:
"Label as infosec activities that seek to fix actual security defects (i.e., cure, manage or improve health). This would include categories like secure code development, best practices and technology to identify or mitigage suboptimal (vulnerable) configuration, SIEM, identity and data/privacy protection. Label as cybersecurity activities that are offensive, reliatory or surveillance (military intelligence)."
This is OK, but I suggest a broader definition:

  • "Cyber security" -- the confluence of information security, industrial control security, privacy, identity, and digital rights, along with civil liberties and national/homeland security in the digital domain.

What do you think?   If someone can come up with a better umbrella term, I'm all for it.

(Edit 6/26/13: added "identity" to the definition.  It's a key integrating thread. Also added "industrial control security".)

Monday, June 24, 2013

I'm presenting at EnergySec Summit Sept. 17-19 in Denver, CO

I just received acceptance notice to present at the EnergySec Summit Sept. 17-19 in Denver, CO.  Here's the title and abstract:

How to Build Your Own Cyber Security Framework using a Balanced Scorecard
Two aspects of cyber security that everyone struggles with are metrics and business impact – How do we measure it to improve? and How do we make it meaningful to business decision makers? This gap appeared again recently in the NIST Cyber Security Framework (CSF) process RFI responses.  But there is no need to wait for NIST CSF or anything else because there is a viable method available now that you can use to build your own CSF – namely the “Balanced Scorecard” method.   
The key idea is to focus on performance against measurable objectives in all critical dimensions that, taken together, will lead to better security, privacy, and resiliency outcomes, even in a dynamic and highly uncertain threat environment. 
In this presentation, I’ll explain the ten critical dimensions of cyber security performance, explain how they are interrelated and feed off each other, show how to create a performance index in each dimension, and describe how the balanced scorecard can be used to drive executive decisions.  This presentation should be valuable to managers and executives in every type of organization in the energy sector, including the supply/service chain.  Consultants, regulators, and academics should also find it interesting and useful.
I'll be blogging about this topic in the coming days and weeks.

Dream work spaces

I imagine that many golfers believe they would play their best golf at Augusta National (home of the Masters).  Maybe many musicians believe they would perform their best at Carnegie Hall.  For me, I'm inspired in my work by grand reading rooms in libraries.  I'm lucky to be able to use the Stanford Green Library's Lane Reading Room. It has a nice hallway with vaulted ceilings, which is a good place for monk-like pacing.

A place for pacing
(click for larger image in new window)

As nice as this is, my Dream Work Space might be the Library of Congress Reading Room.  I visited there last week to get two hard-to-find books.  I only spent a few minutes in the Reading Room itself before going into the copy room.  But I took a moment to imaging what it would be like as a daily work space.  Yowwza!

Library of Congress Reading Room.
View from above (click for larger image in new window)

View from the floor.  I'm sure I could think great thoughts here!
(Click to view larger image in new window)




Lecture: Exploring Possibility Space of Ideological Change

Here's a nice academic lecture at University of Waterloo Institute for Complexity and Innovation (WICI) by Matto Mildenburger, PhD Candidate at the School of Forestry and Environmental Studies, Yale University.


Exploring the Possibility Space of Ideological Change from Waterloo Institute for Complexit on Vimeo.

His use of the term "possibility space" is similar to my view, meaning a space of possible states of a system along with dimensions or topological relations that give shape to the space.  At 27:04 he discusses the nature of dimensions and their validity in studying the space of ideologies.  At 1:02:19 he answers a question about process of change in ideologies and how change is interpreted spatially.

I'm attending the the Trento Summer School in July

I'm looking forward to attending the 14th Trento Summer School in Trento, Italy, from July 1 to July 12.  The theme this year is "Modularity and Design for Innovation".  The summer school is hosted by the Cognitive and Experimental Economics Laboratory (CEEL) at University of Trento, as part of their Adaptive Economic Dynamics program.

Trento, Italy


View Trento in a larger map

Looks like I'm the only American student and also probably the oldest!  Should be fun.

One of the main lecturers is Carliss Y. Baldwin of the Harvard Business School.  I first met Carliss in 2000 at the Wharton Workshop on Complexity and Management,  where we were both presenters.  She presented a preview of her soon-to-be-published book Design Rules.  She probably doesn't remember me or my presentation, but I remember her.

Sunday, June 23, 2013

Two new journals: Sociological Science and Journal of Strategy Science

Two new journals caught my eye.

First is Sociological Science, which will be accepting submissions starting this Fall.  Unlike established journals, they have a light-weight editorial model focused on fast decisions and simple accept/reject decisions.  Like PlosOne, they seem to be very open in terms of interdisciplinary work and methods.

Second is Journal of Strategy Science, published by INFORMS.  They aim to publish their first issue in 2015.  This is a traditional journal with all usual the pluses and minuses.  What caught my eye was that the Editor in Chief is Daniel Levinthal of Wharton Business School.  He's has been a pioneer in using methods from Complexity Science to study organizations and innovation, and, in general, he's been very supportive of computational methods.

Q: What marks the "Heartland"? A: Attitudes toward pantyhose substitutes

NC State has a very interesting interactive site called Dialect Survey Maps, based on data from the 122-question survey conducted by Bert Vaux, Department of Linguistics, University of Cambridge. The web interface was coded with Shiny and deployed using the hosting service provided by RStudio.

Maps for most questions show regional differences in terminology and idioms -- e.g. in most of the US, "tennis shoes" is generic name for soft/athletic shoes, except in New England where the term "sneakers" is preferred.

But the map that caught my eye was for this statement:
  • 56. "Pantyhose are so expensive anymore that I just try to get a good suntan and forget about it."
Here's the map.  What I like is that agreeing with this statement is marks "The Heartland"  (excluding the Old South), a.k.a. "North-Middle America".  (Color code:  Blue is "acceptable" and red is "unacceptable".  Click to see larger version in a new window.)

It's interesting to see how this separates Iowa from Minnesota, Wisconsin from Illinois, North Dakota from South Dakota, and New York from Pennsylvania.

Saturday, June 22, 2013

Using LaTex equations in Blogger

Here are simple instructions for using MathJax within Blogger.  For example, this LaTex code:
 x\leq y+ \sum_{k=1}^n y_k 
surrounded by "$". This renders as:
$x\leq y+ \sum_{k=1}^n y_k$

Let the explorations begin

I think it's time to create a personal blog.  For a few years, I've been blogging at New School of Information Security about information security, especially risk estimation, metrics, and risk management.  I've used Twitter (@MrMeritology) for these and other topics, including various topics related to my PhD program and dissertation.  I'll still blog at NewSchool from time to time, and I will continue to use Twitter for community interaction and resource sharing.

The blog format allows for longer essays and maybe novel content (e.g. interactive animations).  I imagine this blog will be more open in terms of topics and ideas that interest me as I come across them.  I'll also be blogging my progress through my dissertation and my experiences with various tools and methods as I learn them.

The content will be mostly professional, intellectual, and technical, with some occasional philosophy and personal essays.

I won't be blogging personal or family stuff.