Sunday, July 7, 2013

Operational Cyber Security and Single Loop Learning

In this post, I want to summarize the previous posts and also describe the interactions and relationships among the first six performance dimensions.  (See this post for the full list of dimensions.)

The core of cyber security performance is at the operational level, which includes processes and activities that drive day-to-day results.  Existing cyber security frameworks include many of the performance dimensions I am proposing, but in my opinion they have gaps and inadequacies:
  • Resilience is often omitted or treated as a disjoint collection of processes.
  • Design & Development is often omitted or is too narrowly defined to include only software design.
  • Execution & Operations is often underappreciated and is subsumed under other categories.
  • Protection & Controls is often defined too broadly, as if nearly every pro-active cyber security practice could be defined as a new protection process or control.
  • Exposure is often treated too narrowly, focusing on identifying information assets and technical vulnerabilities, and not giving sufficient attention to the total "exposure surface" (analogous to attack surface), which includes all aspects of exposure -- people, processes, technology, and information.  Also, many existing frameworks focus on minimizing exposure and minimizing vulnerabilities, and thus ignore the balancing act of promoting access to and use of systems to achieve organization goals.
  • Threat Intelligence, in some frameworks, is focused too narrowly on methods of attack (a.k.a. the "threats") and not enough on the actors behind those methods (the "threat agents").  Also, they tend to put too much attention on malicious actors and not enough on actors who are prone to accidents and errors, and also actors who are exploitive-but-legal.
  • All together, existing cyber security frameworks tend to be inadequate in how they treat the intersection of information security, privacy, IP protection, industrial control protection, national/homeland security, civil liberties, and digital rights.
The Ten Performance Dimensions that I am proposing aim to remedy these gaps and inadequacies, which I believe is a useful contribution.  But even more important is the dynamic interaction of these dimensions, because it is those interactions that can yield a system that is agile and capable of rapid innovation.

"Agility" is the ability to adjust, adapt, and reconfigure in response to, or in anticipation of a changing environment, with the implication that the adjustments are made with sufficient speed and ease, and with a minimum of overshoot. To be agile, a system has to have the capability to learn, where "learn" means adapting one's model of the world and self in a way that minimizes the gap between actual performance and desired performance.

Researchers who have studied learning in organizations generally describe learning as feedback loops.  One framework that has been proposed is called Double Loop Learning (see this article, this paper, this web page, and this one, too), and I think it will be useful in broadly characterizing the interactions between these performance dimensions.  The diagram below shows the overall structure of Double Loop Learning (from Kolb 1984):


The first loop, at the top, is what is often called "Single Loop Learning" or "First Loop Learning".  It's essentially the process of continuous improvement as defined in the process management and quality management fields (e.g. Plan-Do-Check-Act).  This is the learning loop that governs the first six dimensions, as shown in the next diagram.  I'll use Plan-Do-Check-Act as a descriptive aid.

Every one of the first six dimensions has "Plan" processes, not just 3. Design & Development.  In 1. Optimize Exposure, "Plan" means identifying the information systems and assets that are exposed, should be exposed, and should have limited or no exposure, given the overall objectives of the organization and its stakeholders.  Likewise, the "Plan" processes of the other dimensions can be defined.  But these "Plan" processes do not and should not operate in isolation.  "Plan" for 1. Optimize Exposure must be informed by "Plan" for 2. Threat Intelligence, and so on through the other dimensions.  It is not necessary to have a monolithic integrated "Plan" process, especially in very large organizations.  But care and attention should be paid to the mutual information needs of each.  An Input/Output diagram should be sufficient for this task, and maybe a sequence diagram.

"Do" processes put the plans or designs into action, and thus make them operational.  "Check" is the process of inspecting, measuring, or evaluating the operational results relative to the plan or to goals.  "Act" is the process of making incremental corrections or improvements based on the evaluations from "Check".  Again, all of the dimensions include these processes.  There need to be strong interactions among the dimensions in "Act", because a result observed in one dimension, say 4. Protection & Controls, may be best remedied by a correction in another, say 6. Response, Recovery, & Resilience.

There are two very important differences between Single Loop Learning in cyber security and in other settings such as manufacturing.  The first difference is that cyber security sometimes faces high uncertainty regarding low-frequency/high-impact events, which a manufacturing process rarely does.  This calls for a risk management approach.  The second difference is that many firms face regulations and compliance regimes that dictate or strongly determine the specifics of their cyber security program.

In the context of Single Loop Learning, risk management basically means having an adequate estimate of the components and drivers of enterprise risk so that priority decisions and triage decisions can be made.  There is very little benefit in trying to calculate the return on investment for each and every task, control, device, person, or piece of software.  Instead, each needs to be evaluated in its contribution to the whole.  A fine example of this sort of analysis is given by Peter Drucker in his classic book Managing for Results.  Even though he analyzes a product portfolio, the same sort of analysis could be performed on the operational dimensions of a cyber security program.  You would use this analysis method in conjunction with a risk decomposition method such as FAIR.
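To make "contribution to the whole" concrete, here is an added example (mine, not from the original post or from the FAIR standard's own tooling) that decomposes a small, constructed portfolio of loss scenarios using FAIR's factor structure (Threat Event Frequency x Vulnerability = Loss Event Frequency; Loss Event Frequency x Loss Magnitude = annualized loss), samples each factor by Monte Carlo, and then ranks candidate controls by how much they reduce the portfolio total rather than by a per-control ROI.  The scenario names, the (min, most likely, max) estimates and the two candidate controls are all assumed for illustration; real FAIR work would use calibrated estimates and PERT rather than triangular distributions, but the mechanics are the same.

```python
"""FAIR-style risk decomposition with Monte Carlo sampling (added example).

Not the original post's code and not an official FAIR tool.  All scenario
names and numbers below are constructed for illustration.

FAIR factor structure used here:
  Loss Event Frequency (LEF) = Threat Event Frequency (TEF) x Vulnerability
  Annualized loss            = LEF x Loss Magnitude (LM)
Each factor is a (min, most_likely, max) triple sampled with a triangular
distribution (an assumption; FAIR practitioners usually use PERT).
"""
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: tuple   # threat events per year: (min, most_likely, max)
    vuln: tuple  # probability a threat event becomes a loss event, 0..1
    lm: tuple    # loss magnitude per loss event, in currency units


def sample(triple, rng):
    lo, mode, hi = triple
    return rng.triangular(lo, hi, mode)  # random.triangular(low, high, mode)


def annual_loss(scn, rng):
    """One Monte Carlo draw of a scenario's annualized loss."""
    lef = sample(scn.tef, rng) * sample(scn.vuln, rng)
    return lef * sample(scn.lm, rng)


def simulate(scenarios, trials=20000, seed=1):
    """Return {scenario name: mean annualized loss} over `trials` draws."""
    rng = random.Random(seed)
    return {s.name: mean(annual_loss(s, rng) for _ in range(trials))
            for s in scenarios}


def contribution(scenarios, **kw):
    """Each scenario's share of total expected annual loss, plus the total."""
    losses = simulate(scenarios, **kw)
    total = sum(losses.values())
    return {k: v / total for k, v in losses.items()}, total


def control_benefit(scenarios, name, new_vuln, **kw):
    """Reduction in *total* expected annual loss if scenario `name` gets a
    control that lowers its Vulnerability factor to `new_vuln`.  Both runs
    share a seed so the comparison uses common random numbers."""
    before = sum(simulate(scenarios, **kw).values())
    patched = [Scenario(s.name, s.tef, new_vuln, s.lm) if s.name == name else s
               for s in scenarios]
    after = sum(simulate(patched, **kw).values())
    return before - after


# Constructed portfolio of three loss scenarios (illustrative numbers only).
PORTFOLIO = [
    Scenario("phishing->credential theft", tef=(20, 60, 120),
             vuln=(0.05, 0.15, 0.30), lm=(5e3, 4e4, 2e5)),
    Scenario("web app SQL injection", tef=(2, 6, 15),
             vuln=(0.02, 0.10, 0.25), lm=(1e5, 5e5, 3e6)),
    Scenario("lost unencrypted laptop", tef=(1, 3, 8),
             vuln=(0.30, 0.60, 0.90), lm=(1e4, 5e4, 1.5e5)),
]

if __name__ == "__main__":
    shares, total = contribution(PORTFOLIO)
    print(f"total expected annual loss: {total:,.0f}")
    for name, share in sorted(shares.items(), key=lambda kv: -kv[1]):
        print(f"  {share:5.1%}  {name}")
    # Compare two candidate controls by their effect on the whole portfolio.
    mfa = control_benefit(PORTFOLIO, "phishing->credential theft", (0.01, 0.03, 0.06))
    fde = control_benefit(PORTFOLIO, "lost unencrypted laptop", (0.01, 0.05, 0.10))
    print(f"MFA (assumed to cut credential-theft vuln to ~0.03): {mfa:,.0f}")
    print(f"Full-disk encryption (assumed to cut laptop vuln to ~0.05): {fde:,.0f}")
```

The point of `control_benefit` is the one the paragraph makes: the laptop scenario has by far the highest Vulnerability factor, so a control judged in isolation looks attractive there, yet its effect on the portfolio total is small because the scenario's frequency and loss magnitude are low.  Swap in your own estimates and seeds; the ranking, not the absolute figures, is what drives triage.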

Furthermore, risk analysis and risk management are vital to the task of defining and measuring what is "effective" and what is "quality" across each of these dimensions.  Thus, risk management is embedded in the very definition of "performance" at the operational level of cyber security.

Regarding compliance, my advice is simple: if there are any operational aspects of cyber security that are done solely because of compliance, then it is a sign of an underperforming or immature cyber security program.  Conversely, for a cyber security program that is performing well across all six dimensions, there is nothing distinct and useful a compliance regime can add.  Compliance and compliance thinking simply have no place in operational cyber security.  Period.

However, compliance is not irrelevant, and it does have a place in the overall framework, but only under dimension 10, Accountability & Responsibility.

(Next dimension: 7. Effective External Engagement)
