Tuesday, January 28, 2014

Estimating your organization's risk appetite, starting from scratch

On Twitter recently, Phillip Beyer (@pjbeyer) asked: "how do you measure risk appetite in program early stages?".  I gave my answers in a series of tweets, but this question comes up a lot so I think it's worthy of a blog post.

[Edit: Feel free to substitute the term "risk tolerance" for "risk appetite".  They have slightly different origins, but their interpretation in this context is the same.]

First, some people have an aversion to the concept of "risk appetite" and others deny that it even applies to information security (or more broadly to cyber security).  The argument goes that no rational manager or organization desires to take on information security risk if they could avoid it, and therefore there is no such thing as an appetite for risk.  A different argument against it is based on belief that risk in information security is not quantifiable, and therefore attempts to quantify risk appetite are similarly impossible or meaningless.

I believe these two positions are mistaken.  The first objection is a misunderstanding of what "risk appetite" really means and how it applies to information security.  I'll explain and clarify, hopefully,  Also in this post, I'll also address the second objection to show how risk appetite can be reliably quantified.

"How Complex Systems Fail" Richard Cook, 30min video

This is a wonderful 30 minute lecture that should be interesting to anyone in information security, risk management, operations, and especially CIOs and CISOs.  He gives very good explanations about why agility and learning are so important to resilience.


Nominated for "Best New Security Blog" at #RSAC

Every year at the RSA Conference, there is a meetup for information security bloggers.  As part of the gathering, awards are given to bloggers in various categories -- best corporate blog, best blog post, and so on --  based on votes from their peers.  One category is best new security blog, and I'm happy to report that this blog has been nominated in that category.

If you are a blogger, feel free to vote for "Exploring Possibility Space" using the link on this page.

Realistically, my chances of winning aren't great because I don't focus exclusively on information security, as the others do.  But even so, it's an honor to be nominated (as all nominees say!).

Sunday, January 19, 2014

PNAS letter & reply: You say potāto, I say potəto…

If we have mis-communicated, should we call the whole thing off?
Not just yet.  I say: once more, with FEELING!
Big news: my letter to Proceedings of the National Academies of Science (PNAS) has been published, along with the author's reply.  (pay wall)

This post includes an early draft of my letter plus some commentary.

My published letter: "Does diffusion of horse-related military technologies explain spatiotemporal patterns of social complexity 1500 BCE–AD 1500?"

The authors' reply is here.

The authors are Peter Turchin, Thomas Currie, Edward A. L. Turner, and Sergey Gavrilets.  In case you don't know him, Dr. Peter Turchin is one of the founders of this field called Cliodynamics, or the mathematical modeling of large scale, long time horizon historical dynamics.

The not-so-good-news is that the authors misunderstood my objections so their answers didn't address them.  Thus, we didn't really communicate successfully in the format of PNAS letters. Both my letter and the author's response were restricted to 500 words, and this significantly contributed to the miscommunication.

Message to PNAS editors: Your 500-word restriction on letters is anachronistic, unnecessary, and is an obstacle to productive scholarly debate. Since letters are only published online, there is no justification for the 500-word limit, which is presumably justified to save precious paper in the print version of PNAS journal. With online publication, letters should be edited to express their essential meaning without any fixed word count limit.

For copyright reasons, I can't copy verbatim either my letter or the author's response. Instead, I'll splice them together, along with my commentary on the miscommunication and more details about my objections.   My sincere desire is that the authors will respond here in the comments or elsewhere to address these (clarified) objections.

My objections focus on the authors' design and simulation choices, and not their underlying theories of social complexity.

Monday, January 13, 2014

Guest on "Data-driven Security Podcast" Ep. 1

I was a guest on the new Data-driven Security Podcast, episode 1.  There's the usual audio and also a video (1 hour 15 minutes).  Along with hosts Bob Rudis and Jay Jacobs, I joined Michael Roytman and  Alex Pinto for a lively conversation about how we all got into the data analysis side of information security and where we see it going.

The podcast and also the web site and blog are associated with a new book with the same title, Data-driven Security, authored by Bob and Jay. I was technical editor, so I can honestly say that I've read the whole book. I heartily recommend it to any information security professional or manager. It is a perfect "on-ramp" into data science and visualization as applied to information security, and it's written in your language.

Why I am not boycotting #RSAC

I'm scheduled to speak at the RSA Conference, San Francisco.  Many prominent speakers have decided not to speak in protest.  I've decided to follow through with this speaking engagement.

I'm bothered by the events and actions that have prompted the boycott -- a secret deal between the NSA and RSA to promote a weakened cryptography system.  I share most of the concerns and strong objections that the protesting speakers have expressed.  I have decided that, in this case, the benefits of speaking and engaging with attendees outweighs the value of a protest action.

(Edit: But I will be wearing an Electronic Frontier Foundation t-shirt and will give them a shout-out, so that's something.)