Thursday, June 10, 2010

Numbers and Metrics

Before I get to an analysis of FISMA reforms and their potential impacts, I wanted to touch on something that has been biting my ass for a little while.

I get asked to justify my existence and what I provide as a return on investment. As part of that, I have tried to quantify the value of an information security or risk management program. If this were a normal blog, I would launch into a diatribe replete with all the necessary management buzz words, catch phrases and witty clichés. This is not a normal blog, so if that is what you are looking for then you can move on.

Much of the time information system risk management is based on existing risk assessment and monitoring frameworks, either insurance or financial or whatever. My opinion is that those don't work. Mainly, because those metrics are difficult for everyone to understand and they are basically rigged out to screw a customer. In the information systems world, the risk management framework needs to HELP a customer. I could be totally wrong though, but these frameworks are developed by corporations with a profit motive (not that there's anything wrong with that).

The other weak link in the chain (for me) is that even for quantitative frameworks, there is still room to fudge the numbers by a single person or data input. When you are assessing a mortgage for risk there is a history for a person, history for the house and the general climate of the market. All of which let us down in the recent past, due to securitization, greed and complicated schemes to make it all look good. There isn't a lot of room for that in the information security world.

I know what also isn't working - technical numbers. Number of viruses caught by AV, IDS true/false positive rates, percentage of environment patched. These don't work because an MBA can see 90% as pretty good. The problem with this is that even when you are at 100% there is still an unknown number of zero-day exploits in deployed software and there is still the element of human failures (lack of knowledge, misconfiguration and outright theft).

This wasn't supposed to sound all doom and gloom though. I am pointing out that somehow we as a community are doing something wrong. But please comment if you have had success in this arena. I have not seen it yet.

My idea:

I have been a fan of Eli Goldratt and the Theory of Constraints for about 10 years now, and I would love to figure out a way to apply ToC to information system risk management. You will notice I didn't say information security because a holistic risk management program includes operational and security risks.

For a couple of reasons: it is flexible for a dynamic environment, it depends on the improvement processes and the measurements for success are easy to understand.

Where's my white board?


Anonymous said...

I too am a fan of the work NIST has done, but how do you argue against the naysayers like Alan Paller who recently testified on the hill?

Especially when they have such convincing evidence to point out why FISMA has failed?

Check his testimony out below:

Fan of cyberhiker!

Chris said...

I would start with saying that Paller hasn't done any compliance work under FISMA ... ever.

I believe that the only reason that he gets invited to be listened to is that he actively lobbies Congress to be asked to testify.

I would also say that most organizations don't actually implement 800 series guidance to the fullest extent possible. They stop short for whatever reason. I've mentioned before that FISMA is about standing up a meaningful risk-based infosec program, not following 20 disparate controls with little to no strategy.

Lastly, I would point out that politicians don't understand the nuts and bolts of information security.

I could get more specific if you wanted to contact me directly.

Alex Hutton said...

Hey, Chris!

Patrick Florer is a big ToC advocate, too, and would probably love to talk to you about it.

Let me encourage you to join SIRA and post a note about ToC!