The focus of many of my projects is on risks. I’ve observed through multiple assessments in various companies and industries a lack of formalised risk management process. Some of the plans may exist but they are not linked to specific risks and risk reduction levels are not being measured and reported on appropriately.
The security function can be effective in responding to incidents but the strategic risk-driven planning is often missing. The root cause of this state of affairs is often can be generalised as low maturity of the security function. If that’s the case, the team spends most of its time fighting fires and have little capacity to address the challenges that cause these fires in the first place.
To address this, I assess current state of the security function, define the target maturity level and then develop a high-level roadmap to achieve that desired state.
If the company is geographically distributed, noticeable differences usually exist between a number of business units in terms of overall policy framework. The suggestion here is to define a baseline level of security controls across the entire enterprise. The first step in defining these is to understand what we are trying to protect – the assets.
Modern corporations own a wide range of assets that enable them to operate and grow. They broadly include physical and non-physical assets, people and reputation. Engagement from appropriate parts of the business to identify these is important here as potential attacks to these assets might negatively affect the operations.
By understanding the assets we are able to better identify risks, enable effective detection and response, and prioritise controls and remediation efforts better.
It also helps to conduct a bottom-up review of assets to understand what exactly we’ve got there, focusing on the most critical ones and creating and updating asset inventories.
Understanding the asset base and setting standards and guidance for protecting them will focus the efforts and help you prevent and better respond to security issues.
Assets are tightly linked to threat actors, because it’s not enough to know what we need to protect – we also need to know what we are protecting our assets against. Threat actors vary in their motivation and ability and – depending on the company – include nation states, organised crime, insiders, hacktivist, competitors, etc.
A combination of assets and threats helps us to define risks.
Identifying risks and placing them on a heat map helps determine the inherent, residual and target risks. Inherent risks show the level of risk assuming all the controls or remediating measures were absent or failing. Think of it as if security function didn’t exist. It’s not a happy place where we see the majority of risks have high impact and likelihood being in the top right hand side corner of the chart.
Luckily, security function does exist and even if they don’t have a formalised risk management process, they are usually doing a good job in addressing some of these risks.
Current level of risk is taking into account all the controls and remediating measures in place. The initial impact and likelihood is usually reduced and sometimes to an acceptable level agreed by the business. The idea here is although further reduction of impact and likelihood is possible, it might not be cost-effective. In other words, the money might be better spent in addressing other risks.
Target risks is the future state risk level once additional controls and remediation measures are implemented by the security team.
The main takeaway here is that a formalised risk management approach (with accompanying processes and policies) is needed to ensure all risks are identified and tracked over time, and the appropriate resources and efforts are spent on the top priority risks.
“So often information security is viewed as a technical discipline – a world of firewalls, anti-virus software, access controls and encryption. An opaque and enigmatic discipline which defies understanding, with a priesthood who often protect their profession with complex concepts, language and most of all secrecy.
Leron takes a practical, pragmatic and no-holds barred approach to demystifying the topic. He reminds us that ultimately security depends on people – and that we all act in what we see as our rational self-interest – sometimes ill-informed, ill-judged, even downright perverse.
No approach to security can ever succeed without considering people – and as a profession we need to look beyond our computers to understand the business, the culture of the organisation – and most of all, how we can create a security environment which helps people feel free to actually do their job.”
David Ferbrache OBE, FBCS
Technical Director, Cyber Security
“This is an easy-to-read, accessible and simple introduction to information security. The style is straightforward, and calls on a range of anecdotes to help the reader through what is often a complicated and hard to penetrate subject. Leron approaches the subject from a psychological angle and will be appealing to both those of a non-technical and a technical background.”
Dr David King
Visiting Fellow of Kellogg College
University of Oxford
Scientists in various fields adopt statistical methods to determine relationships between events and assess the strength of such links. Security professionals performing risk assessments are also interested in determining what events are causing the most impact.
When analysing historical data, however, they should remember that correlation doesn’t always imply causation. When patterns of events look similar, it may lead you to believe that one event causes the other. But as demonstrated by the chart above, it is highly unlikely that seeing Nicolas Cage on TV causes people to jump into the pool (although it may in some cases).
The Psychology of Information Security – Resolving conflicts between security compliance and human behaviourPosted: November 26, 2015
In today’s corporations, information security professionals have a lot on their plate. In the face of constantly evolving cyber threats they must comply with numerous laws and regulations, protect their company’s assets and mitigate risks to the furthest extent possible.
Security professionals can often be ignorant of the impact that implementing security policies in a vacuum can have on the end users’ core business activities. These end users are, in turn, often unaware of the risk they are exposing the organisation to. They may even feel justified in finding workarounds because they believe that the organisation values productivity over security. The end result is a conflict between the security team and the rest of the business, and increased, rather than reduced, risk.
This can be addressed by factoring in an individual’s perspective, knowledge and awareness, and a modern, flexible and adaptable information security approach. The aim of the security practice should be to correct employee misconceptions by understanding their motivations and working with the users rather than against them – after all, people are a company’s best assets.
I just finished writing a book with IT Governance Publishing on this topic. This book draws on the experience of industry experts and related academic research to:
- Gain insight into information security issues related to human behaviour, from both end users’ and security professionals’ perspectives.
- Provide a set of recommendations to support the security professional’s decision-making process, and to improve the culture and find the balance between security and productivity.
- Give advice on aligning a security programme with wider organisational objectives.
- Manage and communicate these changes within an organisation.
Based on insights gained from academic research as well as interviews with UK-based security professionals from various sectors, The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour explains the importance of careful risk management and how to align a security programme with wider business objectives, providing methods and techniques to engage stakeholders and encourage buy-in.
The Psychology of Information Security redresses the balance by considering information security from both viewpoints in order to gain insight into security issues relating to human behaviour , helping security professionals understand how a security culture that puts risk into context promotes compliance.
In my previous post I discussed free online courses in information security. Here I would like to share a few more resources.
Thom Langford: Security risk is just one of the many types of risks a business faces on a day-to-day basisPosted: June 10, 2014
Interview with Thom Langford, Director of security risk management
Could we start with your personal story: your beginnings and how you got to where you are.
I was always interested in computers. My first computer was a Sinclair Spectrum 48K. I’ve always had a technology fascination. I got very much into this during school and university, and my first job was as a VAX/VMS operator, running overnight batch jobs. It was a physically tiring job, as we had to print 70,000 to 100,000 pages at night to have them delivered to the client and a 24-hour shift system, which got me to learn how to work under pressure. I then got into PCs in a big way, and moved from supporting Autodesk CAD products, to being an IT manager for a small systems integration company in Swindon. When the company was bought out by Coopers and Lybrand and subsequently merged with Price Waterhouse, to become PwC, I became known as a “builder of things”. I built a retail solutions centre, both the technology and the physical environments, from the ground up.
I subsequently built a client showcase development centre in Heathrow, a fast-track product delivery centre in London, and was also doing client work in Swansea building an innovation centre. Again, this included building both the IT as well as the physical environment: buildings, walls, the electrics and the soft furnishings, everything, basically.
I then moved to Sapient as an IT and facilities manager, which was a bit of an odd combination, although a natural move given my previous experience. I was doing that job for a number of years, initially for London and then for our global offices, when I noticed a gap in our capabilities around security, disaster-recovery and business continuity. I then spoke to one of our C level executives, and he agreed. He broadened the scope somewhat further and then asked me to start 10 days later. So it was a very rapid move for me into security. Even though I had already had a strong background in physical and IT security, this was a very different world for me. I tried to get qualified very quickly, which is something that is very difficult when you have little to no budget, which happens when you start mid-year. So I basically begged, borrowed and stole everything. We brought together a team and got a CISO on board and that’s basically where we are today. Right now I am the acting CISO. I am responsible for teams based out of India and North America, working to strengthen our security posture both internally as well as to the industry.
You are responsible for risk management. What is your view on risk management in general? How do you think is your view different from others, if at all?
I think everybody has a view on risk management, and it is not always a good one. Traditionally, risks are seen as bad and that have to be removed. They never change and the same risks are going to be there all the time. This was, at least, my perspective in the beginning. Everything is static and you live in the world of Excel spread sheets: you list your risks in them, you list what you are going to do about them, how you are going to measure them, and then you decide whether you’ve fixed them or not. Nobody was able to tell me whether a risk was acceptable or otherwise. This was basically as far as I saw, within my responsibility: to act as the conscience of a company, because that was my job. That attitude has changed for me a lot in the last 4 years. If you are the conscience of the business, the business will be stifled quite dramatically because of your security implementations. Actually, all you are doing is reducing their ability to work effectively because you don’t see the big picture of how the business operates.
Security risk is just one of the many types of risks a business faces on a day-to-day basis: socioeconomic, financial, geopolitical, legal, personnel, everything has to be taken into account. To say that a business cannot carry out an activity based on one aspect or one facet of risk, I think, is the entirely wrong thing to do. You should act more as an enabler and to become more of a yes person than a no person.
When identifying risks you will probably need the help of different stakeholders. How do you identify these different stakeholders? How do you manage the relationship with them? How do you get people to speak up?
Risk in security is just one facet of security in any business. So any enterprise should have a risk committee that is composed by a delivery group, a legal group, a financial group, etc. As long as you are measuring your risks in the same way, whether it’s in ordinal numbers or any kind of format that makes sense, those risks will be filtered as they rise up through the organisation. So if you have, for instance, 1000 security risks on your risk register, a single figure of risks should be reaching the very top of the organisation. Any more than that is an indication of people not being empowered enough to deal with risks as they emerge. Not everybody in the organisation will be able to address a risk, and so therefore, it needs to be escalated.
Escalation is not a bad thing: it’s about getting people who are better qualified or more capable or have more authority of dealing with something than you are. Not because you are incapable, but because they are in a better position than you to do so. So from the thousands that arise at the very bottom level, only a few will reach the higher levels, where they can be better dealt with.
As far as stakeholder management, it is much easier to deal with senior level stakeholder management and just seeing the very tip of the iceberg. As long as they are empowering everyone else and they can be sure that they have the tools to deal with the bulk of it all, the easier it is. This way you don’t have to deal with this vast spreadsheet concerning every single case. By empowering everybody in the organisation, it is easy for them to see why it is important to deal with risks directly. If the people at the top levels don’t want to deal with the stuff that reaches them, they basically delegate it to somebody else back down, in which case, it is being dealt with in the end.
So filtering is one approach, which is about empowering people at various levels of the organisation to recognise and deal with the risks as they feel appropriate and qualified to do so.
There are two main trains of thought in information security, namely, compliance-based and risk-based. What’s your approach, and why do you think is it more beneficial?
I think compliance is extremely useful, but it is not the be-all and end-all. Let’s say that you are using ISO 27001, for example, where measuring risk is a core part of it. But if all you are trying to do is to get the certification, you’re only engaging in security theatre. You’re only doing what is required to get the auditor happy and you are ticking things off and writing procedures, but nobody really knows anything about it. Nobody is paying any actual attention to it, apart from that one day in which you make sure that the right people are in the right office, and the auditor has that long lunch that you need, etc. So it’s a start, but it is not the way to go.
Whereas a proper risk-based approach will actually make that conversation continue way beyond the initial compliance. It’s a bit of an old argument “compliance doesn’t equal security”, which it can be if it is taken in the right sense and with the right approach. But all too often, organisations will stop at compliance and not continue with real risk-based security. An example of that is a risk register that is only looked at once a year: that is compliance. A risk register should be looked at on a regular basis to ascertain that risks haven’t changed, or if likelihoods haven’t changed, or if exploitations have changed, if risk appetites have changed within the organisation, for example. If it becomes a living and breathing document, then you are looking more at a risk-based approach to security. If it’s just a mechanical once-a-year, tick-tick-tick format, then you are in a compliance environment.
What should companies do in order for them to shift from this traditional compliance approach to the risk-based one?
I think that it is about coming back to understanding what are the benefits of security and the objectives of the business. If you can connect the benefits of your security program to the ability for a company to sell more of its products, to safely enter riskier markets (because they are able to handle their data more securely), to give confidence to their clients, to bring confidence to the industry (or to whatever regulatory body that looks after them), then that’s when you can actually get more done as a result of your security program. If you are just doing security for security’s sake, we go back to being just a conscience again.
So it’s about connecting your security programme to the goals of the business. If you haven’t even read your company’s annual report, how do you know what your security programme is supporting? If you haven’t attended a shareholder meeting or an earnings call, you can’t really know what you are doing. You only have to do this a few times to get your bearings. If you don’t understand what the core purpose of the business is, how can you actually align your security with it? It’s like IT giving out computers with Linux and Open Office when the company actually needs Windows with Microsoft Office. Linux and Open Office are perfectly acceptable approaches, but the choice for them is not aligned with the business’ needs, which probably include cross-compatibility and other functions that only Microsoft Office can do. If you don’t know what the business needs from security, you need to find out: talk, listen, read, whatever it takes to find out what it is that the business needs from you.
Let’s say that you are assigned as security manager within a company. What are the first things that you would do in your first weeks?
You need to talk: you talk as broadly and as highly as you need to understand where you are standing and what is required. Talk to as many people as possible. For instance, if you are in a manufacturing plant, you start by talking to the people on the shop floor and see how they operate. Talk to the shift leaders and the managers there. If you are consultancy, start by talking to the programme directors, to the business development people and to the partners. It doesn’t matter where you are: start talking from the ground upwards, so you actually understand what it is they do and how they do it, what they need and what they know.
These conversations might be very short, or you might run into people who don’t know much, in which case you are starting with a blank slate and you can bring your own influence onto them. If the floor leader tells you that smokers are leaving the shop doors open to go have their cigarette break, well, that’s a problem you have already identified. It’s a small issue, but potentially important. If you start solving their problems, perceived or otherwise, then you start to build fanatical advocates for security.
If you understand that the CFO’s primary goal is to ensure that he’s able to get reports and the payroll out on a monthly basis, then you can start focusing more on the integrity and availability of the data. You can then prioritize for a disaster-recovery and business continuity, so that they have the confidence that what you are actually doing is helping them do their job more easily and they are able to sleep at night. If you CFO is staying awake the night before payday because he’s not sure if his Oracle systems are going to stay up and running overnight, then that’s a problem that you can fix. So you need to communicate, talk and listen: in fact, listen twice as much as you talk, because you’ve got two ears and one mouth, and find out what peoples’ problems are, perceived or otherwise.
Nasim Taleb in his book The Black Swan provides the following examples of Mirage Casino’s four largest losses:
- $100 million from a tiger mauling
- Unsuccessful attempt to dynamite casino
- Neglect in completing tax returns
- Ransom demand for owner’s kidnapped daughter
How many of these losses could’ve been identified and managed appropriately?
John Adams in his research Risk, Freedom and Responsibility suggests that “Risk management is not rocket science – it’s much more complicated.” He further elaborates on this point in his research: “The risk manager must […] deal not only with risk perceived through science, but also with virtual risk – risks where the science is inconclusive and people are thus liberated to argue from, and act upon, pre-established beliefs, convictions, prejudices and superstitions.”
According to Adams, there are three types of risk:
- Directly perceptible risks are dealt with using a proper judgment. “One does not undertake a formal, probabilistic, risk assessment before crossing the road.”
- Risks perceived through science are subject to formal risk managementprocess. “Here one finds not only biological scientists in lab coats peering through microscopes, but physicists, chemists, engineers, doctors, statisticians, actuaries, epidemiologists and numerous other categories of scientist who have helped us to see risks that are invisible to the naked eye. Collectively they have improved enormously our ability to manage risk – as evidenced by the huge increase in average life spans that has coincided with the rise of science and technology.”
- Virtual risk is not perceived through science, hence people are forced to act based on their convictions and beliefs.“Such risks may or may not be real, but they have real consequences. In the presence of virtual risk what we believe depends on whom we believe, and whom we believe depends on whom we trust.”
Klein in his Streetlights and shadows: searching for the keys to adaptive decision making suggests the following issues with risk management:
- It works best in well-ordered situations
- Fear of speaking out may result in poor risk identification
- Organisations should understand that plans do not guarantee success and may result in a false sense of safety
- Risk Management plans may actually increase risk.
Klein also identifies three risk decision making approaches:
- Prioritise and reduce
- Calculate and decide
- Anticipate and adapt
To illustrate individual’s decision-making process while dealing with risk, Adams introduces another concept called “Risk thermostat”
The main idea behind it is that people vary in their propensity to take risks which is influenced by the perception of risk, experience of losses, and potential rewards.
People tend to overestimate spectacular but rare risks, but downplay common risks. Also, personified risks are perceived to be greater than anonymous risks.
The protection measures also can be introduced to only increase perceived security, rather than implement actual mechanisms. A possible example might be using National Guard in airports after 9/11 to provide re-assurance. However, such a security theatre has other applications in relation to motivation, deception and economics.
Finally, Adams discusses the phenomenon of risk compensation and appropriate adjustments which take place in the risk thermostat. He argues that introducing safety measures changes behavior: for example, seat belts can save a life in a crash, so people buckle up and take more risks when driving, leading to an increased number of accidents. As a result, the overall number of deaths remains unchanged.