Metrics and Methods for Security Risk Management

Carl Young

eBook - ePub, 296 pages, English
About This Book

Security problems have evolved in the corporate world because of technological changes, such as the use of the Internet as a means of communication. As a result, the creation, transmission, and storage of information may themselves represent a security problem.

Metrics and Methods for Security Risk Management is of interest, especially since the 9/11 terror attacks, because it addresses the ways to manage security risk in the corporate world. The book aims to provide information about the fundamentals of security risk and its components, an analytical approach to risk assessment and mitigation, and quantitative methods to assess the risk components. It also discusses the physical models, principles, and quantitative methods needed to assess those components. The by-products of the methodology include security standards, audits, risk metrics, and program frameworks. Security professionals, as well as scientists and engineers who work on technical issues related to security problems, will find this book relevant and useful.

  • Offers an integrated approach to assessing security risk
  • Addresses homeland security as well as IT and physical security issues
  • Describes vital safeguards for ensuring true business continuity


Information

Publisher: Syngress
Year: 2010
ISBN: 9781856179799
Chapter 1. Security threats and risk
Threats are illogical. — Sarek.
“Journey to Babel,” Star Trek, Stardate 3842.3
1.1. Introduction to security risk or tales of the psychotic squirrel and the sociable shark
Ask a hundred people to state the difference between threat and risk and you will likely get a very diverse set of answers. I often ask this question when interviewing candidates for a security-related job. Even those who assess risk for a living are often stumped when asked for a working definition of these two terms. To complicate matters, colloquialisms abound to include “managing risk,” “risk relevance,” “concentration of risk,” “risk free,” and “risk averse.” Each implies something tangible if not downright quantifiable.
Many of us rely on intuition biased by cultural norms and wishful thinking to make important decisions that one might broadly characterize as “risky.” These decisions include buying and selling property, taking a job versus attending school, and even (or especially) getting married. Is intuition alone sufficient to reach appropriate decisions in these matters? More generally, how well equipped are we to assess risk and how successful are we at doing so?
Although engaged couples probably do not want to think of marriage as a problem in risk management, one might get a completely different perspective from the legions of divorced couples. Let's examine what I unromantically choose to call marital risk. More precisely, we wish to examine the likelihood that a marriage contract between two individuals (any gender) will be terminated before death does them part.
Unfortunately I am not certain there is a reliably predictive model for marital risk factors. I instinctively feel such deliberations are better left to the numerous books on interpersonal relationships found in the self-help sections of bookstores. Most couples probably assume the standard marital problems apply to everyone else as they blissfully stroll down the aisle and enter the ranks of a very robust statistical model.
However, it may be relevant to point out that according to generally accepted but admittedly anecdotal reports, between 40 and 50% of all marriages in the United States end in divorce. Despite the universal optimism on the part of newly married couples, divorce lawyers continue to make a nice living. Does marriage carry a special form of risk or is the decision to marry so burdened by emotion that people just ignore the risk factors? Is each case so unique that historical data are irrelevant? The reliability of predictions on the likelihood of future incidents based on historical precedent is an especially critical issue and is often encountered in security risk scenarios.
There seems to be little question about the right way to mitigate the financial risks associated with marriage: the arguments for a prenuptial agreement seem downright compelling. This is especially true if one or both parties have any appreciable assets. Imagine contemplating another type of business arrangement where there was a 40 to 50% historical likelihood of failure. Would you hesitate in obtaining some form of insurance, especially a policy with relatively low premiums that clearly offers an effective hedge against potential losses?
Hopeless romantics might argue that the presence of the agreement enhances risk. Possibly so, but a low-cost agreement that limits the exposure to financial loss certainly sounds like a good idea. This notion probably resonates more with those who have been divorced and have the scars to prove it. Why are these agreements not standard practice? Why is there such resistance to the idea? One guess is that emotion has a vitiating effect on some risk decisions. Sadly, I believe that most marriages utilize a common and flawed risk mitigation strategy of assuming a low likelihood of threat occurrence (i.e., divorce) at the expense of threat vulnerability. This very issue will be discussed in more depth when the psychotic squirrel and the sociable shark are introduced.
Let's take a step or two back in time and speculate on how our ancestors may have dealt with decisions that were critical to their survival. Our prehistoric forebears probably had to do some serious risk assessing when facing the threat of a hungry saber-toothed tiger. It might be surmised that on average our distant relatives made the better risk decisions since we are still around and the poor feline has been relegated to a fossilized relic. In fairness, other forces probably contributed to the animal's demise, but it is clear that humans have been the more resilient of the two species.
Even if such judgments served humans well thousands of years ago, it is not clear that the “fight or flight” instinct is particularly relevant to humans nowadays. In the old days, the consequences of a bad choice were clear-cut, and over time, the forces of evolution were unforgiving. Less adaptable species succumbed to extinction. Although possessing inferior physical prowess when compared to the tiger, humans shifted the odds in their favor through superior intellect. They developed weapons and techniques that were incorporated into increasingly successful hunting strategies. In the process they might have developed an intuition about the risk of confrontations in general. Some of their less cerebral adversaries continued to rely on instinct for survival, and instinct alone for some species proved to be a losing strategy in the face of unassailable forces.
Humans thrived as other species became extinct through predation, changing climates, natural disasters, etc. This might support the notion that humans continue to be relatively adept at decisions on risks that impact physical survival but are not so adept at other risk decisions. It would be interesting to contemplate the effect on our approach to marital risk if lousy marriages resulted in a 40 to 50% death rate rather than divorce. I suspect those who modified their behavior would be the surviving members of the species and evolve into individuals highly attuned to marital risk.
Consider a common physical threat that we face each day, namely being hit by a car. How many times have you crossed the street in the midst of traffic or even flagrantly ignored the “Don't Walk” signal and miraculously lived to tell about it? Somehow you successfully determined whether you were likely to get flattened and acted appropriately. Maybe it is just not that difficult a problem, although judging from the prevalence of road kill it seems that less enlightened species often get it wrong.
Perhaps we are attuned to the relevant risk factors such as how fast we can run relative to the speed and distance of approaching vehicles. Also, we successfully ignore minor distractions when faced with the prospect of becoming a hood ornament on a late model Mercedes. We tend to concentrate our attention on this problem as we are acutely aware of the consequences of a mistaken calculation.
It is not a stretch to say that most humans are fortunate to muddle through modern life without the need to worry about physical threats to the same degree our ancestors did. That is partly because, for most of those reading this book, the conditions of modern living obviate the need to make the life-and-death assessments our ancestors confronted each day just to survive. Perhaps it is strange that we may not be as well equipped to assess risk associated with modern threats which seem inherently less serious.
Also, as a species we do not seem to be improving much in the risk management department, although evolutionary timescales are quite long so the jury may still be out. My guess is that the effect of evolutionary pressure on modern humans through natural selection has lessened based on our ability to overcome life-threatening hardships through advances in science, engineering, medicine, etc.
Notwithstanding their penchant for self-destruction and a seemingly endless capacity to inflict misery on each other, humans tend to be more rational than other species with which we share this planet. Before qualified academics attack my credibility for such a ridiculous statement, I do not mean that animals do not behave in effective ways that have evolved over time to increase their probability of survival. But through sheer brain power humans have created environments where their daily survival does not depend on a physical response to threats. We now confront risk problems of a different kind. These rely on analytical processes for which evolutionary pressures may not play as significant a role in the survival of the species.
Maybe we can turn to a slice of modern recreational life for insight into the more general problem of risk management. Examples of risk mitigation strategies can be found in baseball, America's national pastime. Endless repetitions of similar scenarios executed under highly controlled conditions provide mountains of historical data that have been used to develop effective methods of “survival” by winning teams.
For example, changing pitchers to counter a particular hitter or aligning fielders to adjust to a hitter's propensity to hit to one side of the field (recall the famous “Ted Williams shift”) are examples of standard moves that might be witnessed in any game. Each move represents a calculated effort to strategically decrease the odds of your opponent scoring runs. Conversely, the team at bat has its own set of strategies intended to improve the odds of scoring runs. Both the offense and defense in baseball exploit a veritable avalanche of statistical data used to evaluate player performance and execute a team's respective strategies.
However, exclusively statistical analyses can lead to counterintuitive results. For example, an interesting analysis was conducted that utilized the full set of batting data from the inception of baseball to the present.[1] That study used a so-called Monte Carlo simulation to estimate the likelihood that a baseball hitting streak would exceed the current record of 56 games. The results were quite surprising. Fifty-six consecutive games by an individual player was not the longest expected streak, and Joe DiMaggio was not the likeliest of hitters to establish the record. The results of this simulation will be discussed in Chapter 4, since they are instructive on several levels.
Statistical representations are inherently generalizations, and probabilities do not imply certainty for a given situation. Each scenario is somewhat unique as players do not react the same way even under virtually identical conditions. Despite the volume of historical information, managers sometimes get burned when playing the odds and other times win big when relying on a hunch. For example, a manager might notice something tentative about a hitter that day or observe a flaw in a pitcher's mechanics and choose to ignore conventional wisdom. If things go well, the team's manager will be hailed as a genius in the next day's sports columns. If they do not go as hoped, the manager will be pilloried and too many gaffes of this kind will result in a precipitous loss of dugout privileges. Expectations and accountability run high in the transparent world of professional sports.
Statistical rigor alone is not always sufficient to minimize risk even in a highly structured world like baseball. So despite fantasies to the contrary, even the most intense math geek would not necessarily be a successful baseball manager. Consistently successful managers probably combine attention to statistics with leadership and intuition, the latter garnered through years of playing or managing. Paraphrasing a line from the film From Russia with Love: practice is nice but experience is everything. My contention is that analytical rigor and intuition based on experience are both relevant to evaluating risk. Furthermore, I suspect that individuals who are able to apply both in the correct proportion and at the right time are most likely to be successful in their respective endeavors.
I often successfully exploit intuition based on experience to make rough estimates of risk that affect my behavior. For example, when I go running in Central Park I am completely unfazed by the prospect of sharing the turf with the many squirrels that call this urban sanctuary home. Experience has taught me that the average squirrel would not attack humans and that it would be an extraordinarily hostile or demented little beast who would do so. Based on countless observations, I have informally concluded that squirrel behaviors are benign with respect to humans and a display of unprovoked aggression by a squirrel would represent an extremely rare event.
However, and this is an important point, even if I have misjudged the potential for an attack I am confident that I could fend off my assailant based on my modest size advantage. Therefore, in addition to an assessment of the potential for an attack as low, my vulnerability to injury is limited. I might add that I do not feel the same about large dogs or neurotic parents pushing strollers, so I assiduously avoid crossing their respective paths whenever possible.
It seems okay to grossly misjudge the likelihood component of risk if it can be compensated for by reducing the vulnerability to loss. But it is very important to correctly identify and understand the relative contributions of each component when assessing and mitigating risk, especially if your life depends on it. Surprisingly, even the smartest people get it wrong when leveraging personal experience to make judgments on risk; sometimes with significant consequences.
I observed a fantastic example of this while viewing a DVD on sharks. A prominent ichthyologist was demonstrating the indifference of bull sharks to humans as he and a journalist stood in waist-deep water with a school of these 500 lb. eating machines. As the sharks circled gracefully about their human hors d'oeuvres, the journalist nervously mentioned that he would only tempt fate in this way if accompanied by this world renowned scientist. This gives new meaning to the admonition “Don't try this at home” and is clearly nonsensical. When your plane is about to crash, it doesn't help that Chuck Yeager is sitting next to you…unless he's flying the plane.
No sooner had the ichthyologist finished remarking how the sharks were oblivious to humans, presumably confirming his theory of shark behavior, when one of his heretofore indifferent swimming partners took a big bite out of his calf. In fact, the animal came close to dragging him off to deeper water to finish the job. It seems the ichthyologist may be a good biologist but is downright lousy at risk management.
The mistake here seems obvious to anyone who has ventured into water outside of a bathtub, but let's be precise. First, he misestimated the potential for bad things to happen even though he has probably observed sharks many times. My guess is that this gruesome event is not the statistical outlier in the same way as my fantasized encounter with a psychotic squirrel. What is absolutely certain is that the shark expert believed that a smallish likelihood component of risk would compensate for a rather significant vulnerability component; severe injury or death was always just one chomp away. The expert was supremely confident in his understanding of shark behavior and clearly assessed the potential for an attack as low.
Maybe the likelihood component of risk in this scenario is indeed low and the incident is a statistical outlier in the spectrum of possible shark behavioral outcomes (it would be difficult to do a simulation similar to the one analyzing hitting streaks in baseball). However, I would venture a guess that “average” bull shark behavior toward humans is considerably different than that of squirrels, and that even a small deviation from bull shark average behavior might be considered extremely aggressive. In statistical terms, the distribution of bull shark behaviors is quite narrow and peaks at about a relatively aggressive mean value. To put it more graphically, if our ichthyologist attempted this foolishness a million times there is a decent chance he would be missing a few body parts.
But the more salient problem from a security risk manag...