You CAN Stop Stupid

Stopping Losses from Accidental and Malicious Actions

eBook - ePub

About this book

Around the world, users cost organizations billions of dollars through simple errors and malicious actions. Organizations tend to conclude that there is some deficiency in the users and respond by expanding awareness efforts in an attempt to make more secure users. This is like saying that coal mines should get healthier canaries. The reality is that it takes a multilayered approach that acknowledges that users will inevitably make mistakes or act with malicious intent, and that the failure lies in not planning for that. It takes a holistic approach to assessing risk, combined with technical defenses and countermeasures, layered with a security culture and continuous improvement. Only with this kind of defense in depth can organizations hope to prevent the worst cybersecurity breaches and other user-initiated losses. Using lessons from tested and proven disciplines such as military kill-chain analysis, counterterrorism analysis, and industrial safety programs, Ira Winkler and Dr. Tracy Celaya's You CAN Stop Stupid provides a methodology to analyze potential losses and determine appropriate countermeasures to implement.

  • Minimize business losses associated with user failings
  • Proactively plan to prevent and mitigate data breaches
  • Optimize your security spending
  • Cost justify your security and loss reduction efforts
  • Improve your organization's culture

Business technology and security professionals will benefit from the information provided by these two well-known and influential cybersecurity speakers and experts.

Information

Authors
Ira Winkler, Tracy Celaya Brown
Publisher
Wiley
Year
2020
Print ISBN
9781119621980
eBook ISBN
9781119622048
Edition
1
Subtopic
Operations

II
Foundational Concepts

Ideally, you now have an understanding that the nature of the problem is not that users make mistakes, but that user actions can initiate loss in some form. This matters because it means users do not control the destiny of the organization. Instead, your job is to prevent users from taking potentially harmful actions and then to mitigate whatever loss still results.
However, before we detail a holistic strategy, we need to set the foundation for that strategy. We have to ensure there is common knowledge, if for no other reason than to practice what we preach. While many of the disciplines covered in Part II appear unrelated, they all play a part in ensuring a comprehensive strategy.

4
Risk Management

People often mistakenly assume that “mitigating loss” means preventing all potential loss. That is impossible. There will always be some form of loss in operations. Perhaps one of the best definitions of risk is the one in ISO 27000 (shared with ISO 31000):
Risk is the effect of uncertainty on objectives.
Similarly, we want to be careful about what we mean when we discuss “optimizing risk.” People generally believe that minimizing risk implies you should spend whatever it takes to avoid as much risk as possible. Trying to prevent all risk and loss might cost more to achieve than the actual loss you hope to mitigate.
What you are actually trying to do is manage the loss. The concept of balancing potential loss with the cost of mitigating it is called risk management.
As this book specifically addresses user-initiated loss (UIL), including malice and other potential forms of loss, you need to not just understand the concept of risk management as a whole, but also consider it in the context of mitigating the risk that is inherent in users.
This means you need to open your mind to potentially changing workflows and reducing some capabilities of users within your organization. While there may be some pushback against doing this, the reality is that while you are removing the ability of users to initiate loss, you are often also simplifying the process and making it more efficient at the same time. In Chapter 1, we discussed the timers for cooking at McDonald's. Removing the discretion of the cooks delivers a more consistent product while reducing the stress of “eyeballing” properly cooked food and the inevitable reprimands when food is undercooked or overcooked.
In a traditional white-collar environment, there is usually concern about reducing the capabilities of an employee. However, the capabilities being removed are often those that are unneeded or unused. For example, many organizations provide employees with PCs and knowingly or unknowingly provide those employees with administrator access to their PCs. Having administrator access can enable the employee to potentially make more use of the PC, for example by giving them the ability to load new software, perform preventative maintenance, and so on. However, not all users will perform preventative maintenance how and when they should, and the software they load can create security vulnerabilities due to its source, its configuration, and so on. As a result, having users with admin access also opens the door to more ransomware attacks. In theory, the organization should have a process in place for acquiring software and performing maintenance (generally managed by a technology, security, or management department). Consequently, there are fewer benefits to users having administrator privileges, and those are outweighed by the potential loss.
These are the types of decisions that you have to make during the process of “stopping stupid.” You need to weigh the benefits of giving users specific capabilities against the potential loss those capabilities might cause. This requires a consideration of risk. The better you understand risk, the better you can make such determinations.

Death by 1,000 Cuts

People normally assume that “risk” means the likelihood that something catastrophic is going to happen. In a manufacturing setting, it could mean that an error causes a major recall. From a safety perspective, it could mean that death or a major injury could happen to an employee or a client. From an IT perspective, it could mean that something causes a major network outage and takes down the organization. There is a fallacy that addressing risk merely means that you should try to prevent a disaster from occurring.
A smart risk reduction program looks at the breadth and depth of risks, large and small. The reality is that small risks, in aggregate, add up to major losses. This is the metaphorical death by 1,000 cuts, where a single cut is inconsequential, but with enough cuts, the loss of blood is deadly.
Risk can also include security concerns. The infamous WannaCry worm of 2017 was a worldwide ransomware attack that demonstrably crippled enterprises. While ordinary malware does not usually have the devastating impact of WannaCry, in aggregate, all of the individual incidents combined add up to an impact that could potentially be as significant as, if not worse than, WannaCry.
The concept of total quality management (TQM), discussed in Chapter 12, addresses the fact that small losses throughout a process add up to major losses. For example, if you have a manufacturing process that has 10 steps, and the defect rate is around 1% in each step, your manufacturing process as a whole has a defect rate of roughly 10% (more precisely, the share of units that survive all ten steps intact is 0.99 to the tenth power, so about 9.6% are defective). That is significant.
It is the same with all disciplines involving security and risk. A single incident involving a small loss may not be recorded. In organizations with strong safety programs, every injury reported, from a small cut to death, is recorded and tracked. However, in most organizations, few incidents are recorded and tracked. As we talk about risk management and security programs deserving more attention and resources, a significant way to begin to improve results is to record and track as many incidents as possible.
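The two claims above, that many small incidents can add up to a WannaCry-sized loss and that per-step defect rates compound across a process, are easy to check once incidents are actually recorded. The following Python is an added example, not code from the book or its authors: the incident records and their dollar figures are constructed for illustration, and the 10,000-dollar cutoff used to separate “small” incidents from the headline one is an arbitrary assumption.

```python
"""Aggregate a constructed incident log to show that many small losses can
exceed a single headline incident, and compute a compounded defect rate
across a multi-step process. Added example; all figures are made up."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    category: str    # e.g. "phishing", "misdirected_email"
    loss_usd: float  # direct loss plus response cost, as recorded


# Constructed sample log (not real data): one large ransomware event and
# many small incidents of the kind most organizations never record.
SAMPLE_INCIDENTS = [
    Incident("ransomware", 250_000.0),
    *[Incident("phishing", 1_800.0) for _ in range(60)],
    *[Incident("misdirected_email", 600.0) for _ in range(120)],
    *[Incident("malware_cleanup", 2_200.0) for _ in range(40)],
]

# Assumed cutoff: anything below this is a "small" incident.
SMALL_INCIDENT_THRESHOLD_USD = 10_000.0


def loss_by_category(incidents):
    """Count and total loss per category; the report you can only produce
    if small incidents are tracked at all."""
    totals = defaultdict(lambda: {"count": 0, "loss_usd": 0.0})
    for inc in incidents:
        totals[inc.category]["count"] += 1
        totals[inc.category]["loss_usd"] += inc.loss_usd
    return dict(totals)


def largest_vs_aggregate_small(incidents, threshold_usd):
    """Return (loss of the single largest incident, summed loss of all
    incidents below threshold_usd) so the two can be compared directly."""
    largest = max((i.loss_usd for i in incidents), default=0.0)
    small = sum(i.loss_usd for i in incidents if i.loss_usd < threshold_usd)
    return largest, small


def compounded_defect_rate(step_rates):
    """Probability that a unit is defective after passing through every
    step: 1 - product(1 - p_i). The text's 'roughly 10%' for ten 1% steps
    is the small-rate approximation sum(p_i); this is the exact value."""
    survive = 1.0
    for p in step_rates:
        survive *= 1.0 - p
    return 1.0 - survive


if __name__ == "__main__":
    for cat, row in sorted(loss_by_category(SAMPLE_INCIDENTS).items()):
        print(f"{cat:18s} {row['count']:4d} incidents  ${row['loss_usd']:>12,.0f}")
    largest, small = largest_vs_aggregate_small(
        SAMPLE_INCIDENTS, SMALL_INCIDENT_THRESHOLD_USD)
    print(f"single largest incident: ${largest:,.0f}")
    print(f"aggregate of small ones: ${small:,.0f}")
    print(f"ten steps at 1% each:    {compounded_defect_rate([0.01] * 10):.2%}")
```

With these constructed figures the 220 small incidents total more than the single ransomware event, which is the book's point: the aggregate only becomes visible if every incident, however minor, is recorded.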

The Risk Equation

To address UIL, you need to understand where it comes from. You also need to know where and how to mitigate the loss, and even whether you want to do so in the first place. That might sound counterintuitive. Clearly, you want to mitigate loss as effectively as possible, but only when it makes sense to do so. Sometimes mitigating a particular loss is more expensive than simply letting it happen.
To make these determinations, you need to understand how to approach them rationally. Unfortunately, there are many ways people react irrationally when it comes to loss. It is easy to get overwhelmed by anxiety and uncertainty when thinking about loss. It is also easy to be lulled into a false sense of security and ignore loss altogether, because a major loss seems so unlikely, while a minor loss seems unnecessary to worry about.
A similar problem is when organizations resign themselves to loss as a seemingly inevitable cost of doing business. This fallacy is where the sentiment of the user as the weakest link comes from. There is always something that can be done, but organizations, or more specifically, the people within the organization responsible for addressing the problem, don't know where to start or perceive it as useless to try.
To approach risk more rationally, it helps to think of it in terms of value, threats, vulnerabilities, and countermeasures and how they relate to each other. Figure 4.1 represents these concepts as a high-level equation.
Figure 4.1 The risk equation
Looking at Figure 4.1, value is what is at stake. Threats are entities that will do you harm if given the opportunity. Vulnerability is a weakness that can result in harm if exploited. Countermeasures are efforts to mitigate a potential loss.
With specific regard to UIL, we want to differentiate between a threat and a vulnerability. For the purposes of dealing with UIL, you need to understand that a user is actually also a threat. As a threat, users cannot actually initiate loss unless there are vulnerabilities that allow them to do so. And even then, the threat can't successfully exploit those vulnerabilities unless there are insufficient countermeasures to prevent them from doing so.
In other words, yes, a user may have a moment of carelessness or malicious intent. However, the resulting action cannot result in loss unless there is both an environment that allows that user's action to initiate loss and insufficient countermeasures to mitigate that loss. When you understand and embrace the concept of risk from this perspective, you can begin to see that UIL is clearly an addressable problem.
In the sections that follow, we will examine each of the elements of the risk equation, beginning with value.
NOTE The risk equation discussed in this chapter is a high-level representation to help deal with risk on a conceptual level. It isn't a mathematical formula intended to be directly used with quantifiable figures. Although some disciplines, such as actuarial science, attempt to quantify risk for business purposes, that isn't our focus. We do, however, discuss practical metrics throughout the book, particularly in Chapter 10.

Value

Value is perhaps the most important element of risk. It is essentially what you have to lose. More important, it is both separately identifiable elements and their totality that you have to lose. Too many organizations and decision-makers misperceive the value that is at risk. Either they have a myopic view as to what value is exposed to loss or they underestimate the potential for overall value to be lost.
Consider, for example, the infamous 2014 Sony Pictures hack, in which North Korea attacked Sony in retaliation for the movie The Interview, which depicted the killing of North Korea's leader, Kim Jong Un. Years before the attack, a Sony Pictures information security executive was quoted in CIO magazine as saying that he would not spend $10,000,000 to prevent a $1,000,000 loss. While the logic was sound, the underlying assumption about the potential loss was incredibly wrong. Sony didn't lose $1,000,000 in the incident. The combined loss from the interrupted release of the movie, the incident response, the compromise of PII of Sony employees, the embarrassment resulting from leaked emails, operational interruption, and so on, cost Sony in excess of $150,000,000.
Unfortunately, there a...

Table of contents

  1. Cover
  2. Table of Contents
  3. Title Page
  4. Introduction
  5. I: Stopping Stupid Is Your Job
  6. II: Foundational Concepts
  7. III: Countermeasures
  8. IV: Applying Boom
  9. Index
  10. End User License Agreement