Thursday, April 26, 2007

Go Ask Alec Baldwin

SSL apostate Ian G. refers to an article on estimation of loss due to a privacy breach.

I think we are measuring the wrong thing, and operating on these assumptions is dangerous.

From the article, a Forrester analyst says:

"After calculating the expenses of legal fees, call centers, lost employee productivity, regulatory fines, stock plummets, and customer losses, it can be dizzying, if not impossible, to come up with a true number."
The $90 - $305 range smacks of too much precision and not enough accuracy. Only software project managers can get away with ranges like that. These numbers are more harmful than worthwhile. Most of these factors are not driven by record count (legal fees, stock plummets or lost productivity). Record-specific costs are generally lower (call center and postage - and if you lose enough records, you don't even have to mail notices). So let's just call it BTUs per furlong and call it a day. And I don't think "customer losses" is as important in assessing the risk as "losses to customer."

The next Forrester quote underlines the problem I have with the general corporate thinking about privacy breaches:
"Previously, when a company had a data breach, a response team would fix the problem and test the mitigation, then the company would resume normal activities. Now we have to spend time on public relations efforts, as well as assuring both customers and auditors that new processes are in place to guard against such breaches in the future."
The reason you could get away with just fixing it and moving on was because the company did not lose anything it owned. What it lost was owned by its customers. Losing one bit of highly sensitive data about one litigious customer could cause more damage than a dozen laptops filled with the SSNs of 10 million people.

It's the "loss to the customer" that will drive your high dollar PR and legal efforts, which have scale, and can dwarf your call center and postage costs in an afternoon.

I'd like to take the data, rehash it according to type of breach, sensitivity of data and litigiousness of customer. Then I think you'd start on the road to a meaningful metric.

Tuesday, April 24, 2007

The Red, Yellow and Green Legos of Judgment

I'm out here in Coyote and Roadrunner land, knee deep in internal auditing. I co-presented yesterday on privacy, as a co-author of an Institute of Internal Auditing publication.

It's been an interesting couple of days, driven in part by the isolation of the location. As attractive as a golf/casino resort may sound, it's not so groovy if you don't golf, don't gamble and didn't have the foresight to rent a car. I can meditate on the cacti, and read. I packed a couple of books to get me in and out of the Internal Auditing mindset: The Digital Person by Daniel Solove (highly recommended), a Kierkegaard anthology (because what is auditing but fear, trembling, and sickness unto death?) and Nassim Nicholas Taleb's The Black Swan (I've been alternately writing "YES!" and "BULLSH*T!" in the margins. (It's my policy to keep the margins safe for work.))

But this morning I had my own inverse Damascus moment, as Bill Power (if that is his real name) of the PCAOB was giving the assembled throng his information technology application auditing method, as demonstrated through a manufacturing case study. It was interesting enough as analyses of manufacturing financial systems go (yes, exactly that interesting), but at the end of his case study it seemed to me that he just plopped Red, Yellow and Green Legos into the risk spaces in his spreadsheet, and chalked it up to judgment. In fact, one of the slides read something like "RISK ASSESSMENT IS ALL JUDGEMENT" (I'd quote directly, but his presentation is not on the conference CD-ROM. I do remember he spelled "Judgment" with two "E"s.)

O.k. Sure. Risk assessment without judgment is pretty worthless. And auditors have an obligation to use their judgment to assess risk. Nonetheless, it doesn't seem worthwhile to go through all this spreadsheetin' and flowchartin' just to get to the point where you pull red, yellow and green Legos out of your velvety Audit Sack of Judgment and snick-snack them onto the financial information systems and processes master control grid. How about the stuff you don't understand well enough to apply judgment? I'm getting the idea that it's called "Out of Scope."

At what point does "judgment" intersect with "caprice"?

Go ahead, call me naive (if you haven't already). But it's getting dark, and I'm going to see if the cows come back to the hotel parking lot again tonight. This time I'll be ready.

Photo courtesy of The Bill.

Tuesday, April 17, 2007

Apocalypse Pooh

It's a grim world around us. A mass murder turns into a cynical ploy to promote and condemn any issue you care to name, or exploit the grief for naked profit.

How can I deal, in the short term, except for a brief absurd laugh?


Thanks to the Moonshine Mountaineer for the Youtoobage.

Wednesday, April 11, 2007

Sweet Fancy Moses

Lots of odd stuff (mostly from Pogo & Fergie):

Why Justice Went Blind - The courthouse security folks in El Paso County can see you nekkid.
"The new machine will not replace the metal detectors already in use at the judicial complex. Instead, it will replace two of the security guards who use wands to screen entrants that set-off the metal detectors. The board of commissioners estimates by replacing the guards with the body scanner the county will save $64,704 a year."
Outstanding! You can see my ass, and fire two guards!

Consumers Are JUMPY! "77 percent of Javelin's respondents said they intend to stop shopping at sites that have experienced data breaches." Well, I'm firing Trans Union, the IRS & Travis County!

ID Theft-O-Meter! - Hold on, where do I put the cost of monitoring my own credit, talking to the police, time spent in jail on false arrest, higher interest rates after a company is careless with my own data? Oh... It's for the corporations that lost it. The REAL victims!

NETCOSM! - Just plain cool. I remember something similar years ago, where you used DOOM maps to kill processes on FreeBSD. Yes! PSDOOM.

In defense of controls

Alex is pretty down on ISO 17799.

I think the reasons are that he sees organizations substituting ISO 17799 for risk management FAIR style. Instead of calculating a realistic, customized risk profile, an organization pulls ISO 17799 (or COBIT, though COBIT is less specific to security) off the shelf. The specific controls in the 10 areas are implemented, and therefore they are secure, and risk-free. However, a focus on these areas may not appropriately address the real risk to the organization, and may result in inefficient and ineffective use of resources. (I hope he'll correct me if I'm wrong.)

I think he's right if that is how the standards are implemented, but it is not necessarily the only way they can be used. I'm thinking that if used properly, ISO 17799 could help in implementing controls to reduce the risk identified. He cites an example of using metrics to manage patches. I see it this way:

Risk analysis identifies areas for control.
High value assets on exposed servers are vulnerable to complete compromise from any weak-ass hax0r wannabe, because of well known problems in the OS. The vendor has issued patches, and continues to issue patches on a routine basis.

The control is implemented.
Defining the control is where ISO and COBIT would come in. Once you have decided that it should be done, it can answer the question of how. If others have discovered a way to control the situation that works reliably, I don't see why you wouldn't want to use it. Engineers and accountants do it all the time. At the same time, it must be optimized to meet not only your specific risks, but also your environment and culture. Striking the balance between the universal and the specific is the challenge that standards face.

The effectiveness of the control is measured.
A metric could be used to determine the effectiveness of the control, as well as the appropriateness. If you are unable to tell if a control is functioning, it is hard to tell if it is effective. If the server team does not adequately test the patches, or places lower risk items higher in the work queue, your risk is not being mitigated when you think it should be. An armed guard isn't an effective control if he's asleep all the time.

The way I see it, risk assessment is necessary to prioritize controls. Controls are used to manage risk. And metrics are used to measure the effectiveness of controls. There are multiple ways any of these can go wrong, but it's a beautiful evening and my motorcycle needs exercise.
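The three steps above (risk analysis picks the target, the standard defines the control, a metric checks it is actually working) as a worked example, added here and not from the post or from FAIR, ISO 17799 or COBIT. The patch inventory is constructed, and the risk weighting (asset value times exposure) and the 7/30-day SLA are assumptions chosen to illustrate the idea; the metric reports how much risk weight was patched inside its SLA, and it also surfaces the "lower risk items higher in the work queue" failure the post describes.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class PatchRecord:
    host: str
    criticality: int         # asset value to the business, 1 (low) .. 5 (high)
    exposed: bool            # reachable from the Internet?
    released: date           # date the vendor released the patch
    applied: Optional[date]  # None = still missing on this host

# Constructed sample inventory, not taken from any real environment.
TODAY = date(2007, 4, 30)
SAMPLE: List[PatchRecord] = [
    PatchRecord("web01",      5, True,  date(2007, 4, 1), None),
    PatchRecord("db01",       5, False, date(2007, 4, 2), date(2007, 4, 6)),
    PatchRecord("intranet01", 2, False, date(2007, 4, 3), date(2007, 4, 5)),
    PatchRecord("kiosk01",    1, True,  date(2007, 4, 1), date(2007, 4, 20)),
]

def risk_weight(rec: PatchRecord) -> int:
    """Step 1, risk analysis: value times exposure (assumed weighting)."""
    return rec.criticality * (2 if rec.exposed else 1)

def sla_days(rec: PatchRecord) -> int:
    """Step 2, the control as defined: high risk within 7 days, the rest within 30 (assumed)."""
    return 7 if risk_weight(rec) >= 8 else 30

def days_open(rec: PatchRecord, today: date) -> int:
    return ((rec.applied or today) - rec.released).days

def control_effectiveness(records: List[PatchRecord], today: date) -> float:
    """Step 3, the metric: share of total risk weight patched inside its SLA (1.0 = control works)."""
    total = sum(risk_weight(r) for r in records)
    on_time = sum(risk_weight(r) for r in records
                  if r.applied and days_open(r, today) <= sla_days(r))
    return on_time / total if total else 1.0

def queue_inversions(records: List[PatchRecord]) -> List[Tuple[str, str]]:
    """Pairs (higher, lower): a lower-risk patch released no earlier was applied while the higher-risk one was still open."""
    out = []
    for a in records:
        for b in records:
            if (risk_weight(a) > risk_weight(b) and a.released <= b.released and b.applied
                    and (a.applied is None or a.applied > b.applied)):
                out.append((a.host, b.host))
    return out

if __name__ == "__main__":
    print(f"risk-weighted patch compliance: {control_effectiveness(SAMPLE, TODAY):.0%}")
    for hi, lo in queue_inversions(SAMPLE):
        print(f"queue inversion: {lo} patched before higher-risk {hi}")
```

A plain "percent of hosts patched" figure would read 75% here; weighting by risk drops it to under half, because the one exposed high-value server is the one still open.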

Thursday, April 5, 2007


New York Magazine article "The Young Invincibles: A Generation Uninsured" discusses the way uninsured 20-30 year olds in New York deal with health risks (link and commentary from Concurring Opinions.)

The article is an interesting study of people who do not participate in the most common health risk management strategy: insurance. Unable to afford it, or "rationally" choosing to be uninsured, they have created their own strategies to minimize exposure. Curtailing snowboarding activities (only the half pipe), daily brushing, and yoga are balanced with careers as bike messengers and retailers. There is a wide range of risk appetites: the bike messenger who feels that "helmets are cumbersome," and an artist who eschews bicycling completely. Maintenance and prevention are expensive or inconvenient, so the Invincibles' focus is on the severe or catastrophic cases.

Are there corporations out there that believe themselves to be "invincible"? Is this the sort of attitude that prevents real security from becoming embedded into a corporate culture? No doubt possible. Also likely is the false sense of security associated with "compliance" as a risk mitigation technique. SOX is like a bicyclist's helmet ("too cumbersome"). PCI is like brushing your teeth every day. No one condemns daily brushing, but it won't help when you get a kick in the teeth.

(I recall my own period of "invincibility." Working without insurance as a deckhand on a towboat on the Ohio, Tennessee and Cumberland Rivers, I didn't see the dangers of hopping from barge to coal soot covered barge, lugging 90-lb ratchets and wire, all risk mitigated by my Redwings and a bump hat. Not until a near death experience while epoxying the inside of a fresh water tank did I think "Hey, what if I get crushed? What if my brain is actually damaged, and no one will ever get my jokes?" Then I sought less perilous employment. With a health and dental plan. So I found my way to the Guild of the Green Eyeshade.)

Men's 8-inch work boot with metatarsal guard courtesy Redwing.

Wednesday, April 4, 2007

One Man's Trash

The righteous fury of Texas Attorney General Abbott was last month stymied by an elite cadre of county clerk ninjas who conjured a shambling legislative behemoth to crush his valiant effort to protect the privacy of Texans.
Abbott screwed his courage to the sticking place, and was not to be denied.

Laying down the latex gauntlet, and taking a dog-eared chapter from a 1987 hacker's playbook, he strikes a meaty vein of SSN laden paydirt in the dumpsters of Radio Shack, a beauty school and a talent agency.

Having done a bit of professional dumpster diving myself, I laud the AG's efforts. Nothing increases a man's disposal awareness more than seeing a dude in a suit digging through garbage.

No doubt the most disturbing part of the story is the sample recovered receipt displayed on the AG's website. I mean, $99.97 for a 2 GB portable drive? With $17.99 for a 12 month warranty? Now that's obscene.

Illustration courtesy Speas.