Security decision making
Dear security friends,
I've been planning for a long time to work on a paper/presentation about security decision making. I was planning to talk with different security professionals to hear about how their decision making process works and where it can be improved. But I've just realized that Google Wave is the perfect tool for a collaboration job like that. I will, of course, provide the proper credits to anyone who contributes. :-)
Well, some classification and taxonomy first. I think we could try to break decision making down by:
- Scope: it can be from a single application to a whole organization. I'm quite sure that the process changes from one to another, so it makes sense to consider it.
- Type of decision: what is the goal of the decision? The most common are:
  - Trade-offs: the famous control x productivity impact
  - Cost: should I take the risk or pay to reduce/eliminate it
  - Control prioritization: among all those security controls, which one should I implement first?
  - Risk prioritization: among all those risks, which one should I tackle first?
  - Security optimization: considering all the resources available, how to deploy them in a way that maximizes security (minimizes risk)
- Risk measurement: going through the vanilla process of measuring exposure, impact, threat level, likelihood and getting the resulting risk.
  - Quantitative: ROSI
  - Benchmarking: comparing what others are doing under similar situations
  - Regulatory/compliance: doing it because it is required
  - Metric based: this triggers the whole discussion about security metrics, what should be measured, how, and what the desirable values are.
- There are several issues with the risk assessment methodologies. I don't like the feeling of "educated guess" from the qualitative assessments, and there are a lot of conceptual failures on the ROSI side. Also, the data available is not good enough to generate good impact and likelihood numbers. Some researchers believe we should generate new models to avoid these pitfalls.
- Prescriptive standards: apply more prescriptive regulations, such as PCI DSS, to reduce the "interpretation" issues of more flexible frameworks and methodologies.
So, I'll add people that I think will bring value to this discussion. Please feel free to expand the wave. Let's see where it will take us.
(I also don't know how to invite some people that I know are testing Wave but whom I'm not seeing in my contact list... how do I do it?)
Some interesting references to consider/read about this subject: