Risk paralysis toystore dumps, unicc card
One of the zombie threads on CISSPforum (i.e. one of those discussions that seems to die off … but then a few weeks later comes back from the dead to haunt us all over again) is about quantitative versus qualitative risk analysis. Members of CISSPforum typically fall into one or other camp and the discussions, while interesting and passionate, always seem to generate more heat than light in a security geek’s version of religious war. While fans of quantitative methods point out the need for data to support assertions about information security risks with “facts”, the qualitatives point out the lack of data and various other reasons to rely on “experience” or “gut feel”.
… Meanwhile, Rome is burning …
A fascinating post on the Israeli Software blog draws a parallel with risk analysis methods used by fighter pilots. In a dogfight, pilots are inundated with an avalanche of real-time safety- and mission-critical information coming at them from all manner of systems and senses. Time is very obviously ‘of the essence’ so successful fighter pilots need lightning-quick reactions, but more than that they need to react appropriately. Blogger Danny Lieberman outlines the OODA loop , a risk analysis process originally described by military strategist John Boyd. It’s a cycle with four steps:
Observe –> Orient –> Decide –> Act –> rinse and repeat
Harry Hillaker (chief designer of the F-16) said of the OODA
theory, “Time is the dominant parameter. The pilot who goes through the
OODA cycle in the shortest time prevails because his opponent responds
to actions that have already changed.”
Anyone familiar with ISO/IEC 27001 will probably see similarities with Deming’s PDCA (Plan, Do, Check, Act) cycle. Whatever the precise nature of the steps, cycle time is important in any fast-moving situation. It’s no use ‘fighting the last war’. In many situations, it’s better to make assumptions and move ahead quickly than to procrastinate, provided that the cycle repeats, in other words we need to review our actions in the light of experience and make adjustments where necessary.
ISO/IEC 27005 is a draft information security risk management standard revising the Management of Information and Communications Technology Security (MICTS) standards
ISO/IEC TR 13335-3:1998 and ISO/IEC TR 13335-4:2000. The scope
of ISO/IEC 27005 is to: “provide guidelines for information security
risk management. This International Standard supports the general
concepts specified in ISO/IEC 27001 and is designed to assist the
satisfactory implementation of information security based on a risk
management approach.” Like ISO/IEC 27001 and ‘27002, ‘27005 avoids the issue of whether to recommend quantitative or qualitative risk analysis methods, instead advising organizations to use whichever methods suit them best for the particular situation at hand – note “methods” with the implication that, for example, high level broad scope risk assessment might be supplemented by detailed risk analysis using different methods. If the organization already has well-developed methods for assessing and reacting to risks in other spheres (such as financial risks, legal/compliance risks, health and safety risks etc.), it may even make sense for management to adapt those methods to information security risks rather than be forced into using a specific but unfamiliar method.
Danny sums up his blog entry with a call-to-arms:
“It is clear that the root cause of the increasing spiral of security
breaches is that the attacker community moves much faster than business
Does your organization cycle rapidly, assessing current information security risks, implementing control improvements where necessary and re-assessing risks, or is management locked in the analysis phase, paralyzed like a bunny caught in the headlights? Even worse, is the fruitless discussion about which risk management method is best sapping your strength to analyze anything?
Gary Hinson CISSPPassionate about security awareness www.NoticeBored.com Creative awareness materials www.ISO27001security.com ISO/IEC 27000 standards
toystore dumps unicc card