secure360 on risk
DESCRIPTION
Jay Jacobs & I co-presented on Risk and Risk Management at the wonderful Secure360 conference this spring.
TRANSCRIPT
![Page 1: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/1.jpg)
Challenging Conventional Wisdom: A New Approach to Risk Management
Alex Hutton, Jay Jacobs
![Page 2: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/2.jpg)
What’s this about?
We think you’re getting bad information!
We think our industry can do better!
We think this will make us “more secure!”
![Page 3: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/3.jpg)
Security is now so essential a concern that we can no longer use adjectives and adverbs but must instead use numbers. – Dan Geer
![Page 4: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/4.jpg)
How are you making decisions now?
![Page 5: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/5.jpg)
What’s the quality of those decisions?
![Page 6: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/6.jpg)
Effective Decisions need quality data, models, execution
![Page 7: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/7.jpg)
Our vendors and standards aren’t helping us :-(
![Page 8: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/8.jpg)
hey, why are you getting lousy information from standards and vendors?
![Page 9: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/9.jpg)
hey, why are you getting lousy information from standards and vendors?
The science of information security & risk management is hard
1. Pseudo Science & Proto Science
2. Models & Data
3. Complexity
![Page 10: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/10.jpg)
hey, why are you getting lousy information from standards and vendors?
The science of information security & risk management is hard
1. Pseudo Science & Proto Science
2. Models & Data
3. Complexity
![Page 11: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/11.jpg)
State of the Industry (a) (Thomas Kuhn is way smarter than we are)
proto-science:
- somewhat random fact gathering (mainly of readily accessible data)
- a “morass” of interesting, trivial, irrelevant observations
- a variety of theories (that are spawned from what he calls philosophical speculation) that provide little guidance to data gathering
![Page 12: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/12.jpg)
State of the Industry (b)
At our present skill in measurement of security, we generally have an ordinal scale at best, not an interval scale and certainly not a ratio scale. In plain terms, this means we can say whether X is better than Y but how much better and compared to what is not so easy. – More from Dan Geer
![Page 13: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/13.jpg)
If science is based on inductive observations to derive meaning and understanding, and on measurement on quality (ratio) scales, how about InfoSec?
Where do we sit in the family of sciences?
![Page 14: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/14.jpg)
We’re the Crazy Uncle with tinfoil hat antennae used to talk to the space aliens of Regulus V, has 47 cats, and who too frequently (but benignly) forgets to wear pants.
![Page 15: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/15.jpg)
Take, for example, CVSS
![Page 16: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/16.jpg)
“the Base Equation multiplies Impact by 0.6 and Exploitability by 0.4”
![Page 17: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/17.jpg)
= Shiny Jet Engine x Peanut Butter
![Page 18: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/18.jpg)
adding one willy-nilly doesn’t suddenly transform ordinal rankings into ratio values.
decimals aren’t magic.
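An added example (not part of the talk) to make the ordinal-versus-ratio point concrete. It implements the public CVSS v2 base equation that the quoted 0.6/0.4 weights come from, then re-scores the same two vulnerabilities with a constructed alternative mapping that keeps every label ordering intact (Local still below Network, Partial still below Complete) but resizes two gaps. Such rank-preserving re-mappings are the only transformations an ordinal scale guarantees anything about, and the composite ranking flips under one of them. The two vulnerability vectors and the alternative weights are my own constructions.

```python
"""Added example (not from the talk): why CVSS-style arithmetic on ordinal labels
does not yield ratio-scale numbers. The formula and weights in CVSS2 are the public
CVSS v2 base equation; ALT is a constructed, deliberately different but still
rank-preserving mapping used only to make the point."""

# Standard CVSS v2 label-to-number mappings (public specification).
CVSS2 = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},     # Access Vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},      # Access Complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},     # Authentication
    "CIA": {"N": 0.0, "P": 0.275, "C": 0.660},    # C/I/A impact
}

# Constructed alternative: every scale keeps the same ORDER (Local < Adjacent < Network,
# None < Partial < Complete), which is all an ordinal scale promises, but two gaps are
# resized. A monotone re-mapping like this is an admissible transformation of an
# ordinal scale, so it should not change any conclusion that the scale supports.
ALT = {
    "AV": {"L": 0.05, "A": 0.646, "N": 1.0},
    "AC": CVSS2["AC"],
    "Au": CVSS2["Au"],
    "CIA": {"N": 0.0, "P": 0.6, "C": 0.660},
}


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:L/Au:N/C:P/I:N/A:N' into a dict of metric -> label."""
    parts = dict(item.split(":") for item in vector.split("/"))
    expected = {"AV", "AC", "Au", "C", "I", "A"}
    if set(parts) != expected:
        raise ValueError(f"vector must contain exactly {sorted(expected)}")
    return parts


def base_score(vector: str, weights: dict = CVSS2) -> float:
    """CVSS v2 base equation: (0.6*Impact + 0.4*Exploitability - 1.5) * f(Impact)."""
    v = parse_vector(vector)
    cia = weights["CIA"]
    impact = 10.41 * (1 - (1 - cia[v["C"]]) * (1 - cia[v["I"]]) * (1 - cia[v["A"]]))
    exploitability = 20 * weights["AV"][v["AV"]] * weights["AC"][v["AC"]] * weights["Au"][v["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact, 1)


def rank(vectors, weights=CVSS2):
    """Order the vectors from highest to lowest score under the given weights."""
    return sorted(vectors, key=lambda vec: base_score(vec, weights), reverse=True)


# Two constructed vulnerabilities: a remotely reachable partial-confidentiality bug
# versus a local-only bug with complete C/I/A impact.
REMOTE_PARTIAL = "AV:N/AC:L/Au:N/C:P/I:N/A:N"
LOCAL_COMPLETE = "AV:L/AC:L/Au:N/C:C/I:C/A:C"

if __name__ == "__main__":
    for name, w in (("CVSS v2", CVSS2), ("rank-preserving alternative", ALT)):
        print(name, [(vec, base_score(vec, w)) for vec in (REMOTE_PARTIAL, LOCAL_COMPLETE)])
        print("  ranking:", rank([REMOTE_PARTIAL, LOCAL_COMPLETE], w))
```

Under the standard weights the local bug scores higher (7.2 vs 5.0); under the alternative, which preserves every per-metric ordering, the remote bug scores higher (7.3 vs 5.5). Nothing about the inputs changed, only the arbitrary decimals assigned to ordinal labels, so "7.2 is 44% worse than 5.0" was never a ratio-scale statement.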
![Page 19: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/19.jpg)
hey, why are you getting lousy information from standards and vendors?
The science of information security & risk management is hard
1. Pseudo Science & Proto Science
2. Models & Data
3. Complexity
![Page 20: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/20.jpg)
Data must exist in order to feed our models...
... but creating the right models depends on understanding what data is useful!
![Page 21: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/21.jpg)
Data, Models, Execution: Garbage in-Garbage Out
![Page 22: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/22.jpg)
Data, Models, Execution: Treat Data Poorly
![Page 23: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/23.jpg)
Data, Models, Execution: Adapting to Situations
![Page 24: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/24.jpg)
hey, why are you getting lousy information from standards and vendors?
The science of information security & risk management is hard
1. Pseudo Science & Proto Science
2. Models & Data
3. Complexity
![Page 25: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/25.jpg)
These “risk” statements you’re making...
I don’t think you’re doing it right.
- (Chillin’ Friedrich Hayek)
![Page 26: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/26.jpg)
![Page 27: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/27.jpg)
“Given Newton's laws and the current position and velocity of every particle in the universe, it was possible, in principle, to predict everything for all time.”
-- Pierre-Simon Laplace, 1814
A Comforting Thought...
![Page 28: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/28.jpg)
[Diagram: a whole of 8 split into 4 + 4, then into 2 + 2 + 2 + 2]
Reductionism
![Page 29: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/29.jpg)
[Diagram: the same 8 → 4 + 4 → 2 + 2 + 2 + 2 tree, with question marks on the links between the levels]
Functionalism
![Page 30: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/30.jpg)
[Diagram: an Asset decomposed into Components, then Sub-components, then Attributes; the top-down decomposition is labelled Reductionism, the bottom-up view Functionalism]
![Page 31: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/31.jpg)
Awww man...
“...even if it were the case that the natural laws had no longer any secret for us, we could still only know the initial situation approximately. ... small differences in the initial conditions produce very great ones in the final phenomenon. A small error in the former will produce an enormous error in the latter. Prediction becomes impossible...”
-- Henri Poincaré, 1887
![Page 32: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/32.jpg)
[Diagram: the same tree, but the parts 2 + 2 + 2 + 2 combine into 5 and 6, and those into 13: the whole is more than the sum of its parts]
Holism
Complexity: non-linear
Systems Approach
![Page 33: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/33.jpg)
Complex systems contain changing mixtures of failures latent within them.
The complexity of these systems makes it impossible for them to run without multiple flaws being present.
... individually insufficient to cause failure
...failures change constantly because of changing technology, work organization, and efforts to eradicate failures.
Complex systems run in degraded mode.
“How Complex Systems Fail” - Richard Cook
![Page 34: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/34.jpg)
Security is a characteristic of systems and not of their components
Security is an emergent property of systems; it does not reside in a person, device or department of an organization or system.
... it is not a feature that is separate from the other components of the system.
...the state of Security in any system is always dynamic
“How Complex Systems Fail” - Richard Cook
![Page 35: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/35.jpg)
We may want to rethink our approach.
![Page 36: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/36.jpg)
Overcoming the problem
• Medicine uses an “Evidence-Based” approach to solving problems in the complex system that is the body.
• Dr. Peter Tippett (MD, PhD) applies Evidence-Based principles to Information Security.
![Page 37: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/37.jpg)
What to study: Sources of Knowledge
[Diagram: risk surrounded by the threat landscape, asset landscape, impact landscape and controls landscape]
Suggested context: Capability to manage (skills, resources, decision quality…)
![Page 38: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/38.jpg)
How: Data Quality in Evidence-Based Practice
| Evidence level | Definition |
|---|---|
| D | “Expert opinion without explicit critical appraisal, or based on physiology, bench research or first principles.” |
| C | Case-series study or extrapolations from level B studies. |
| B | Consistent Retrospective Cohort, Exploratory Cohort, Ecological Study, Outcomes Research, case-control study; or extrapolations from level A studies. |
| A | Consistent Randomized Controlled Clinical Trial, cohort study, all or none, clinical decision rule validated in different populations. |
(better → from level D toward level A)
![Page 39: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/39.jpg)
Evidence-Based Risk Management
Columns: State of Nature | State of Knowledge | State of Wisdom
- Evidence level D: Lists; Feeling like we’ve done something
- Evidence level C: Simple derived values with ad-hoc modeling; Outcomes with ad-hoc deductive selections
- Evidence level B: Formal Modeling; Decision making constructs
- Evidence level A: (blank)
![Page 40: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/40.jpg)
Evidence-Based Risk Management
Columns: State of Nature | State of Knowledge | State of Wisdom
- Evidence level D: Lists; Feeling like we’ve done something
- Evidence level C: Simple derived values with ad-hoc modeling; Outcomes with ad-hoc deductive selections
- Evidence level B: Formal Modeling; Decision making constructs
- Evidence level A: (blank)
![Page 41: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/41.jpg)
Evidence-Based Risk Management
Columns: State of Nature | State of Knowledge | State of Wisdom
- Evidence level D: Lists; Feeling like we’ve done something
- Evidence level C: Simple derived values with ad-hoc modeling; Outcomes with ad-hoc deductive selections
- Evidence level B: Formal Modeling; Decision making constructs
- Evidence level A: (blank)
You are here
![Page 42: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/42.jpg)
So How Do We Change?
Data, Models… Standards
START WITH THE OUTCOMES!
![Page 43: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/43.jpg)
Two True Security Outcomes:
Success and Failure
![Page 44: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/44.jpg)
Knowing Success in InfoSec is hard
- Known Success (anti-Threat ops)
- Unknown success (controls work without us knowing)
- Dumb luck (We’re not targeted, but our neighbor is)
![Page 45: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/45.jpg)
Getting the outcomes: Success
![Page 46: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/46.jpg)
Getting the outcomes: Success
stronger processes result in fewer availability incidents
![Page 47: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/47.jpg)
Getting the outcomes - Successes:
- Existence of processes
- Operational (performance) metrics
- Maturity ratings
WHAT WE WANT ARE PATTERNS!
![Page 48: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/48.jpg)
Knowing Failure is (somewhat) easier
![Page 49: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/49.jpg)
Getting The Outcomes: Failures
VERIS | Verizon Enterprise Risk and Information Sharing
VERIS takes the incident narrative and creates metrics (risk determinants)
![Page 50: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/50.jpg)
A free (as in beer*) framework created for metrics, modeling, and comparative analytics.
A security incident (or threat scenario) is modeled as a series of events. Every event is comprised of the following 4 A’s:
- Agent: Whose actions affected the asset
- Action: What actions affected the asset
- Asset: Which assets were affected
- Attribute: How the asset was affected
VERIS | Verizon Enterprise Risk and Information Sharing
![Page 51: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/51.jpg)
INCIDENT REPORT
“An attacker from a Russian IP address initiated multiple SQL injection attacks against a public-facing web application. They were able to introduce keyloggers and network sniffers onto internal systems. The keyloggers captured several domain credentials which the attackers used to further infiltrate the corporate network. The packet sniffers captured data for several months which the attacker periodically returned to collect…”
VERIS takes this:
and…
![Page 52: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/52.jpg)
…and translates it to this…
Event 1
- Agent: External (Org crime)
- Action: Hacking (SQLi)
- Asset: Server (Web server, Database)
- Attribute: Integrity
Event 2
- Agent: External (Org crime)
- Action: Malware (Keylogger)
- Asset: Server (Web server)
- Attribute: Confidentiality
Event 3
- Agent: External (Org crime)
- Action: Hacking (Use of stolen creds)
- Asset: Server, Network (multiple)
- Attribute: Confidentiality, Integrity
Event 4…
[Diagram: the events chained in sequence, 1 > 2 > 3 > 4]
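An added example (mine, not the talk's and not VERIS project code) showing the step the slide describes: the "Field: Category (detail)" event records are parsed into structured 4-A events, validated against an allowed-value list, and counted into the kind of patterns the next slide asks for. The allowed-value sets are a constructed subset built from the slide's own values plus the Internal/Partner agents and the Availability attribute; the real VERIS enumerations are much larger. The three events are the slide's; the elided fourth is left out.

```python
"""Added example (not from the talk or the VERIS project): turning the event records
VERIS derives from an incident narrative into countable metrics. AGENTS/ACTIONS/ASSETS/
ATTRIBUTES are a constructed subset of the real schema's enumerations."""
from collections import Counter
from dataclasses import dataclass
import re

# Constructed subset of allowed top-level values; anything outside it is rejected so
# a typo in a narrative write-up never silently becomes a new category in the metrics.
AGENTS = {"External", "Internal", "Partner"}
ACTIONS = {"Hacking", "Malware"}
ASSETS = {"Server", "Network"}
ATTRIBUTES = {"Confidentiality", "Integrity", "Availability"}


@dataclass(frozen=True)
class Event:
    number: int
    agent: str
    action: str
    assets: tuple        # one event can touch several asset categories
    attributes: tuple


# The three fully specified events from the slide, in the slide's own notation.
SLIDE_EVENTS = """\
Event 1
Agent: External (Org crime)
Action: Hacking (SQLi)
Asset: Server (Web server, Database)
Attribute: Integrity
Event 2
Agent: External (Org crime)
Action: Malware (Keylogger)
Asset: Server (Web server)
Attribute: Confidentiality
Event 3
Agent: External (Org crime)
Action: Hacking (Use of stolen creds)
Asset: Server, Network (multiple)
Attribute: Confidentiality, Integrity
"""

_FIELD = re.compile(r"^(Agent|Action|Asset|Attribute):\s*(.+)$")


def _categories(value: str) -> tuple:
    """'Server, Network (multiple)' -> ('Server', 'Network'): drop the parenthetical detail."""
    value = re.sub(r"\([^)]*\)", "", value)
    return tuple(part.strip() for part in value.split(",") if part.strip())


def _finish(fields: dict) -> Event:
    """Build a validated Event from one parsed block."""
    agent = _categories(fields["Agent"])[0]
    action = _categories(fields["Action"])[0]
    assets = _categories(fields["Asset"])
    attributes = _categories(fields["Attribute"])
    for value, allowed, name in ((agent, AGENTS, "agent"), (action, ACTIONS, "action")):
        if value not in allowed:
            raise ValueError(f"unknown {name} {value!r} in event {fields['number']}")
    if not set(assets) <= ASSETS or not set(attributes) <= ATTRIBUTES:
        raise ValueError(f"unknown asset/attribute in event {fields['number']}")
    return Event(fields["number"], agent, action, assets, attributes)


def parse_events(text: str) -> list:
    """Parse 'Event N' blocks into Event records."""
    events, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Event "):
            if current:
                events.append(_finish(current))
            current = {"number": int(line.split()[1])}
            continue
        m = _FIELD.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    if current:
        events.append(_finish(current))
    return events


def patterns(events: list) -> dict:
    """The patterns the talk wants: counts per A, plus which actions hit which attributes."""
    return {
        "actions": Counter(e.action for e in events),
        "assets": Counter(a for e in events for a in e.assets),
        "attributes": Counter(a for e in events for a in e.attributes),
        "action_attribute_pairs": Counter((e.action, a) for e in events for a in e.attributes),
    }


if __name__ == "__main__":
    for key, counter in patterns(parse_events(SLIDE_EVENTS)).items():
        print(key, dict(counter))
```

Run over many incidents instead of one, the same counters become the frequency data (which actions, against which assets, violating which attributes) that the rest of the talk wants to feed into models rather than ad-hoc ratings.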
![Page 53: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/53.jpg)
![Page 54: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/54.jpg)
patterns!
![Page 55: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/55.jpg)
[Diagram: Models = Framework ∩ Data, the models being what comes out of intersecting a framework with the data]
![Page 56: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/56.jpg)
[Diagram: the same Models = Framework ∩ Data, extended with Process feeding the Data]
![Page 57: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/57.jpg)
Using your metrics program
- Identify & Measure your processes
- Identify & Measure your failures
- Get into loss factors (ABC)
- Share data
- Support data sharing efforts
![Page 58: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/58.jpg)
Bring it Home: your metrics program
![Page 59: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/59.jpg)
Bring it Home: your metrics program... or
![Page 60: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/60.jpg)
Bring it Home: your metrics program... or The Amazing Technicolor Scorecard
![Page 61: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/61.jpg)
Priority #1: no more surrogate data
![Page 62: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/62.jpg)
Priority #1: (meaning) no more risk analysts*
![Page 63: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/63.jpg)
Priority #1: (really) create data analysts
![Page 64: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/64.jpg)
Data analysts need to focus on quality data, models, execution
![Page 65: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/65.jpg)
Evidence-Based Risk Management
Columns: State of Nature | State of Knowledge | State of Wisdom
- Evidence level D: Lists; Feeling like we’ve done something
- Evidence level C: Simple derived values with ad-hoc modeling; Outcomes with ad-hoc deductive selections
- Evidence level B: Formal Modeling; Decision making constructs
- Evidence level A: (blank)
![Page 66: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/66.jpg)
A balanced scorecard of sorts
[Diagram: risk surrounded by the threat landscape, asset landscape, impact landscape and controls landscape]
![Page 67: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/67.jpg)
Where to look? The Two True Security Outcomes:
Success and Failure
![Page 68: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/68.jpg)
Failures:
- threat landscape: incidents, red/blue team
- asset landscape: vulnerabilities, misconfigurations, unknowns...
- controls landscape: gaps in coverage, known lack of effectiveness, known underskilled/utilized...
- impact landscape: Cost-Based Accounting around incidents, cost of operations, etc...
![Page 69: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/69.jpg)
Successes:
- threat landscape: intel, red/blue teams, SIEM
- asset landscape: vulnerabilities, misconfigurations, unknowns, skills, training
- controls landscape: positive threat outcomes (tOps), skills, training
- impact landscape: ROI? ROSI? (ducks to avoid tomatoes)
![Page 70: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/70.jpg)
What to look for? Two types of data to find:
Focus initially on Visibility, then look to find Variability.
![Page 71: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/71.jpg)
How to look? The GQM Approach:
For each “where”, for each “what”, use the following “how”:
![Page 72: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/72.jpg)
How to look? The GQM Approach:
For each “where” for each “what”, start by using GQM as “how.”
![Page 73: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/73.jpg)
Goal, Question, Metric
- Conceptual level (goal): goals are defined for an object, for a variety of reasons, with respect to various models, from various points of view.
- Operational level (question): questions are used to define models of the object of study and then focus on that object to characterize the assessment or achievement of a specific goal.
- Quantitative level (metric): metrics, based on the models, are associated with every question in order to answer it in a measurable way.
– Victor Basili
![Page 74: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/74.jpg)
The Book You Should Buy (Jay & Alex aren’t getting a kickback, in case you’re wondering)
![Page 75: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/75.jpg)
GQM for Fun & Profit
Goals establish what we want to accomplish.
Questions help us understand how to meet the goal. They address context.
Metrics identify the measurements that are needed to answer the questions.
[Diagram: a tree of two goals (Goal 1, Goal 2) over five questions (Q1 to Q5) over seven metrics (M1 to M7)]
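An added example (mine, not from the talk or from Basili) of a GQM tree as data, with the two checks a metrics program should run on it: every question must have a metric that answers it, and every metric must trace back to a question (a metric nobody asked a question about is the surrogate data the talk warns against). It also evaluates the linked metrics against constructed quarterly observations, using a rank correlation because a process maturity rating is ordinal, not ratio. Goal, question and metric wording, the observation data and the metric ids are all my own constructions.

```python
"""Added example (not from the talk or from Basili): a Goal/Question/Metric tree with
validation, plus metrics evaluated on constructed quarterly observations."""
from dataclasses import dataclass, field
from math import sqrt
from typing import Callable, Dict, List


@dataclass
class Metric:
    id: str
    description: str
    compute: Callable[[list], float]   # takes the observation records, returns a value


@dataclass
class Question:
    id: str
    text: str
    metric_ids: List[str]


@dataclass
class Goal:
    id: str
    text: str
    questions: List[Question] = field(default_factory=list)


# Constructed quarterly observations: an ordinal process maturity rating (1..5)
# and the number of availability incidents recorded that quarter.
OBSERVATIONS = [
    {"quarter": "Q1", "maturity": 1, "availability_incidents": 9},
    {"quarter": "Q2", "maturity": 2, "availability_incidents": 7},
    {"quarter": "Q3", "maturity": 2, "availability_incidents": 8},
    {"quarter": "Q4", "maturity": 3, "availability_incidents": 5},
    {"quarter": "Q5", "maturity": 4, "availability_incidents": 3},
    {"quarter": "Q6", "maturity": 5, "availability_incidents": 2},
]


def _ranks(values: list) -> list:
    """1-based ranks; tied values share the mean of the positions they occupy."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j) / 2 + 1
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        i = j + 1
    return ranks


def spearman(xs: list, ys: list) -> float:
    """Rank correlation: the right tool when one input is only an ordinal rating."""
    rx, ry = _ranks(xs), _ranks(ys)
    mx, my = sum(rx) / len(rx), sum(ry) / len(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    var = sqrt(sum((a - mx) ** 2 for a in rx) * sum((b - my) ** 2 for b in ry))
    return cov / var


METRICS: Dict[str, Metric] = {m.id: m for m in [
    Metric("M1", "mean availability incidents per quarter",
           lambda obs: sum(o["availability_incidents"] for o in obs) / len(obs)),
    Metric("M2", "Spearman correlation of process maturity vs availability incidents",
           lambda obs: spearman([o["maturity"] for o in obs],
                                [o["availability_incidents"] for o in obs])),
    # A scorecard number no question asks for: the surrogate data to flag.
    Metric("M3", "count of open findings on the scorecard", lambda obs: 0.0),
]}

GOALS = [Goal("G1", "Fewer availability incidents", [
    Question("Q1", "Do stronger processes result in fewer availability incidents?", ["M1", "M2"]),
    Question("Q2", "Which process changes preceded a drop in incidents?", []),
])]


def check_tree(goals: List[Goal], metrics: Dict[str, Metric]) -> dict:
    """Questions with no metric, metrics tied to no question, and dangling metric ids."""
    used = {mid for g in goals for q in g.questions for mid in q.metric_ids}
    return {
        "unanswered_questions": [q.id for g in goals for q in g.questions if not q.metric_ids],
        "orphan_metrics": sorted(set(metrics) - used),
        "undefined_metrics": sorted(mid for mid in used if mid not in metrics),
    }


def evaluate(goals: List[Goal], metrics: Dict[str, Metric], obs: list) -> Dict[str, float]:
    """Compute only the metrics that actually answer a question."""
    used = {mid for g in goals for q in g.questions for mid in q.metric_ids}
    return {mid: metrics[mid].compute(obs) for mid in sorted(used) if mid in metrics}


if __name__ == "__main__":
    print(check_tree(GOALS, METRICS))
    print(evaluate(GOALS, METRICS, OBSERVATIONS))
```

On the constructed data the check reports Q2 as unanswered and M3 as an orphan, and M2 comes out strongly negative (higher maturity, fewer availability incidents), which is the "stronger processes result in fewer availability incidents" pattern stated earlier in the deck, here on made-up numbers only.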
![Page 76: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/76.jpg)
GQM for Fun & Profit
[Diagram: the same Goal → Question → Metric tree, with its three levels labelled Execution (goals), Models (questions) and Data (metrics)]
![Page 77: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/77.jpg)
data about defined successes and failures
models of assets, controls, threats contributing to impact
execution by data analysts... feeding standards, audits and governance
![Page 78: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/78.jpg)
Using your metrics program
- Identify & Measure your processes
- Identify & Measure your failures
- Get into loss factors (ABC)
- Share data
- Support data sharing efforts
![Page 79: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/79.jpg)
Using your metrics program
- Identify & Measure your processes
- Identify & Measure your failures
- Get into loss factors (ABC)
- Share data
- Support data sharing efforts
![Page 80: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/80.jpg)
Security is now so essential a concern that we can no longer use adjectives and adverbs but must instead use numbers. – Dan Geer
![Page 82: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/82.jpg)
Approaching the system as a system
[Diagram: risk surrounded by the threat landscape, asset landscape, impact landscape and controls landscape, with Prioritize / De-prioritize arrows]
![Page 83: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/83.jpg)
[Diagram: risk surrounded by the threat landscape, asset landscape, impact landscape and controls landscape]
Suggested context: Capability to manage (skills, resources, decision quality…)
![Page 84: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/84.jpg)
Data Sharing:
- Sources:
  - Qualify this Intel according to the framework
  - Treat with appropriate data quality listings (let models shape the certainty)
![Page 85: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/85.jpg)
Get Into Accounting
- Use existing models that take advantage of accounting concepts (ABC) to talk to the LOBs
![Page 86: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/86.jpg)
Using your metrics program
- Identify & Measure your processes
- Identify & Measure your failures
- Share data
- Support data sharing efforts
- Get into loss factors (ABC)
![Page 87: Secure360 on Risk](https://reader033.vdocuments.us/reader033/viewer/2022042815/5575ca67d8b42a312a8b513d/html5/thumbnails/87.jpg)
Challenging Conventional Wisdom
Conventional Wisdom may not be wrong
- Question current practices
- Seek Evidence and Feedback