Security Risk Metrics or How I Learned to Love Fear and Uncertainty 11/22/11

Presentation Transcript


  1. Security Risk Metrics or How I Learned to Love Fear and Uncertainty, 11/22/11. Carl S. Young, cyoung@strozfriedberg.com, (212) 766-6004

  2. Security Risk Management: Intuition Versus Analytics

  3. Failed Intuition or Miscalculation?

  4. The Fundamentals: Threats and Risk

  5. Threats!

  6. Threats?

  7. Threats • Threats cause harm or loss • Threats make you “worse off” • Threats are contextual…what does THAT mean?

  8. Risk • Risk is an inherent property of threats • Risk is what makes a threat threatening • If there is no risk then there is no threat (and vice versa) • There is also no need for security consultants!

  9. The Components of Risk Three components of risk: 1) impact (importance) 2) likelihood (probability or potential) 3) vulnerability (exposure to loss/harm)

  10. The Fundamental Expression of Risk Risk (threat) = Likelihood x Vulnerability x Impact

  11. The Vulnerability Component of Risk: Understanding the Threat

  12. The Vulnerability Component of Risk • Recall that threats are contextual • Why? Each component of risk can vary with the scenario • Must be precise in characterizing the threat and its associated risk • Example: “Terrorism”. Timothy McVeigh (Oklahoma City bomber) versus Charles Whitman (University of Texas sniper)? • What about risk mitigation?

  13. Example: The Threat of Electrocution from Lightning [Figure: Electrocution Scenario 1 versus Electrocution Scenario 2]

  14. Lightning and the Vulnerability Component of Risk • The vulnerability component of risk for each scenario is different • Scenario 1: your body acts as an electrical conductor between the cloud and the earth…you’ve got a problem • Scenario 2: the charges distribute themselves around the car’s metal surface…you’re probably ok

  15. The Likelihood Component of Risk: Predicting the Future

  16. Likelihood Component of Risk: Tools of the Trade • Some security incidents do occur at random: 1) Nuclear disintegrations of radioisotopes 2) Security equipment failures • Certain threat scenarios are relatively stable over time • Standard statistical distributions apply (e.g., Poisson, Normal, Binomial) • Specify the mean and the uncertainty in the mean (i.e., standard deviation)

  17. Likelihood or Potential? • Is it ok to estimate the likelihood of future incidents based on previous incidents? • Yes, if conditions remain relatively stable* • OR the incidents occur at random • Otherwise it is more precise to speak of ‘potential’ for incident occurrence * The rate of incident occurrence >> change in influencing conditions.

  18. What is Security Risk Management Really All About? • Educated trade-offs between the components of risk for each impactful threat • Such trade-offs form the basis for a security risk management strategy • Risk component trade-offs are what security directors are paid to do!

  19. Security Director Fantasy Job Advertisement • A US-based international corporation is seeking qualified candidates to apply for the position of Global Security Director, with responsibilities and compensation as follows: • 1) Make educated trade-offs regarding the components of risk for each impactful security threat • 2) Design and implement culturally acceptable and cost-effective security solutions based on the aforementioned trade-offs (i.e., develop a security risk management strategy) • 3) Effectively communicate security risk to all levels of the organization • 4) Salary: ~ $1M per annum* • * Welcome to MY fantasy

  20. It’s Not So Easy: The Security Risk Management Conundrum • Security risk management is inherently defensive • Does a low number of security incidents mean there is an effective security strategy in place? • Perhaps you’ve just been lucky or the bad guys are indifferent

  21. Effective Risk Management?

  22. And Security Risk Management is a Zero Sum Game…Finite Resources [Figure: competing demands on finite resources: Property Theft, Terrorism, Information Theft/Insiders, Physical Assaults]

  23. Measuring the Vulnerability Component of Risk: Coping with Fear

  24. Security Risk Measurements • How can you measure the risk associated with security threats if there is a low number of incidents? • Measure risk indirectly by measuring a risk factor rather than instances of the threat itself

  25. Identifying Risk Factors • Risk factors are characteristics or properties of a threat that enhance a component of risk • Threat = tropical diseases. Risk factor = travel to tropical climates • Threat = shark attacks. Risk factor = swimming in the ocean • Threat = leukemia. Risk factor = exposure to radioactive material • Threat = car accident. Risk factor = teenage drivers

  26. Physical Threats • Physical quantities (e.g., vapor concentration, overpressure, signal intensity) are associated with physical threats • These quantities often scale with parameters of distance or time • Can estimate limits on “safe” separation distances, exposure times, etc. • Thereby establish risk metrics and mitigation strategies

  27. Example: Vehicle-Borne Explosive Threat • Overpressure and impulse determine building damage • Expressions scale with distance and explosive payload (limited by vehicle capacity) • Estimate “safe” distances and payloads (risk factors) to yield risk metrics and inform mitigation strategy

  28. [Figure: Explosive Threats: Effect of Distance and Payload on Risk Factors. x-axis: Net Explosive Weight (lbs-TNT), logarithmic, 10 to 50,000; y-axis: Distance (feet), 0 to 1,800. Damage bands labelled on the chart: Total Destruction; Failure of Concrete Walls; Minor Building Damage; Window Glass Breakage/Some Minor Building Damage]

  29. Example: Internal Contamination from External Chemical Vapor Threats • The percentage of contaminated room air as a function of time is given by a simple first-order differential equation • The solution is the exponential function, C = C0 e^(Rt) • Calculating the time, t, knowing the rate of air exchange across the facade, R, yields a risk metric • Shelter-in-place as a mitigation strategy?

  30. [Figure: Percentage of Room Contamination as a Function of Time. x-axis: Percentage of Contaminated Room Air, 0 to 90; y-axis: Minutes, 0 to 600. Two curves: Leaky and Air-Tight]
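As an added example (not from the presentation), the time-to-contamination risk metric of slides 29 and 30: it assumes the clean-air fraction of the room decays as e^(-Rt), with R in air changes per hour (the exponential-decay form slide 34 refers to), so the contaminated share is 100(1 - e^(-Rt)); the "leaky" and "air-tight" rates, tolerable levels and plume duration are constructed values, not figures from the talk.

```python
"""Shelter-in-place risk metric: time for outside vapor to reach a share of room air."""
import math

# Constructed facade air-exchange rates in air changes per hour (ACH); an assumption,
# not values from the presentation.
FACADE_RATES = {"leaky": 1.0, "air-tight": 0.1}


def contaminated_percent(rate_per_hour, minutes):
    """Percentage of room air that is outside (contaminated) air after `minutes`.
    The clean-air fraction decays exponentially, e^(-R t), so the contaminated
    share is 100 * (1 - e^(-R t)); it starts at 0 and approaches 100."""
    return 100.0 * (1.0 - math.exp(-rate_per_hour * minutes / 60.0))


def minutes_to_percent(rate_per_hour, percent):
    """Risk metric: minutes until contamination reaches `percent` (0 <= percent < 100).
    Inverts the expression above: t = -ln(1 - p/100) / R."""
    if not 0.0 <= percent < 100.0:
        raise ValueError("percent must be in [0, 100)")
    if rate_per_hour <= 0:
        raise ValueError("air-exchange rate must be positive")
    return -math.log(1.0 - percent / 100.0) / rate_per_hour * 60.0


def shelter_in_place_table(rates=FACADE_RATES, percents=(10, 25, 50, 90)):
    """Minutes to each contamination level for each facade, rounded to 0.1 min."""
    return {name: {p: round(minutes_to_percent(r, p), 1) for p in percents}
            for name, r in rates.items()}


def shelter_in_place_adequate(rate_per_hour, tolerable_percent, plume_minutes):
    """Mitigation check: shelter-in-place holds if the tolerable contamination
    level is not reached before the outside plume (constructed duration) passes."""
    return minutes_to_percent(rate_per_hour, tolerable_percent) >= plume_minutes


if __name__ == "__main__":
    for facade, row in shelter_in_place_table().items():
        print(f"{facade:9s} minutes to reach % contamination: {row}")
    for facade, rate in FACADE_RATES.items():
        ok = shelter_in_place_adequate(rate, tolerable_percent=25, plume_minutes=120)
        print(f"{facade:9s} shelter-in-place adequate for a 2 h plume at 25%: {ok}")
```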

  31. Time and Distance Risk Factors: Recurring Physical Models • Harmonic oscillator (mass on a spring); F = -kx • Point sources of energy; intensity ~ 1/r^2 • Exponential increase or decay; the rate of change with time or distance is proportional to the amount of “stuff” present

  32. The Building as a Harmonic Oscillator: Response to Explosive Forces • Time duration of explosive force (relative to the natural period of vibration) determines if overpressure or impulse dominates

  33. Point Sources of Radiated Energy: Vulnerability to Radiofrequency Interception

  34. Exponential Decay: Radioactivity (R) of Isotopes • R = R0 e^(-λt) • Also describes the room contamination shown previously

  35. What About Non-Physical Threats like Property Theft? • Threat = theft of property in a facility • Risk factor = unauthorized physical access* • Measure the number of unauthorized entries with existing systems; indirect measurement of risk • Apply enhanced risk mitigation if required • Measure again after deployment of enhanced mitigation * Note! Thefts can occur courtesy of authorized individuals too. Must identify other risk factors

  36. More Non-Physical Threats: Computer Virus Persistence • Social network (e.g., e-mail) connectivity is described by a power law, P(k) = k^(-γ); the so-called “scale-free” distribution • Connectivity (i.e., number of links per node), k, directly affects the probability of a virus infecting other nodes • Network size, connectivity, and number of nodes are risk factors for computer virus persistence. Reference: Infection Dynamics on the Internet; David B. Chang and Carl S. Young, Computers and Security, 24, 280-286 (2005)
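An added illustration (not from the presentation or the cited paper) of why connectivity and network size are risk factors for virus persistence: it grows a scale-free network by preferential attachment, builds a random network with the same number of edges, and compares the mean-field SIS epidemic threshold λ_c = <k>/<k²>, a standard result for uncorrelated networks that goes beyond what the slide states; the sizes, attachment parameter and seed are constructed.

```python
"""Virus persistence risk: epidemic threshold on a scale-free vs a random network."""
import random
from statistics import mean


def preferential_attachment(n, m, rng):
    """Grow a scale-free graph: each new node links to m distinct existing nodes
    chosen with probability proportional to their degree. Returns degree per node."""
    degree = [0] * n
    targets = []                       # each node id repeated once per incident edge
    for v in range(m, n):
        pool = list(range(v)) if v == m else targets
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(pool))
        for u in chosen:
            degree[u] += 1
            degree[v] += 1
            targets.extend((u, v))
    return degree


def random_graph(n, edges, rng):
    """Random graph with the given number of edges (no self-loops or duplicates)."""
    degree, seen = [0] * n, set()
    while len(seen) < edges:
        u, v = rng.sample(range(n), 2)
        key = (min(u, v), max(u, v))
        if key not in seen:
            seen.add(key)
            degree[u] += 1
            degree[v] += 1
    return degree


def epidemic_threshold(degree):
    """Mean-field SIS threshold lambda_c = <k>/<k^2> (assumed; holds for uncorrelated
    networks). A virus whose infection-to-recovery rate ratio exceeds lambda_c
    persists instead of dying out; hubs (large k) raise <k^2> and lower lambda_c."""
    return mean(degree) / mean([k * k for k in degree])


def compare_networks(n=1000, m=3, seed=7):
    """Thresholds for a scale-free and a random network with n nodes and equal edges."""
    rng = random.Random(seed)
    sf = preferential_attachment(n, m, rng)
    edges = sum(sf) // 2
    rnd = random_graph(n, edges, rng)
    return {"edges": edges, "mean_degree": mean(sf),
            "max_degree_scale_free": max(sf), "max_degree_random": max(rnd),
            "threshold_scale_free": epidemic_threshold(sf),
            "threshold_random": epidemic_threshold(rnd)}


if __name__ == "__main__":
    for size in (200, 1000, 5000):     # larger scale-free network -> lower threshold
        print(size, compare_networks(size))
```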

  37. Living with Uncertainty: Measuring the Likelihood Component of Risk

  38. Standard Deviation and Uncertainty: The Certainty of Uncertainty • For randomly occurring incidents or stable scenarios, the uncertainty is characterized by the standard deviation, σ ~ √N (N = number of incidents) • Good news! We are certain about the uncertainty for random or stable incident scenarios • Establish confidence intervals for the likelihood of future incidents

  39. Uncertainty Gives Way to Anxiety • You still feel uneasy about the inherent uncertainty of security risk • How can you relieve the stress?

  40. Decreasing Uncertainty: More Incidents! • N = the number of security incidents • σ = standard deviation = uncertainty in the distribution of randomly occurring incidents • Let’s say σ = N/10. σ = √N = N/10, so N = 100 • You won’t be happy unless σ = N/100 • σ = √N = N/100, so N = 10,000 • Do you really want more incidents to reduce uncertainty?
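As an added example (not from the presentation) of the σ = √N arithmetic on slides 38 and 40: relative uncertainty in the incident rate, the incident count needed to reach a target uncertainty, and a confidence interval for next period's count; it assumes incidents follow a Poisson distribution (slide 16) and uses the normal approximation for the interval.

```python
"""Uncertainty in the likelihood component of risk for randomly occurring incidents."""
import math
from statistics import NormalDist


def relative_uncertainty(n_incidents):
    """sigma / N with sigma = sqrt(N): the fractional uncertainty in the incident rate."""
    if n_incidents <= 0:
        raise ValueError("need at least one observed incident")
    return math.sqrt(n_incidents) / n_incidents


def incidents_for_relative_uncertainty(target):
    """Smallest N with sqrt(N)/N <= target, i.e. N >= 1/target^2 (slide 40: 0.1 -> 100,
    0.01 -> 10,000). Rounded before ceil to absorb floating-point error."""
    return math.ceil(round(1.0 / target ** 2, 6))


def forecast_interval(n_incidents, confidence=0.95):
    """Approximate confidence interval for next period's incident count, treating the
    observed count as the Poisson mean and using the normal approximation (adequate
    when N is large, say N >= 30). Returns (low, high)."""
    z = NormalDist().inv_cdf(0.5 + confidence / 2.0)
    sigma = math.sqrt(n_incidents)
    return (max(0.0, n_incidents - z * sigma), n_incidents + z * sigma)


def prob_at_least(mean_count, k):
    """Exact Poisson probability of at least k incidents next period:
    1 - sum over i < k of e^(-mean) * mean^i / i!  (usable for small counts too)."""
    below = sum(math.exp(-mean_count) * mean_count ** i / math.factorial(i)
                for i in range(k))
    return 1.0 - below


if __name__ == "__main__":
    for n in (10, 100, 10_000):
        lo, hi = forecast_interval(n)
        print(f"N={n}: sigma/N={relative_uncertainty(n):.3f}, 95% interval {lo:.1f}-{hi:.1f}")
    print("incidents needed for 1% uncertainty:", incidents_for_relative_uncertainty(0.01))
    print("P(>=1 incident | mean 0.5):", round(prob_at_least(0.5, 1), 3))
```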

  41. Increasing Uncertainty: Give the Bad Guys More Options • You are the security director of a large company • A terrorist attack against one of your company’s 10 facilities is virtually certain • Probability of attack at a single facility is 1/10 • You recommend building 10 new facilities • Probability is now only 1/20! • See previous job advertisement for security director opening

  42. Uncertainty Can Be Your Friend! Increasing Noise • You are on a secret mission and concerned about electronic surveillance by the enemy • Assume: transmitter signal (S) and ambient noise (N) are uncorrelated and radio frequency noise is random • Signal averaging limit: S/N = √n (S/σ); σ = the standard deviation (uncertainty) of one measurement caused by noise, n = number of measurements in the enemy’s signal averaging • Want the enemy to have large uncertainty in his/her measurement (i.e., large σ)
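Added example (not from the presentation) for slide 42: the √n signal-averaging limit, inverted to give the number of averaged measurements needed to reach a target S/N at a given noise level σ, and the defender's metric of the noise level at which that number exceeds a practical budget; signal, noise and budget values are constructed, and a seeded Monte Carlo check confirms the √n scaling.

```python
"""Signal averaging and the uncertainty ambient noise imposes on a listener (slide 42)."""
import math
import random
from statistics import pstdev


def averaged_snr(signal, sigma, n_measurements):
    """S/N after averaging n measurements: sqrt(n) * (S / sigma), assuming the signal
    is constant and the noise is random and uncorrelated with it."""
    return math.sqrt(n_measurements) * signal / sigma


def measurements_needed(signal, sigma, target_snr):
    """Averages required to reach target_snr: n = (target_snr * sigma / S)^2."""
    return math.ceil((target_snr * sigma / signal) ** 2)


def noise_sigma_for_budget(signal, target_snr, max_measurements):
    """Defender's metric: the per-measurement noise sigma above which reaching
    target_snr would take more than max_measurements averages."""
    return signal * math.sqrt(max_measurements) / target_snr


def simulate_noise_reduction(signal, sigma, n_measurements, trials=2000, seed=1):
    """Constructed Monte Carlo check: the spread of an n-sample average should shrink
    to about sigma / sqrt(n). Returns (empirical sigma of the mean, theory)."""
    rng = random.Random(seed)
    means = [sum(signal + rng.gauss(0.0, sigma) for _ in range(n_measurements))
             / n_measurements for _ in range(trials)]
    return pstdev(means), sigma / math.sqrt(n_measurements)


if __name__ == "__main__":
    S, SIGMA, TARGET = 1.0, 2.0, 2.0          # constructed values
    print("S/N after 16 averages:", averaged_snr(S, SIGMA, 16))
    print("averages needed for S/N =", TARGET, ":", measurements_needed(S, SIGMA, TARGET))
    print("sigma that pushes the need past 1,000 averages:",
          noise_sigma_for_budget(S, TARGET, 1000))
    print("empirical vs theoretical sigma of the mean:", simulate_noise_reduction(S, SIGMA, 16))
```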

  43. Uncertainty and the Vulnerability Component of Risk* • Overpressure and impulse cause injuries mostly via glass breakage; recall scaling with distance and explosive payload • Characterize uncertainty in distance and payload as normal distributions • Model window behavior as a mass on a spring • Determine the window “probability of protection” in terms of potential distance and payload scenarios * Probabilistic Estimates of Vulnerability to Explosive Overpressures and Impulses; D.B. Chang, C.S. Young, The Journal of Physical Security, Volume 4(2), 2010

  44. Lessons on Uncertainty • There is always uncertainty in measuring the likelihood component of risk • The degree of uncertainty is known for random or stable threat scenarios • The degree of uncertainty is unknown for all other threat scenarios • Need to recognize which is which

  45. Putting it All Together: A Risk Assessment and Mitigation Framework

  46. The Risk Management Process [Figure: process diagram; inputs shown: Organizational Tolerance for Risk, Operational Requirements]

  47. Example: Visual Monitoring • Control = visual monitoring • Method = CCTV • Operational requirement = identification-level • Current operational capability = recognition-level • Camera and monitor performance specification = 60 pixels/linear foot of the horizontal scene • Cost of upgrade to meet enhanced operational requirement = ? • Directly relate risk to the cost of risk mitigation

  48. Threats, Risk, Fear and Uncertainty Summary • Threats are bad (but they’re only relatively bad) • Fear of threats is also bad (but not for security consultants) • Directors of security manage risk by making risk component trade-offs (but for a lot less than $1M a year!) • Risk is inherently uncertain (but what isn’t?) • Uncertainty can be reduced (but at a price)
