Thursday, May 03, 2007

Schneier's quest for infosec perfection

Bruce Schneier, information security expert extraordinaire, writes a surprisingly limited column today explaining his recent interview in Silicon.com. In the commentary, Schneier essentially writes that if we could just have perfect software, hardware and networks, all of this information security stuff would be unnecessary.

As an econometrician employed in the information security industry by one of the largest financial processors, I found Bruce's perspective both shocking and, unfortunately, not atypical. Bruce inadvertently touches on the fact that many executives and decision-makers elect to increase the probability of negative outlier events in their information security environment by naively expecting perfection in the inputs. It is little different from Dr. Deming's famous "Red Bead Experiment," in which manufacturing perfection would supposedly occur if only the darn employees would listen to management's directive specifying perfect output.

Having served as a bank IT auditor in my previous capacity, I had countless interactions with bank managers who couldn't comprehend why the expensive, proprietary banking software system with an outlandish maintenance contract could be exploited with trivial effort. "We pay them good money for that system to be perfectly secure!" Nor could they relate to the need to replace servers every three years, the very moment they came off capital lease (instead, milking the asset for a few more free years of operation, at the expense of some hefty assumed catastrophic risk).

In all of these cases, perfection was usually demanded, yet the reality of human imperfection was ignored. The very environments that lacked the financial and personnel resources for appropriate compensating controls (such as separation of duties) had even higher expectations that their technology assets would provide a perfection that magically absolved the risk created by those limited-resource decisions. Increasingly, I found the pursuit of technology perfection to be a risk-aversion behavior, common when a manager was overwhelmed by the always changing, never comfortable enterprise risk environment.

Much of my independent work is on a model that anticipates this less-than-rational dynamic and provides a framework for controlling the risk. In particular, it looks at measures that reduce leptokurtic fat tails, where the math becomes rather fierce and quantified financial impact analysis becomes absurd, and instead push the loss distribution toward a normal one that lends itself to traditional risk management techniques. Instead of pursuing the path of avoidance by expecting perfection, as Schneier has outlined, successful systems will recognize that risk is endogenous. Once we've accepted that condition, we can focus our efforts on more successful measures that handle it and keep most of the risk behavior controllable and manageable.
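To make the fat-tail point concrete, here is an added illustration (my own example code, not the model described above or anything from the post's author). It constructs a synthetic annual-loss sample made of routine incidents plus rare, Pareto-distributed breach-class events, measures the sample's excess kurtosis, and then shows what a compensating control that bounds the retained loss (modeled crudely as a hard cap, as an insurance limit or an effective containment control might impose) does to that kurtosis. The loss parameters, the 2% event probability and the cap value are all assumptions chosen for illustration.

```python
import random
from typing import Dict, List, Sequence


def excess_kurtosis(xs: Sequence[float]) -> float:
    """Sample excess kurtosis: fourth standardized moment minus 3.

    A normal distribution scores ~0; a leptokurtic (fat-tailed) one
    scores well above 0. Uses population moments, which is fine for
    the large samples used here.
    """
    n = len(xs)
    mean = sum(xs) / n
    m2 = sum((x - mean) ** 2 for x in xs) / n
    m4 = sum((x - mean) ** 4 for x in xs) / n
    return m4 / (m2 ** 2) - 3.0


def simulate_losses(n: int, seed: int = 7, event_prob: float = 0.02) -> List[float]:
    """Constructed annual-loss sample (assumed parameters, illustration only).

    Each observation is a lognormal 'routine incident' cost; with
    probability event_prob a Pareto-tailed breach-class loss is added.
    Pareto alpha=1.5 has infinite variance, so the sample tail is
    extremely heavy, which is the regime the post calls 'fierce'.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(n):
        loss = rng.lognormvariate(9.0, 0.8)  # median ~ $8k routine cost (assumed)
        if rng.random() < event_prob:
            loss += rng.paretovariate(1.5) * 500_000.0  # rare catastrophic event (assumed)
        losses.append(loss)
    return losses


def apply_cap(losses: Sequence[float], cap: float) -> List[float]:
    """Model a tail-bounding compensating control as a cap on retained loss."""
    return [min(x, cap) for x in losses]


def normal_reference(n: int, seed: int = 11) -> List[float]:
    """Normally distributed losses with no tail events, for comparison."""
    rng = random.Random(seed)
    return [rng.gauss(10_000.0, 3_000.0) for _ in range(n)]


def tail_report(n: int = 20_000, cap: float = 200_000.0) -> Dict[str, float]:
    """Excess kurtosis of the raw, capped and normal-reference samples."""
    raw = simulate_losses(n)
    return {
        "raw": excess_kurtosis(raw),
        "capped": excess_kurtosis(apply_cap(raw, cap)),
        "normal": excess_kurtosis(normal_reference(n)),
    }


if __name__ == "__main__":
    for name, k in tail_report().items():
        print(f"{name:>7}: excess kurtosis = {k:,.2f}")
```

Run it and the ordering is the point: the raw sample's excess kurtosis is enormous and dominated by a handful of draws, the capped sample is far lower but still clearly leptokurtic (a 2% chance of a fixed-size loss is itself a fat tail), and only the normal reference sits near zero. A cap on retained loss is therefore a tail-reducing measure, not a cure; bringing the distribution near enough to normal for traditional techniques takes controls that also cut the event probability.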
