Ask Smart Questions to Set Security Service Levels

Where are you sailing?

If one does not know to which port one is sailing, no wind is favorable. - Seneca

CISOs face three key challenges that are specific to information security:

  • Security has proven nearly impossible to measure; and without objective, observer-independent measurement, CISOs find it difficult to show the Board the value of information security, link it with business objectives, or reach an agreement on “How much security is enough”. The most powerful levers for increased investment remain the need for regulatory compliance, highly publicized security incidents, or raising fear about the consequences of a security incident.
  • Increasing security requires an increase in investment, but the relationship is not linear; twice the investment does not produce twice the security or half the risk. The role of the CISO would be seen as more valuable if it could contribute to the bottom line of the organization by optimizing the investment in security.
  • Risk and Compliance are not enough. As popular as they are, a Risk approach or a Compliance approach, by themselves, can’t directly inform benefits realization or help tune the investment in security to the needs of the organization. Risk approaches are not objective, as different practitioners and different methods render results that are not comparable. Compliance approaches are not flexible enough to adapt to the needs of every organization.

The objective measurement of a certain attribute of a certain object should always render the same result independently of who makes the measurement, when the measurement is made, or what method is used to measure the attribute. Therefore, the scientific method uses Operational Definitions, as they provide an almost complete independence of the observer, method, or timing. While nonscientific definitions define an attribute by its essence or nature, operational definitions define attributes by the method used to measure the attribute. For example: “The weight of an object is the number and units that appear when that object is placed on a weighing scale”. Definitions of weight that are not operational, like “The amount of mass an object has”, are easier to understand intuitively, but don’t enable objective measurement.

A Security Requirement is an emergent property [1] (or attribute) that arises from a user using an information system. If the user or the information system don’t exist, or the user does not use the information system, the security requirement does not arise.
Using this observation, we can measure the Security Requirement by asking the user Smart Questions that reduce our uncertainty [2] about the security requirement. The user who can provide the most relevant answers is the owner of the information system, who is normally an internal customer of the CISO. Every smart question (measurement procedure) becomes the operational definition of the security requirement. The difference between a common question and a Smart Question is that the second will naturally render an answer with units of measurement. [3][5]
We can move between different levels of abstraction to unearth the security requirements that arise at different levels; the organization using all the information it handles, a user using a single application, or a department using a set of key systems, will have interrelated but distinct security requirements that can be measured.
CISOs can’t use traditional definitions like Confidentiality, Integrity, Availability, Possession, Utility, Risk, Authentication, Authorization, Audit, Non-Repudiation or Accountability for measuring security objectively, as the definitions of these concepts found in the most widely used standards are never operational.

There are several categories of Smart Questions: Secrecy (4 questions), Privacy (15), Availability (6), Expiration (3), Retention (4), Quality (4), Intellectual Property (8), and Technical Objectives (4).
For example, let’s consider three Secrecy scenarios. If we were to use traditional definitions of security, or any risk analysis method, the analysis of these scenarios would be open to interpretation by different practitioners. For the sake of example we may get results like:

  1. Confidentiality: High / Risk: (25) High
  2. Confidentiality: Medium / Risk (12) Medium
  3. Confidentiality: Low / Risk (5) Low

This type of analysis does not render results with units or actionable lists, and we don’t get clear success criteria that can drive management. What is an incident and what is success when security requirements are analyzed using traditional methods and traditional definitions stays open to interpretation, which does not help to manage security. On the other hand, we can ask the owner of the secret the following Smart Questions related to information use:

  • a) Who would you want to share this information with, and for how long?
  • b) Who would you not want to share this information with?

We will obtain two lists, the list of the audience that can be trusted with the secret and everyone else. A very short list of possible answers for the same three scenarios could be:

  1. A: The Board / B: No one else.
  2. A: Internal users / B: External users.
  3. A: Everyone / B: No one.

In the first example, if the Board can’t access the information, that is an incident; if someone who is not in the Board can access the information, that is an incident as well. On the other hand, every time the Board can access the information, we have succeeded, and when someone who is not in the Board fails to access the information, again we succeed. In the same way that incidents are defined from success criteria, threats, vulnerabilities, weaknesses, and risks can be defined in relation to security requirements. The third example shows how these smart questions can be used universally. Every kind of system and use of that system, no matter how restrictive or public it is, will give us success criteria that indicate both when we are providing value and when an incident has occurred.
Let’s examine another use case. A company is evaluating using a DLP solution. We use traditional questions and determine that the system has a Very High Risk. Should we use DLP or not? The answer will not be determined by the measurement of risk or a confidentiality assessment, as this type of measurement can’t point to any solution as particularly suitable for the use case. Using Smart Questions, we might find that only 3 persons use the system. This may drive the conversation towards choosing a more economical solution, like air-gapping the system and relying on physical access control instead.

In connection with all the measured security requirements, we can proceed to agree on service levels for security. A Service Level for Security is the rate and cost of success and incidents that are acceptable to the users or owners in a period. Depending on the service level requested, we can find the investment that will be necessary to achieve that service level, and initiate a discussion where we can reach an agreement on the right balance between the investment made and the service level for security that we can commit to. Unrealistic service levels would require disproportionate investment [4]. After a period with an agreement in place, we will be able to show the value that information security brings if we meet the security requirements repeatedly and within the agreed service level (both success and incidents), and this can steer the subsequent period of investment in security towards greater value for the business and optimized investment.
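The following is an added worked example, not code from the article or its author. It turns the two Smart Question answers of the three Secrecy scenarios above (a: who may see the information; b: everyone else) into the success/incident criteria the text describes, scores a constructed access log against them, and compares the resulting incident rate and cost with an agreed service level for the period. All resource names, user names, group memberships, log lines, rates and costs are hypothetical.

```python
"""Success/incident criteria from Smart Question answers, measured against a service level.

Constructed example: the requirements, directory, log lines and service levels are
hypothetical and not taken from the article.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

EVERYONE = "everyone"  # sentinel for answer (a) = "Everyone" (scenario 3)


@dataclass(frozen=True)
class SecrecyRequirement:
    """Operational definition of a secret, taken from the two Smart Questions:
    (a) the trusted audience; (b) everyone else, which needs no explicit list."""
    name: str
    trusted: FrozenSet[str]

    def is_trusted(self, groups: FrozenSet[str]) -> bool:
        return EVERYONE in self.trusted or bool(self.trusted & groups)


def classify(req: SecrecyRequirement, groups: FrozenSet[str], granted: bool) -> str:
    """Article's criteria: trusted+granted and untrusted+denied are successes;
    trusted+denied and untrusted+granted are incidents."""
    return "success" if req.is_trusted(groups) == granted else "incident"


@dataclass
class ServiceLevel:
    """Agreed acceptable incident rate (and unit cost of an incident) for a period."""
    max_incident_rate: float
    cost_per_incident: float = 0.0


@dataclass
class Report:
    successes: int = 0
    incidents: int = 0
    incident_cost: float = 0.0
    within_service_level: bool = True

    @property
    def incident_rate(self) -> float:
        total = self.successes + self.incidents
        return self.incidents / total if total else 0.0


# --- constructed sample data (hypothetical names) ---
REQUIREMENTS = {
    "board-minutes": SecrecyRequirement("board-minutes", frozenset({"board"})),     # scenario 1
    "intranet-news": SecrecyRequirement("intranet-news", frozenset({"internal"})),  # scenario 2
    "public-site": SecrecyRequirement("public-site", frozenset({EVERYONE})),        # scenario 3
}
DIRECTORY = {  # user -> audience groups
    "alice": frozenset({"board", "internal"}),
    "bob": frozenset({"internal"}),
    "carol": frozenset({"external"}),
}
SERVICE_LEVELS = {
    "board-minutes": ServiceLevel(max_incident_rate=0.05, cost_per_incident=1000.0),
    "intranet-news": ServiceLevel(max_incident_rate=0.10, cost_per_incident=50.0),
    "public-site": ServiceLevel(max_incident_rate=0.10),
}
# constructed access log: timestamp user resource outcome
SAMPLE_LOG = """\
2024-05-01T09:12:00 alice board-minutes granted
2024-05-01T09:30:00 bob board-minutes denied
2024-05-01T10:05:00 carol board-minutes granted
2024-05-02T08:00:00 alice board-minutes denied
2024-05-02T11:00:00 bob intranet-news granted
2024-05-02T11:30:00 carol intranet-news denied
2024-05-03T12:00:00 carol public-site granted
"""


def measure(log: str, requirements=REQUIREMENTS, directory=DIRECTORY,
            service_levels=SERVICE_LEVELS) -> Dict[str, Report]:
    """Score each access outcome against its requirement, then compare the
    incident rate per resource with the agreed service level."""
    reports: Dict[str, Report] = {name: Report() for name in requirements}
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, user, resource, outcome = line.split()
        verdict = classify(requirements[resource], directory[user], outcome == "granted")
        rep = reports[resource]
        if verdict == "success":
            rep.successes += 1
        else:
            rep.incidents += 1
            rep.incident_cost += service_levels[resource].cost_per_incident
    for name, rep in reports.items():
        rep.within_service_level = rep.incident_rate <= service_levels[name].max_incident_rate
    return reports


if __name__ == "__main__":
    for name, rep in measure(SAMPLE_LOG).items():
        status = "OK" if rep.within_service_level else "BREACH"
        print(f"{name:14} successes={rep.successes} incidents={rep.incidents} "
              f"rate={rep.incident_rate:.2f} cost={rep.incident_cost:.0f} {status}")
```

In the sample log, the board minutes record two incidents of the two kinds the text names (an outsider granted access, and a Board member denied), so that resource breaches its agreed 5% incident rate while the other two stay within theirs; the same scoring works unchanged for the fully public resource, which is the universality point of the third scenario.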

The benefits of using smart questions are multiple:

  1. Security requirements can be measured objectively, eliminating the variability that other methods suffer depending on how, by whom or when the measurement is taken.
  2. Security requirements are relevant to their context. This greatly helps directing security efforts towards controls that are relevant to the business.
  3. Security requirements are immediately actionable, as the success criteria measured are specific enough to readily determine which security efforts will contribute directly or indirectly to meeting them.
  4. The barrier of communication between security professionals and users disappears, as there is no need to explain specialist concepts to non-specialists.
  5. Agreeing service levels for security becomes easier, as we can link investment, controls and security requirements.
  6. Demonstrating the value of security becomes easier, as the service levels make obvious the expected return (meeting the security requirements) for the investment.
  7. Information owners, who are often internal customers, can classify information in a way that is more significant for the business, as there are objective security requirements to use as reference.

[1] Emergent Properties in complex systems are attributes that their constituent parts don’t exhibit. For example, ripples in the sand on a beach are an attribute that individual sand grains and air don’t exhibit by themselves. If there were no sand, or no air, the ripples would not exist. Attributes of ripples are, for example, their height or separation.
[2] A Measurement is the procedure of obtaining a reduction in the uncertainty of a number that is characteristic of an attribute.
[3] Using questions for measurement is a well-known method that is used in science when the human factor is present. Questions are used extensively in polls, and by the Delphi method, which was developed by the RAND Corporation in the late 1950s.
[4] Mayfield’s Paradox states that to keep everyone out of an information system requires an infinite amount of money, and to get everyone onto an information system also requires infinite money, while costs between these extremes are relatively low.
[5] Level of measurement is a classification that describes the nature of information within the values assigned to variables. The best known has four levels, or scales, of measurement: nominal, ordinal, interval, and ratio.
[6] Some examples of Smart Questions. This is a small subset of all the known smart questions:

  • Under what circumstances should the information be destroyed?
  • When should the information be destroyed? When does this length of time start counting?
  • Who should control personal information, and for how long?
  • Who should not control personal information?
  • What are the valid uses of the personal information?
  • Should it be possible to identify the owner of the personal information?
  • How recent does the information need to be in order to be valid?
  • When are the information systems supposed to be up and working?
  • What is the minimum acceptable performance of the information systems measured in outputs per input per unit of time?
  • How long a downtime of information systems would be acceptable?
  • How long is the shortest uptime of information systems that is acceptable?
  • In the event of the information system downtime, how many transactions can be lost?

    If you liked this article, consider taking advanced ISMS training online via Udemy

    Continuous Improvement vs Compliance Audits and Risk Management

    In this video the pros and cons of the Compliance approach and the Continuous Improvement approach are weighed.

    Most ISMS standards emphasise Risk Assessment and Audit. These management practices leave other information security management practices in the shadows, which is especially unfair if you consider the limitations risk assessments face. Creating a risk assessment method is very easy, as you can make many choices:

    • The scope (what's in, what's out)
    • The depth (think OSI levels and above to business processes)
    • The way you model the parts/objects of the organisation, their relationships, and the states of their life cycles.
    • Your threat taxonomy (there is not a single one widely accepted one at all depth levels)
    • The way you score the impact on assets (dollars, high-medium-low or 1-5 Confidentiality, Integrity, Availability scales and expansions or combinations thereof)
    • Controls taxonomy (there is not a single one widely accepted one at all detail levels. Many use the ISO27001 list)
    • How you combine threats, their probability, controls, their quality and impact to reach a Risk figure.

    The multiplicity of risk assessment methods and standards makes it exceedingly difficult to reuse or compare risk assessments, a problem compounded by changes in the method design or even the way it is used. It is very seldom possible to compare this year's RA with last year's, and comparing RAs from different companies becomes an unattainable Holy Grail. A good risk assessment standard should meet the following criteria:

    • Reproducible. This means two different independent practitioners should get virtually the same work products and results.
    • Productivity (added value). This means the work products should serve as inputs for:
      • Gauging how safe the organisation is;
      • Identifying threats and weaknesses;
      • Choosing what processes are appropriate for fulfilling the security objectives;
      • Prioritising investment in security processes;
      • Quantifying investment in security processes.
    • Cost-effectiveness. Setting up an ISM system should be cheaper than operating it, just like the cost of choosing a security tool should be small in comparison with the cost of purchasing and using the tool.
    • Added value. This means the result of the process selection should be learnt from the process selection itself. If the process selection result is known beforehand, and the process selection is just a justification for a previously taken decision, the added value is nil, which negates any cost-effectiveness.

    O-ISM3 considers the following management activities:

    • Risk Assessment (part of GP-3) - Considers assets, threats, vulnerabilities, impacts to get a picture of security and prioritise design and improvements.
    • Audit. Using the GP-2 ISM System and Business Audit process, checks are made on whether the process inputs, activities and results match their documentation.
    • Certification. Evaluates whether process documentation, inputs, outputs and activities comply with a pre-defined standard, law or regulation. The certificate provides independent proof of compliance that third parties can trust. This practice is also performed using GP-2 ISM System and Business Audit.

    Additionally, and on an equal footing:

    • Testing. Assessment of whether process outputs are as expected when test data is input. This is an aspect of TSP-4 Service Level Management.
    • Monitoring. Checking whether the outputs of the process and the resources used are within normal range for the purpose of detecting significant anomalies. This is also performed using TSP-4 Service Level Management.
    • Improving. Making changes in the process to make it better fit for the purpose, or to lead to a saving in resources. The removal of faults before they produce incidents, removal of bottlenecks that hamper performance, and making trade-offs are examples of process improvements. This management practice needs information gained from evaluating, testing or monitoring the process. The gains from the changes (if any) can be diagnosed with subsequent testing, monitoring or evaluation. GP-3 ISM Design and Evolution provides a framework for monitoring.
    • Planning. Organising and forecasting the amount, assignment and milestones of tasks, resources, budget, deliverables and performance of a process. This is performed using TSP-4 Service Level Management.
    • Evaluation. Required periodically to assess the outcomes of the ISM system.
    • Assessment. Using the GP-3 ISM Design and Evolution process, the following areas are assessed:
      • How well the process matches the organisation's needs and compliance goals expressed as security objectives;
      • How changes in the environment or management decisions in a process change the quality, performance and use of resources of the process;
      • Whether bottlenecks or single points of failure exist;
      • Points of diminishing returns;
      • Benchmarking of processes between instances and other organisations;
      • Trends in quality, performance and efficiency.
    • Benefits realisation. Shows how achieving security objectives contributes to achieving business objectives, measures the value of the process for the organisation, or justifies the use of resources. This is performed using TSP-4 Service Level Management.

    So, do Audit, and assess your risks, but don't let this drain all your energy from real management.


    High-Medium-Low is bait for the Chewbacca Defense

    I find it very surprising how popular it is to rate vulnerabilities, threats or risks using the High-Medium-Low scale or its derivatives.

    In practice it is notoriously inefficient and a waste of time, as it only feeds the Chewbacca defense.

    It promotes neither communication nor collaboration.

    The Chewbacca Defense at SouthPark

    The Original Chewbacca Defense
