topic Re: Risk management in Industry News

Risk management

rslade — Tue, 22 May 2018 01:04:13 GMT

The Lt. Gov. of Texas says school shootings aren't happening because of guns. Instead, he blames:

- violent video games

Oddly, here in Canada, we have violent video games. Probably exactly the same ones that they have in the States. All of my grandchildren have played them. None of them have shot up their schools, yet.

- removing religion from schools

I suspect that, here in Canada, we started removing religion from schools earlier than in the States, and have gone farther in that regard. We still have fewer school shooting funerals. (Hockey bus crash funerals, yes.)

- irresponsible gun owners

No doubt some people will be surprised to find that people are allowed to own guns in Canada. And some of our gun owners are extremely irresponsible. (We just had a court case of someone who was astoundingly irresponsible in handling a gun.) I suspect that this gets closer to the heart of the issue, but it still doesn't seem to account for the difference in numbers of school shootings between the US and Canada.

- too many entrances to schools

Here in Canada we have lots and lots of entrances to our schools. Very few result in school shootings.

- unarmed teachers

It was probably a very good thing that I wasn't issued a gun when I was teaching elementary school. Not that there weren't times that I would have dearly liked to use one. (Actually, I would have been tempted much more during the times I taught in colleges and universities. And for ISC2. [Especially when I had Cisco employees in the seminars.] But I digress.)

Re: Risk management

Baechle — Tue, 22 May 2018 14:40:14 GMT

Robert,

Although you titled this discussion Risk Management there are lots of relevant security issues in this discussion that we can address. I'm a little concerned that you may have hijacked the forum for a debate on gun control though.

As a Risk Management discussion, I think that this is clearly manifestation of an Insider Threat: In nearly every school shooting that has made it on the news, the shooter was a current or recently terminated (graduated, suspended, etc.) student. The shooting (school, workplace, etc.) itself is a symptom of the Insider Threat. The symptom could have materialized several different ways including violence without guns (bombs, bladed weapons, etc.), property damage (arson, vandalism, destruction of IT infrastructure, etc.), and several other outcomes. Unlike an external attacker where we are figuratively playing whack-a-mole with symptoms (probes, attacks, and asset recovery), we have the ability to interact with the insider and both identify and interdict the root cause before it manifests as an active threat.

This case first illustrates that there is a possibility that the popular Insider Threat detection model that typically rests with Information Systems & Technology Security ("IS&TS) staff is wrong. I believe that the IS&TS have a part to play in detecting behavioral baseline changes within the IT systems, but the scope of "sensors" is limited to IS&T, and not to the bigger picture.

The case secondly illustrates that the method that we deal with potential Insider Threats that we detect may be inappropriate. It may be that the cultural norm is to avoid dealing with people in conflict, distress, experiencing poor mental health, and other social issues because those relationships take much more effort than healthy ones. Actions that exacerbate this would be (a) termination of the relationship (suspension or expulsion from school, firing or suspending employment, etc.), or (b) simply ignoring the situation until we are forced to deal with it (because the Insider is pointing a gun at us, or deleted all our files).

To that end, I think that we currently lack proper focus (as opposed to magnitude of attention) on Insider Threat and that is derailing our ability to manage the risk properly. I have seen very little in the way of actual studies on Root Cause Analysis for malicious insiders except for a handful of case studies by the U.S. Government. Does anyone have public or scholarly resources on Root Cause Analysis for motivations of Insiders to resort to a malicious action?

Sincerely,

Eric B.

Re: Risk management

DAlexander — Wed, 23 May 2018 02:15:36 GMT

rslade,

I quickly progressed through several stages of thought when I read your posting. My first thought was confusion as I suspected it was intended for some gun control forum and accidentally posted to an information security site. I soon realized that it was not accidental and transitioned to my second thought; indignation from what I perceived as someone with no real-life experience in the U.S. attempting to chime in on a predominately American problem. This led to thoughts of irritation as I felt this person was trying to persuade readers that Canada is somehow superior to the U.S. because there are fewer mass shooting events north of the border. After re-reading your post and some deeper thought however, I realized that this is actually a great metaphor for information security and the role that, as your title suggests, risk management plays.

The Columbine High School massacre was the first major school shooting event in the U.S. and tragedies like that have sadly become more common over the last nearly 20 years. No doubt, the risk has increased but what specifically has changed over the last two decades to cause this? I recommend we dissect the issue based on something we know well - risks are comprised of vulnerabilities and threats.

Vulnerabilities are defined as flaws, loopholes, oversights, or errors that can be exploited. One could argue that weak law enforcement, lack of background checks, and the soft-target nature of schools all qualify as vulnerabilities. The problem is that none of these have changed significantly over the last 20 years so it’s difficult to attribute the increased risk to a rise in vulnerabilities.

Threats are defined as any natural or man-made event that could have some type of negative impact on the organization. In this context the threat would be the shooting act itself. Guns, people, and laws are not events therefore, cannot easily be labeled as threats. Even if one tried to make the case that they are threats, there has not been a significant increase in the number of guns, students, or laws in the U.S. over the last 20 years so they cannot logically be factors that have increased the overall risk. I propose that there is one important event, or trend, that has changed over the last 20 years and can be considered an indirect threat resulting in the increasing risk of school shootings.

Today it seems anyone and everyone can become an instant celebrity. Starting in the mid-90’s with “reality” TV to the YouTube and Twitch contributors today, ordinary people can do in minutes what used to take professionals years to accomplish. News and social media have enabled the spread of information at light speed and promote both good and nefarious agendas. People seeking fame and wanting to feed their narcissism understand how easy it is to become a household name. To demonstrate this I encourage anyone to go out on the street and ask random people to name three school shooters or three vice presidents and see what happens.

The rise of social media and the speed at which news (good, bad, real ,or fake) is promulgated is arguably a major factor in the risk of school shootings. The real question now is, how do we manage that?

Re: Risk management

Baechle — Wed, 23 May 2018 15:21:55 GMT

Daniel (@DAlexander),

Sensationalism as a contributor to bad action is an interesting and appealing hypothesis.

As laws are implemented that require disclosure of hacks and breaches of corporate systems, do you think this will:

(a) Increase the sensationalism, and therefore the number of people that attempt hacking and intrusions (e.g. Snowden/Manning imitators and copycats)?

(b) Simply increase the awareness of a hidden statistic that was previously underrepresented in the media (that these types of events are prevalent, just not reported in the media)?

(c) Other (Please Explain)?

Sincerely,

Eric B.

Re: Risk management

Dain — Thu, 24 May 2018 03:53:01 GMT

@DAlexander wrote:
someone with no real-life experience in the U.S. attempting to chime in on a predominately American problem.

this strikes me as very odd, often times a view from outside is just the thing to help isolate a problem, like comparing equivalent risk factors that are highlighted as potential causes for an issue

The Columbine High School massacre was the first major school shooting event in the U.S.

Depends on your definition of major, ignoring Kent State and Jacksonville in the 70s there were plenty of examples of this pre Columbine (look up "I don't like mondays" which oddly enough I learned about on the original CISSP forum, I was however already a fan of the boomtown rats)

Vulnerabilities are defined as flaws, loopholes, oversights, or errors that can be exploited. One could argue that weak law enforcement, lack of background checks, and the soft-target nature of schools all qualify as vulnerabilities. The problem is that none of these have changed significantly over the last 20 years so it’s difficult to attribute the increased risk to a rise in vulnerabilities.

I would argue that the 2004 expiration of the 1994 Federal Assault Rifle Ban would qualify as a significant change in law enforcement status as far as legal access to a certain class of highly accurate, and deadly firearms.

Even if one tried to make the case that they are threats, there has not been a significant increase in the number of guns, students, or laws in the U.S. over the last 20 years

Actually, while the % of households with firearms has declined, the number of firearms in the US has roughly doubled since 1968 - estimated at ~300 million guns in all - 101 guns per 100 people. As the population has gone up by ~22% I think it would be reasonable to extrapolate that the population of any given selection of "likely shooters" has probably increased roughly the same amount, even if active shooter ages only represented 10% I would still call that a significant increase.

News and social media have enabled the spread of information at light speed and promote both good and nefarious agendas.
The rise of social media and the speed at which news (good, bad, real ,or fake) is promulgated is arguably a major factor in the risk of school shootings. The real question now is, how do we manage that

I think your on to something here, tho I think you've completely missed the root cause. Since 1982 approximately 55% of mass shootings were committed by white males (i had to do the math, I give myself a couple of points margin of error)

So, rule #1, when analyzing data there is an absolute requirement to get accurate data -> more guns, more people who might be a larger threat if they have access to guns. We'll ignore the issues around medical support, the ignorance of blaming autism or ritalin.

Social media has certainly brought a lot of things to the masses faster than ever before.

Like a white male president who constantly blows the dog whistles of xenophobia (immigrants are animals, muslims are terrorists) mysoginy (grabbed them by the...), racism (Mexican judge can't be impartial, nazis and white supremacists are fine people), anti-lgbtq (none in his military, thanks), attacks the first amendment, BLM, and peaceful protests, lies pathologically etc

Like the state sponsored executions of people of color that are caught on tape but result in no justice for the executioners.

Like the CEOs of home depot, or Amazon, or Walmart whose companies pay comparatively no taxes, and get rich while the folks working in the stores have to rely on welfare to get by

Like the countless examples of religious people in positions of power abusing children and getting sheltered by the church itself.

Convicted thugs who ignore the constitution and their promise to serve it , who are sexual predators, racists, & child molesters (Roy Moore is just the tip of the iceberg) RUNNING FOR LEGISLATURE, and receiving support.

I could go on, but you probably get the point.

Money goes to the rich, instead of to schools, or medical programs, or food for the hungry.

Suddenly (in the last few years) we've seen a distinct uptick in (typically ignorant by definition) white male assaults on schools, on minorities, on those who don't believe in the same god. Because they were turned down for a date, or hate people of color... Why do they act? Why not? The state itself shows us that this behavior is ok. The president needs his evangelical base too much to clearly and obviously disavow the KKK and white supremacy.

So what are the actual contributing Risk Factors?

More people? Definitely. we can't control population, but could probably mitigate some of the risk with supports, money for better schools (smaller classes, more tangential support), help for the poor, etc.

More Guns? Definitely. Can't seem to get decent legislation passed since 1994 tho, particularly with the NRA purchasing our legislative branch at will.

Social Media? Definitely. The down side of getting to raise awareness about the things that need to be addressed, is that the sociopaths may take it as calcifying their belief that they, like LE system, the government, the CEOs (who, hmm - are all predominantly white males) can do what they want in the US - those other people are animals, or heathens, or worth less as a group than anything else our government spends money on

White Males? Statistically, for sure. Certainly there are other causative factors, but ignorant white males with easy access to guns seems to be a large part of this problem.

Oh and tho I haven't analyzed the data, seems like canada is better at a whole lot of those things

Re: Risk management

DAlexander — Thu, 24 May 2018 07:14:18 GMT

@Dain,

Based on your response, I am concerned that I may have written my post in such a way that led readers to, as they say, “miss the forest for the trees.” My response to the original post was intended to simply propose a hypothesis about one of many possible factors contributing to the increased risk of school shootings and tie that to risk management as a whole. The ultimate goal was to continue the discussion on the risk management process by following a thread about a topic that many (in the U.S. and elsewhere) are familiar with. That said, I have two main comments about your response.

First, you described your “Rule #1” then continued your post by not adhering to that same rule. For instance, who validated the race and gender of each of the shooters since 1982 and how? Was the information gathered from a survey that mandates respondents only check one box or could they check multiple boxes? Was it determined by looking at their social media pictures and assigning a race and gender based on appearance? Were any of the shooters potentially born a different gender? Statistics are like news sources themselves…one must account for any bias before accepting them as valid. Unfortunately, (and not implying this is you) most consumers of statistics don’t have the time or knowledge of the science behind statistics to validate what they hear from the talking heads on [**insert news outlet here**] as accurate. This is why I did not present any statistics but rather my perception of what has changed over the last two decades when mass-shooting events have become more frequent. This is also why I will not lengthen this response by refuting your statistical sources including your final offensive claim regarding white males being “statistically” a risk factor (FWIW, I am not even a member of that statistical category and find that claim racist).

Second, one cannot simplify the cause to a problem as complex as what we are discussing here with a simple all-encompassing solution. As technicians, we are all naturally drawn to the binary, yes or no, on or off answers. If the risk were as simple as “white males are the problem” then we should be able to mitigate the risk with an access control like we do when “inbound port 80 traffic is the problem.” Unfortunately, the problem is much more complex than race and it wouldn’t have done anything to prevent the actual earliest school massacre in the U.S. (which I suppose I should have used as an example). Look up “Enoch Brown schoolhouse massacre 1764” for an example with more than twice the deaths as Kent State and, by the way, not committed by a white male and well before the current U.S. president was even born.

Ultimately, I feel this thread has highlighted an important aspect to both society and information security. We cannot apply a simple fix to a complex problem and expect it to be a perfect solution. We cannot apply a blanket policy that may work in another country to the U.S. and expect it to prevent all school tragedies. Likewise, we cannot blindly apply a security patch that worked in a Microsoft lab to a production environment and expect it to work flawlessly. What we can do is watch trends, assess risks, and know our systems.

Re: Risk management

DAlexander — Thu, 24 May 2018 07:29:55 GMT

@Baechle

Great questions! I think all three options you presented are valid however, if I had to pick either (a) or (b) then I’d lean towards (b) “Simply increase the awareness of a hidden statistic that was previously underrepresented in the media (that these types of events are prevalent, just not reported in the media).” I’ll suggest a candidate for (c) in a moment.

I agree less with (a) because while these laws may lead to increased sensationalism of the acts themselves, it would probably not be the primary motivation for people to begin maliciously hacking others. The hypothesis I proposed was that the act of making mass-shooters instant celebrities is contributing to increased risk of future mass-shootings. Unlike those types of events however, nefarious online actors typically want to avoid the spotlight and are hardly ever named in the media.

Considering all phases of a cyber-attack require not being detected then fame would seem to be the last thing they’d want. The only place I suspect hackers would want notoriety is underground where, much like street gangs, they are known by nicknames and symbols that the general public cannot make sense of. I mentioned 4chan to a relative of mine once and she thought it was a new drink at Starbucks. If they do indeed want notoriety then it still doesn’t convince me that it would increase the number of people attempting hacks and intrusions. The media, and often the law enforcement personnel investigating the crimes, can rarely attribute cyber-crimes to specific perpetrators until the event itself is ancient history (days to weeks in today’s short-term public interest capacity…unless it’s a Russia investigation – sorry, couldn’t resist). That in itself would seem to turn the glory-hounds off.

The (c) that I envision is actually a positive result of the new laws. I think that by publicizing breaches it will motivate executives to invest more in information security, motivate information security professionals to invest more in their own craft, and motivate the tech industry as a whole to develop products in a more security-oriented manner. Shame, like narcissism, is a powerful motivator

Re: Risk management

Baechle — Thu, 24 May 2018 14:09:52 GMT

Daniel,

@DAlexander wrote:
I agree less with (a) because while these laws may lead to increased sensationalism of the acts themselves, it would probably not be the primary motivation for people to begin maliciously hacking others. The hypothesis I proposed was that the act of making mass-shooters instant celebrities is contributing to increased risk of future mass-shootings. Unlike those types of events however, nefarious online actors typically want to avoid the spotlight and are hardly ever named in the media.

I think that this comment may highlight one of the fundamental complexities in doing risk management. We rely too much on biases or popular media concepts of the threats we are attempting to mitigate.

I concur that for several modes of attack (such as theft of intellectual property or credit card data over the Internet) the longer the attack stays undiscovered, the higher chances of both success and illicit usability of the stolen information. However, when attacks eventually surface, notoriety for orchestrating the attack doesn't just stay within the shadows of the Dark Web. Based on a brief survey of news releases and interviews by Insider Threats, I hadn't found one that stated they believed they were going to get away with it. (If someone finds an article or an interview with an noted Insider Threat actor that said they believed they weren't going to get caught, please reply with a link!).

Take for example, "exfocus," one of the personalities wrapped up in the mirai botnet:

http://www.nj.com/news/index.ssf/2017/12/inside_the_massive_cyber_scam_launched_by_a_kid_fr.html

Exfocus was well known as an independent personality even if his true identity would take longer to discover. The fame and attention you garner as an alter ego is just as rewarding as if it were being attributed to a true identity. Possibly more so in some cases for the ability to elude being identified in true name.

Re: Risk management

Baechle — Thu, 24 May 2018 16:33:49 GMT

Gentlemen,

Both of your statements in this discussion strike a chord resonating with me about the veracity of information feeding decision making. Risk management should be an objective process, but occasionally we have to make estimates using subjective information. There is a danger in using opinion when there is real data available, and then there is a further danger in misusing the real data in establishing a narrative.

The first problem brought to bear in the recent exchange is that of Questionable Cause (Concluding that one thing caused another, simply because they are regularly associated). As @rslade pointed out initially and @Dain then highlighted, Canada is an example of a country with laws permitting personal firearms ownership but without comparable rates of school violence. I suggest that this occurs as much in other risk management discussions, causing us to argue over a symptom or even a byproduct instead of the root cause.

The second problem brought to bear in this exchange is that of Ignoratio Elenchi or commonly the Red Herring (Attempting to redirect the issue to another that the person doing the redirecting can better respond to), and Causal Reductionism (Assuming a single cause or reason when there were actually multiple causes or reasons) to reach a Just-in-Case (Making an argument based on the worst-case scenario rather than the most probable scenario, allowing fear to prevail over reason) conclusion.

@Dain wrote:
So, rule #1, when analyzing data there is an absolute requirement to get accurate data -> more guns, more people who might be a larger threat if they have access to guns.

This hypothesis is not falsifiable because it is always speculative. This particular scenario is one that I often see as the basis for why security professionals and their postulations are mistrusted. Although there are more guns available, a regression analysis of events shows there is an overall decline in mass murder gun violence between 2006 and 2016 and significantly more of a decline in schools.[1] This whole conversation diverts us from the analysis of the root cause question: "How do we detect and prevent manifestation of the violent Insider Threat, who may resort to violence regardless of the instrument chosen to implement their actions."

I propose that a better hypothesis would be, "Do more guns equate to an increase in mass murder violence, including and especially at schools?" Since the answer is, "No," then we should temporarily eliminate this as a root cause and leave it in the contributing factor pile. Mitigating against contributing factors is a valid option in risk management however, it should be an alternative to an inability to mitigate against the root cause.

There is a danger here in using Rationalization (Offering an inauthentic excuse for the claim because we know the real reasons are embarrassing to share or harsher than the manufactured ones given). Using Rationalization to focus on mitigating a contributing factor is how we got to dumping a ridiculous level of password complexity upon users rather than admitting as security professionals were failing to properly protect password databases and authentication systems. The likely result of mitigating against contributing factors instead of the root cause as a result of Rationalization is in a repeat catastrophic (violent) event using another instrument or approach.

I'm sorry @Dain, but the remainder of your facts appear to be more collisions of Questionable Cause leading to Rationalization (the bad kind). If we are going to continue to use Insider Threat violence as a hypothetical case study, could you please reference the basis for your argument?

In response to @DAlexander, I heard/read a National Public Radio article about school violence in America. From my memory, they stated there are approximately 1300 deaths per year in the United States. If that statistic is true, then only a minority (possibly the most sensational?) of them appear to be making the news.

Sincerely,

Eric B.

[1] Allie Nicodemo & Lia Petronio, Schools are safer than they were in the 90s, and school shootings are not more common than they used to be, researchers say, Northeastern University News (Feb 26, 2018), Retrieved from, https://news.northeastern.edu/2018/02/26/schools-are-still-one-of-the-safest-places-for-children-researcher-says/

Re: Risk management

Baechle — Thu, 24 May 2018 17:05:23 GMT

Dain,

@Dain wrote:
Actually, while the % of households with firearms has declined, the number of firearms in the US has roughly doubled since 1968 - estimated at ~300 million guns in all - 101 guns per 100 people. As the population has gone up by ~22% I think it would be reasonable to extrapolate that the population of any given selection of "likely shooters" has probably increased roughly the same amount, even if active shooter ages only represented 10% I would still call that a significant increase.

No, that's not a reasonable extrapolation unless you have the results of studies to back it up. You have to do the studies and the math. Has the rate of active shooter incidents increased by 22%, offset by the percentage of households that have declined in overall gun ownership? Otherwise it's just Wishful Thinking (When the desire for something to be true is used in place of/or as evidence for the truthfulness of the claim). If we're just making up statistics, it could also be considered Lying with Statistics.

Re: Risk management

Dain — Fri, 25 May 2018 03:20:26 GMT

good point, the stats I pulled were from various non-partisan gov't sources (and generally were close enough from disparate sources to suggest reasonable expectation of validity) . Were I, say referencing them for a College Paper, I doubt my 10 min of bouncing round the interwebs would count for much.

The shooter race stats were LE analysis based on I believe observation of those committing the crime, again probably not exactly 1st level reference material, but it did seem to jive across multiple sources.

I also agree that theres no easy solution, much like IT. A firewall (or bullet proof glass) only protects against certain threats, there needs to be multiple mechanisms to address the full scope of risk

now where have I heard that before?

Re: Risk management

Dain — Fri, 25 May 2018 03:32:38 GMT

I was replying specifically to the assertion that the population hasn't changed in 20 years, it definitely has, and in a statistically significant way.

Does that affect risk? maybe, maybe not, but the original assertion that the population was the same was incorrect and could not be used for risk analysis in anyway.

If i had studies to back up the extrapolation that a 20% overall population increase is likely to translate to a statistically significant increase in a portion of that population I wouldn't need to extrapolate 🙂

actually would that be interpolating?

Re: Risk management

Baechle — Fri, 25 May 2018 15:03:44 GMT

Dain,

@Dain wrote:
If i had studies to back up the extrapolation that a 20% overall population increase is likely to translate to a statistically significant increase in a portion of that population I wouldn't need to extrapolate 🙂

actually would that be interpolating?

I wasn't arguing semantics about the use of the word extrapolate. I was saying that extrapolation was an unsound practice given that there are metrics available that tell you (1) how much the population has grown, and (2) how many active shooters there were in prior years, including by age, ethnicity, and gender. EDIT My apologies - I apparently was saying that your metrics were not extrapolation based upon my understanding. My understanding of extrapolation assumes that there was an underlying set of metrics that was used, and then an estimate was made where no metrics were available. In this case, metrics were available, they simply weren't consulted. So instead, this was more like a "WAG" than an extrapolation. /EDIT

In fact, I think you would be hard pressed to find a study that proves your example. The population has increased, but the number of shooters has more or less stayed steady, if not declined.[1] The end result is a trend pointing to an overall decline in the percentage of shooters compared to the population.

EDIT ~~Specifically~~ Throughout this conversation, I was hypothesizing a link between the process of ~~extrapolation~~ the WAG of risk metrics by security professionals and the very reason that there is an apparent issue with security professionals risk metric input being disregarded by organizational leaders. I propose that ~~extrapolation~~ WAGs are overused, potentially widely abused as being substitutes for extrapolation, and often way off an accurate estimate. /EDIT

I was replying specifically to the assertion that the population hasn't changed in 20 years, it definitely has, and in a statistically significant way.

Yes. That is supported by research.[2]

Does that affect risk? maybe, maybe not, but the original assertion that the population was the same was incorrect and could not be used for risk analysis in anyway.

I concur. That was a false premise.

Sincerely,

Eric B.

[1] Sandra L. Colby & Jennifer M. Ortman, Projections of the Size and Composition of

the U.S. Population: 2014 to 2060, United States Census Bureau 2 (Mar 2014), Retrieved from https://www.census.gov/content/dam/Census/library/publications/2015/demo/p25-1143.pdf; Emma Fridel, A Multivariate Comparison of Family, Felony, and Public Mass Murders in the United States, Northeastern University (Nov 8, 2017) Retrieved from, http://journals.sagepub.com/doi/abs/10.1177/0886260517739286.

[2] Colby & Ortman Supra note 1.

Re: Risk management

Dain — Fri, 25 May 2018 15:32:05 GMT

I think your point on misunderstanding (was it your point?) is getting proven well in this thread.

I wasn't actually pointing to the population of --> active shooters <-- increasing based on population, I was suggesting a potentially reasonable correlation between overall population increase and the (possibly) reasonable assumption that a 20% population increase would also show a statistically relevant increase in the population of individuals representative of "at risk of becoming active shooters" (e.g. for the sake of argument lets say statistically 98% that group is 14-20 year old males

Might be worthwhile to start a new thread with your thoughts on the issues that exist in InfoSec communicating risk to the business, where hard numbers are required (and available*) I would definitely be interested in reading it w/o the, err, overhead / confusion of relating specifics here back to the original thread and various points we've all made. I seem to be doing a pretty poor job of getting my points across with reference to the original thoughts, based on some of the replies. I was looking at this much more as a discussion on the specific points of Robs original post, while your take seems to be much more holistic (I think someone else pointed out this discrepancy as well, may well have been you)

* While I do agree with you that hard numbers and trusted source data (we all have to agree e.g. on source validity) as well as an agreed upon std for vulnerability criticality (cvss for instance) and asset value is a must in any business minded risk analysis, I also believe that we are still very much in the infancy of being able to build reliable "infosec actuary tables" which to some degree necessitates reasonable interpolation and extrapolation of existing data sets, as well as accepting some items as simple reality (if you don't practice at least a baseline level of good security you will be compromised in some way seems like a given)

Re: Risk management

Baechle — Fri, 25 May 2018 17:00:15 GMT

Dain,

@Dain wrote:
I think your point on misunderstanding (was it your point?) is getting proven well in this thread.

Yes, that was one of my points.

Might be worthwhile to start a new thread with your thoughts on the issues that exist in InfoSec communicating risk to the business, where hard numbers are required (and available*) I would definitely be interested in reading it w/o the, err, overhead / confusion of relating specifics here back to the original thread and various points we've all made.

We may be able to do that down the road. I believe that the emotional impact of the "school shooter" theme in this conversation is wearing off, and we're starting to reach a point where we're having a worthwhile and reasonable talk about this - in the context of Violent Insider Threat Risk Management.

I believe that this conversation is very difficult to have, precisely because it's emotionally charged (people that want guns, people that want gun control, etc.) and that detracts from the underlying professional conversation. In my personal opinion, I think we are doing a good job at having (or at least starting to have) a difficult conversation. I don't think we should run away or turn our backs on that. It's precisely this exercise, having a professional debate around a (emotionally, not technically) difficult topic, that is a skill we all need to continue to develop.

EDIT

I wasn't actually pointing to the population of --> active shooters <-- increasing based on population, I was suggesting a potentially reasonable correlation between overall population increase and the (possibly) reasonable assumption that a 20% population increase would also show a statistically relevant increase in the population of individuals representative of "at risk of becoming active shooters" (e.g. for the sake of argument lets say statistically 98% that group is 14-20 year old males

Ok. It's one of those days. I forgot to address this component. This argument is a self-fulfilling prophecy. More people are at risk of potentially becoming active shooters because there are more people - is not falsifiable, in other words, not testable. If we were to remove the potentially and change this hypothesis to be, In an increasing population, more white males aged 14-20 are at risk of becoming active shooters - we can actually test this.

We can go back and look at the factors that led the cohort of white males aged 14-20 who were active shooters and evaluate what contributed to their decision to become violent. Then we can take those factors and look for them in a statistical cross section over a few years of all white males aged 14-20 to see if those factors increased or decreased in correlation with the number of shooters in that group. If these factors did in fact correlate, then we can state that these are tentatively relevant risk factors. Finally, we can develop detective measures that then look for those risk factors.

The problem that I see, is that folks in the media are relying up rhetoric and speculation rather than actually conducting this and similar studies. The list of causes in @rslade's original post appeared to me to be an example of how we reach bad conclusions, and thus risk management decisions. I was merely extending his original thought of how we might be able to turn that around - and drawing similarities for where this causes problems in other risk management scenarios.

/EDIT

I was looking at this much more as a discussion on the specific points of Robs original post, while your take seems to be much more holistic (I think someone else pointed out this discrepancy as well, may well have been you)

We are currently standing on the precipice of a cultural shift in how Insider Threats are detected and managed; and like it or not a hearty sum of that burden is being thrown at IT Security professionals. Insider Threat detection and mitigation has existed for as long as people have gathered together in organization. In modern times, it has rested in corporate and nation-state Counterintelligence functions until there was laser tight media focus on the exfiltration and destruction of electronic data. Practically overnight it became an IT Security problem, when before IT Security was simply one input to the overall Insider Threat strategy.

So, like it or not protecting a school from a shooter is at least partially an Information Technology Security Risk Management discussion. If not, then IT Security Pros should be ready to defend why it's not. If we're willing to accept that it is, then IT Security Pros should be skilled at having this emotionally charged conversation diplomatically and be ready to dive into the risk metrics rather than WAG.

In My Humble Opinion... 😄

Sincerely,

Eric B.

Re: Risk management

Dain — Fri, 25 May 2018 17:19:33 GMT

@Baechle wrote:

We are currently standing on the precipice of a cultural shift in how Insider Threats are detected and managed; and like it or not a hearty sum of that burden is being thrown at IT Security professionals. Insider Threat detection and mitigation has existed for as long as people have gathered together in organization. In modern times, it has rested in corporate and nation-state Counterintelligence functions until there was laser tight media focus on the exfiltration and destruction of electronic data. Practically overnight it became an IT Security problem, when before IT Security was simply one input to the overall Insider Threat strategy.

So, like it or not protecting a school from a shooter is at least partially an Information Technology Security Risk Management discussion. If not, then IT Security Pros should be ready to defend why it's not. If we're willing to accept that it is, then IT Security Pros should be skilled at having this emotionally charged conversation diplomatically and be ready to dive into the risk metrics rather than WAG.

100% agreed - I think its extremely relevant based not only on the need for good data, but the lack of testable data as it relates to a specific risk factor / vulnerability.

I'll also happily concede the emotional piece, with 4/5 of my immediate family at a school everyday I get skittish when pundits on either side posit ridiculous tripe as root cause etc. (to Robs original post) the capability to rationally carefully discuss, is in this instance, something I could easily have worked harder at. (doesn't help that my usual communication style has been described nicely as blunt)

I was responding more from a perspective of "what could possibly be reasonable risk factors?" preferably ones that could be addressed in some way.

Much like may InfoSec risk and vulnerability issues I think there comes a time (namely when we get into psychology) where its next to impossible to build a true scientific data set as we simply don't have the control groups, or the ability to demonstrably isolate individual contributing factors, let alone tangential factors which may decrease or increase the risk of an "at risk individual" becoming a "perpetrator"

For instance we can easily prove/disprove the supposition that a 20% increase in overall population indicates a statistically significant increase in "at risk active shooter groups" (and could likely determine with fair accuracy what said increase is with a reasonable, experiential definition of said group) . However what we can't do scientifically is test the reasonable causative factors to determine which one is most likely to move an individual from "at risk" to "active shooter". Thus the response becomes more of an effort at minimizing the risk any way possible, based on the overal impact of the situation.

I really do hate the UI, replying in email with simple cut and paste would be so much quicker, the small box and all or nothing quoting makes this take so much more time (tho mouse vs trackpad is still easier)

Re: Risk management

Baechle — Fri, 25 May 2018 18:31:27 GMT

Dain,

Let’s start here.

Much like may InfoSec risk and vulnerability issues I think there comes a time (namely when we get into psychology) where its next to impossible to build a true scientific data set as we simply don't have the control groups, or the ability to demonstrably isolate individual contributing factors, let alone tangential factors which may decrease or increase the risk of an "at risk individual" becoming a "perpetrator"

I respectfully disagree that it’s nearly impossible to build a true scientific data set. I will say that not many people are actually going out and building that data set. Academically, the disciplines of psychology, sociology, and criminology are still very fractured and appear to just be crawling out of the pit of arguing over if either Jung or Freud was right. This is opposed to admitting that there may be several different contributing factors relevant and applicable only to each individual case, and not to others.

And then, Information Technology as a research discipline as opposed to an engineering discipline seems just taken its first yawning stretch of the morning. I only know of one ongoing study of Insider Threat within the technology world, by Doctoral Candidate Jan Buitron (@jbuitron) (sorry for tagging you here if it was a distraction, but I wanted to give you props for tackling this topic).

I will respectfully agree and amplify that we currently don’t have an effective ability to isolate individual contributing factors that indicate elevated risk. As a society, it is my personal observation that we are willing to sit back and let media, superstition, and bias establish those factors instead of admitting to ourselves that we haven’t collected the data yet.

I still have a problem with the foundation of your hypothesis. It assumes that the risk factors (which we don’t know) are directly linked to the size of the population rather than fluctuate based on some other conditions (which we haven’t bothered to figure out yet). I believe this is formally called a Regression Fallacy. You can make every argument from it including the opposite to your position. (a) With more people, there are more people in the world who are not at risk of becoming violent. (b) With more people, there are more people at risk of spontaneously turning into carrots. (c) With more people, there are more people at risk of making more people, and therefore potentially more carrots. (d) etc.

Care to take another stab at forming a hypothesis?

Sincerely,

Eric B.

Re: Risk management

jbuitron — Fri, 21 Jan 2022 15:03:58 GMT

Hi Eric,

Apologies for the late (belated reply). No need to apologize for tagging my studies in the Insider Risk\Insider Threat. I DID finish in June of 2018.

Then, life not only threw rocks in my way, it threw boulders. Boulders like to the 1000-plus homes burned to the ground in the cities of Superior and Louisville on 12-30-2021. I have still yet to publish my dissertation.

Keep up the creative thought, and work,

Best to you in all things,

Dr. Jan Shuyler Buitron

Doctorate of Computer Science in Cybersecurity, minor in Management

Master of Science in Cybersecurity

CISSP, MCSE, ITIL v2, v3

Senior Cybersecurity Systems Engineer\Lead)