Community Champion

Risk management

The Lt. Gov. of Texas says school shootings aren't happening because of guns. Instead, he blames:

 - violent video games

Oddly, here in Canada, we have violent video games.  Probably exactly the same ones that they have in the States.  All of my grandchildren have played them.  None of them have shot up their schools, yet.

 - removing religion from schools

I suspect that, here in Canada, we started removing religion from schools earlier than in the States, and have gone farther in that regard.  We still have fewer school shooting funerals.  (Hockey bus crash funerals, yes.)

 - irresponsible gun owners

No doubt some people will be surprised to find that people are allowed to own guns in Canada.  And some of our gun owners are extremely irresponsible.  (We just had a court case of someone who was astoundingly irresponsible in handling a gun.)  I suspect that this gets closer to the heart of the issue, but it still doesn't seem to account for the difference in numbers of school shootings between the US and Canada.

 - too many entrances to schools

Here in Canada we have lots and lots of entrances to our schools.  Very few result in school shootings.

 - unarmed teachers

It was probably a very good thing that I wasn't issued a gun when I was teaching elementary school.  Not that there weren't times that I would have dearly liked to use one.  (Actually, I would have been tempted much more during the times I taught in colleges and universities.  And for ISC2.  [Especially when I had Cisco employees in the seminars.]  But I digress.)


............
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
16 Replies
Advocate I

Re: Risk management

Robert,

 

Although you titled this discussion Risk Management there are lots of relevant security issues in this discussion that we can address.  I'm a little concerned that you may have hijacked the forum for a debate on gun control though.

 

As a Risk Management discussion, I think that this is clearly a manifestation of an Insider Threat: In nearly every school shooting that has made it on the news, the shooter was a current or recently terminated (graduated, suspended, etc.) student.  The shooting (school, workplace, etc.) itself is a symptom of the Insider Threat.  The symptom could have materialized several different ways including violence without guns (bombs, bladed weapons, etc.), property damage (arson, vandalism, destruction of IT infrastructure, etc.), and several other outcomes.  Unlike an external attacker where we are figuratively playing whack-a-mole with symptoms (probes, attacks, and asset recovery), we have the ability to interact with the insider and both identify and interdict the root cause before it manifests as an active threat.

 

This case first illustrates that there is a possibility that the popular Insider Threat detection model that typically rests with Information Systems & Technology Security ("IS&TS") staff is wrong.  I believe that the IS&TS have a part to play in detecting behavioral baseline changes within the IT systems, but the scope of "sensors" is limited to IS&T, and not to the bigger picture.

 

The case secondly illustrates that the method that we deal with potential Insider Threats that we detect may be inappropriate.  It may be that the cultural norm is to avoid dealing with people in conflict, distress, experiencing poor mental health, and other social issues because those relationships take much more effort than healthy ones.  Actions that exacerbate this would be (a) termination of the relationship (suspension or expulsion from school, firing or suspending employment, etc.), or (b) simply ignoring the situation until we are forced to deal with it (because the Insider is pointing a gun at us, or deleted all our files).

 

To that end, I think that we currently lack proper focus (as opposed to magnitude of attention) on Insider Threat and that is derailing our ability to manage the risk properly.  I have seen very little in the way of actual studies on Root Cause Analysis for malicious insiders except for a handful of case studies by the U.S. Government.  Does anyone have public or scholarly resources on Root Cause Analysis for motivations of Insiders to resort to a malicious action?

 

Sincerely,

 

Eric B.

 

Newcomer III

Re: Risk management

rslade,

 

   I quickly progressed through several stages of thought when I read your posting. My first thought was confusion as I suspected it was intended for some gun control forum and accidentally posted to an information security site. I soon realized that it was not accidental and transitioned to my second thought; indignation from what I perceived as someone with no real-life experience in the U.S. attempting to chime in on a predominately American problem. This led to thoughts of irritation as I felt this person was trying to persuade readers that Canada is somehow superior to the U.S. because there are fewer mass shooting events north of the border. After re-reading your post and some deeper thought however, I realized that this is actually a great metaphor for information security and the role that, as your title suggests, risk management plays.

 

   The Columbine High School massacre was the first major school shooting event in the U.S. and tragedies like that have sadly become more common over the last nearly 20 years. No doubt, the risk has increased but what specifically has changed over the last two decades to cause this? I recommend we dissect the issue based on something we know well - risks are comprised of vulnerabilities and threats.

 

   Vulnerabilities are defined as flaws, loopholes, oversights, or errors that can be exploited. One could argue that weak law enforcement, lack of background checks, and the soft-target nature of schools all qualify as vulnerabilities. The problem is that none of these have changed significantly over the last 20 years so it’s difficult to attribute the increased risk to a rise in vulnerabilities.

 

   Threats are defined as any natural or man-made event that could have some type of negative impact on the organization. In this context the threat would be the shooting act itself. Guns, people, and laws are not events therefore, cannot easily be labeled as threats. Even if one tried to make the case that they are threats, there has not been a significant increase in the number of guns, students, or laws in the U.S. over the last 20 years so they cannot logically be factors that have increased the overall risk. I propose that there is one important event, or trend, that has changed over the last 20 years and can be considered an indirect threat resulting in the increasing risk of school shootings.

 

   Today it seems anyone and everyone can become an instant celebrity. Starting in the mid-90’s with “reality” TV to the YouTube and Twitch contributors today, ordinary people can do in minutes what used to take professionals years to accomplish. News and social media have enabled the spread of information at light speed and promote both good and nefarious agendas. People seeking fame and wanting to feed their narcissism understand how easy it is to become a household name. To demonstrate this I encourage anyone to go out on the street and ask random people to name three school shooters or three vice presidents and see what happens.

 

   The rise of social media and the speed at which news (good, bad, real, or fake) is promulgated is arguably a major factor in the risk of school shootings. The real question now is, how do we manage that?

Advocate I

Re: Risk management

Daniel (@DAlexander),

 

Sensationalism as a contributor to bad action is an interesting and appealing hypothesis.

 

As laws are implemented that require disclosure of hacks and breaches of corporate systems, do you think this will:

 

(a) Increase the sensationalism, and therefore the number of people that attempt hacking and intrusions (e.g. Snowden/Manning imitators and copycats)?

(b) Simply increase the awareness of a hidden statistic that was previously underrepresented in the media (that these types of events are prevalent, just not reported in the media)?

(c) Other (Please Explain)?

 

Sincerely,

 

Eric B.

 

 

Contributor I

Re: Risk management


@DAlexander wrote:

someone with no real-life experience in the U.S. attempting to chime in on a predominately American problem.


This strikes me as very odd; oftentimes a view from outside is just the thing to help isolate a problem, like comparing equivalent risk factors that are highlighted as potential causes for an issue.

 


   The Columbine High School massacre was the first major school shooting event in the U.S.

 

Depends on your definition of major; ignoring Kent State and Jacksonville in the 70s, there were plenty of examples of this pre-Columbine (look up "I Don't Like Mondays", which oddly enough I learned about on the original CISSP forum; I was however already a fan of the Boomtown Rats).

 

 

   Vulnerabilities are defined as flaws, loopholes, oversights, or errors that can be exploited. One could argue that weak law enforcement, lack of background checks, and the soft-target nature of schools all qualify as vulnerabilities. The problem is that none of these have changed significantly over the last 20 years so it’s difficult to attribute the increased risk to a rise in vulnerabilities.

I would argue that the 2004 expiration of the 1994 Federal Assault Rifle Ban would qualify as a significant change in law enforcement status as far as legal access to a certain class of highly accurate, and deadly firearms.

 

Even if one tried to make the case that they are threats, there has not been a significant increase in the number of guns, students, or laws in the U.S. over the last 20 years 


Actually, while the % of households with firearms has declined, the number of firearms in the US has  roughly doubled since 1968 - estimated at ~300 million guns in all - 101 guns per 100 people.  As the population has gone up by ~22% I think it would be reasonable to extrapolate that the population of any given selection of "likely shooters"  has probably increased roughly the same amount, even if active shooter ages only represented 10% I would still call that a significant increase.

 


News and social media have enabled the spread of information at light speed and promote both good and nefarious agendas.

   The rise of social media and the speed at which news (good, bad, real, or fake) is promulgated is arguably a major factor in the risk of school shootings. The real question now is, how do we manage that?


I think you're on to something here, tho I think you've completely missed the root cause.  Since 1982 approximately 55% of mass shootings were committed by white males (I had to do the math, I give myself a couple of points margin of error).

 

So, rule #1, when analyzing data there is an absolute requirement to get accurate data -> more guns, more people who might be a larger threat if they have access to guns.  We'll ignore the issues around medical support, the ignorance of blaming autism or ritalin. 

 

Social media has certainly brought a lot of things to the masses faster than ever before. 

 

Like a white male president who constantly blows the dog whistles of xenophobia (immigrants are animals, Muslims are terrorists), misogyny (grabbed them by the...), racism (Mexican judge can't be impartial, Nazis and white supremacists are fine people), anti-LGBTQ (none in his military, thanks), attacks the First Amendment, BLM, and peaceful protests, lies pathologically, etc.

 

Like the state sponsored executions of people of color that are caught on tape but result in no justice for the executioners.  

 

Like the CEOs of Home Depot, or Amazon, or Walmart whose companies pay comparatively no taxes, and get rich while the folks working in the stores have to rely on welfare to get by.

 

Like the countless examples of religious people in positions of power abusing children and getting sheltered by the church itself.

 

Convicted thugs who ignore the constitution and their promise to serve it, who are sexual predators, racists, & child molesters (Roy Moore is just the tip of the iceberg) RUNNING FOR LEGISLATURE, and receiving support.

 

I could go on, but you probably get the point.

 

Money goes to the rich, instead of to schools, or medical programs, or food for the hungry.

 

Suddenly (in the last few years) we've seen a distinct uptick in (typically ignorant by definition) white male assaults on schools, on minorities, on those who don't believe in the same god.  Because they were turned down for a date, or hate people of color...    Why do they act?  Why not? The state itself shows us that this behavior is ok.  The president needs his evangelical base too much to clearly and obviously disavow the KKK and white supremacy.

 

So what are the actual contributing Risk Factors?

More people?  Definitely. We can't control population, but could probably mitigate some of the risk with supports, money for better schools (smaller classes, more tangential support), help for the poor, etc.

 

More Guns? Definitely.  Can't seem to get decent legislation passed since 1994 tho, particularly with the NRA purchasing our legislative branch at will.

 

Social Media? Definitely.  The down side of getting to raise awareness about the things that need to be addressed, is that the sociopaths may take it as calcifying their belief that they, like LE system, the government, the CEOs (who, hmm - are all predominantly white males) can do what they want in the US - those other people are animals, or heathens, or worth less as a group than anything else our government spends money on 

 

White Males?  Statistically, for sure.  Certainly there are other causative factors, but ignorant white males with easy access to guns seems to be a large part of this problem.

 

Oh and tho I haven't analyzed the data, seems like Canada is better at a whole lot of those things.

 

 

 

Newcomer III

Re: Risk management

@Dain,

 

   Based on your response, I am concerned that I may have written my post in such a way that led readers to, as they say, “miss the forest for the trees.” My response to the original post was intended to simply propose a hypothesis about one of many possible factors contributing to the increased risk of school shootings and tie that to risk management as a whole. The ultimate goal was to continue the discussion on the risk management process by following a thread about a topic that many (in the U.S. and elsewhere) are familiar with. That said, I have two main comments about your response.

 

   First, you described your “Rule #1” then continued your post by not adhering to that same rule. For instance, who validated the race and gender of each of the shooters since 1982 and how? Was the information gathered from a survey that mandates respondents only check one box or could they check multiple boxes? Was it determined by looking at their social media pictures and assigning a race and gender based on appearance? Were any of the shooters potentially born a different gender? Statistics are like news sources themselves…one must account for any bias before accepting them as valid. Unfortunately, (and not implying this is you) most consumers of statistics don’t have the time or knowledge of the science behind statistics to validate what they hear from the talking heads on [**insert news outlet here**] as accurate. This is why I did not present any statistics but rather my perception of what has changed over the last two decades when mass-shooting events have become more frequent. This is also why I will not lengthen this response by refuting your statistical sources including your final offensive claim regarding white males being “statistically” a risk factor (FWIW, I am not even a member of that statistical category and find that claim racist).

 

   Second, one cannot simplify the cause to a problem as complex as what we are discussing here with a simple all-encompassing solution. As technicians, we are all naturally drawn to the binary, yes or no, on or off answers. If the risk were as simple as “white males are the problem” then we should be able to mitigate the risk with an access control like we do when “inbound port 80 traffic is the problem.” Unfortunately, the problem is much more complex than race and it wouldn’t have done anything to prevent the actual earliest school massacre in the U.S. (which I suppose I should have used as an example). Look up “Enoch Brown schoolhouse massacre 1764” for an example with more than twice the deaths as Kent State and, by the way, not committed by a white male and well before the current U.S. president was even born.

 

   Ultimately, I feel this thread has highlighted an important aspect to both society and information security. We cannot apply a simple fix to a complex problem and expect it to be a perfect solution. We cannot apply a blanket policy that may work in another country to the U.S. and expect it to prevent all school tragedies. Likewise, we cannot blindly apply a security patch that worked in a Microsoft lab to a production environment and expect it to work flawlessly. What we can do is watch trends, assess risks, and know our systems.

Newcomer III

Re: Risk management

@Baechle

 

   Great questions! I think all three options you presented are valid however, if I had to pick either (a) or (b) then I’d lean towards (b) “Simply increase the awareness of a hidden statistic that was previously underrepresented in the media (that these types of events are prevalent, just not reported in the media).” I’ll suggest a candidate for (c) in a moment.

  

   I agree less with (a) because while these laws may lead to increased sensationalism of the acts themselves, it would probably not be the primary motivation for people to begin maliciously hacking others. The hypothesis I proposed was that the act of making mass-shooters instant celebrities is contributing to increased risk of future mass-shootings. Unlike those types of events however, nefarious online actors typically want to avoid the spotlight and are hardly ever named in the media.

 

   Considering all phases of a cyber-attack require not being detected then fame would seem to be the last thing they’d want. The only place I suspect hackers would want notoriety is underground where, much like street gangs, they are known by nicknames and symbols that the general public cannot make sense of. I mentioned 4chan to a relative of mine once and she thought it was a new drink at Starbucks. If they do indeed want notoriety then it still doesn’t convince me that it would increase the number of people attempting hacks and intrusions. The media, and often the law enforcement personnel investigating the crimes, can rarely attribute cyber-crimes to specific perpetrators until the event itself is ancient history (days to weeks in today’s short-term public interest capacity…unless it’s a Russia investigation – sorry, couldn’t resist). That in itself would seem to turn the glory-hounds off.

 

   The (c) that I envision is actually a positive result of the new laws. I think that by publicizing breaches it will motivate executives to invest more in information security, motivate information security professionals to invest more in their own craft, and motivate the tech industry as a whole to develop products in a more security-oriented manner. Shame, like narcissism, is a powerful motivator.

Advocate I

Re: Risk management

Daniel,

 


@DAlexander wrote:

   I agree less with (a) because while these laws may lead to increased sensationalism of the acts themselves, it would probably not be the primary motivation for people to begin maliciously hacking others. The hypothesis I proposed was that the act of making mass-shooters instant celebrities is contributing to increased risk of future mass-shootings. Unlike those types of events however, nefarious online actors typically want to avoid the spotlight and are hardly ever named in the media.

 


I think that this comment may highlight one of the fundamental complexities in doing risk management.  We rely too much on biases or popular media concepts of the threats we are attempting to mitigate.

 

I concur that for several modes of attack (such as theft of intellectual property or credit card data over the Internet) the longer the attack stays undiscovered, the higher chances of both success and illicit usability of the stolen information.  However, when attacks eventually surface, notoriety for orchestrating the attack doesn't just stay within the shadows of the Dark Web.  Based on a brief survey of news releases and interviews by Insider Threats, I hadn't found one that stated they believed they were going to get away with it.  (If someone finds an article or an interview with a noted Insider Threat actor that said they believed they weren't going to get caught, please reply with a link!)

 

Take for example, "exfocus," one of the personalities wrapped up in the Mirai botnet:

 

http://www.nj.com/news/index.ssf/2017/12/inside_the_massive_cyber_scam_launched_by_a_kid_fr.html

 

Exfocus was well known as an independent personality even if his true identity would take longer to discover.  The fame and attention you garner as an alter ego is just as rewarding as if it were being attributed to a true identity.  Possibly more so in some cases for the ability to elude being identified in true name.

Advocate I

Re: Risk management

Gentlemen,

 

Both of your statements in this discussion strike a chord resonating with me about the veracity of information feeding decision making.  Risk management should be an objective process, but occasionally we have to make estimates using subjective information.  There is a danger in using opinion when there is real data available, and then there is a further danger in misusing the real data in establishing a narrative.  

 

The first problem brought to bear in the recent exchange is that of Questionable Cause (Concluding that one thing caused another, simply because they are regularly associated).  As @rslade pointed out initially and @Dain then highlighted, Canada is an example of a country with laws permitting personal firearms ownership but without comparable rates of school violence.  I suggest that this occurs as much in other risk management discussions, causing us to argue over a symptom or even a byproduct instead of the root cause.

 

The second problem brought to bear in this exchange is that of Ignoratio Elenchi or commonly the Red Herring (Attempting to redirect the issue to another that the person doing the redirecting can better respond to), and Causal Reductionism (Assuming a single cause or reason when there were actually multiple causes or reasons) to reach a Just-in-Case (Making an argument based on the worst-case scenario rather than the most probable scenario, allowing fear to prevail over reason) conclusion. 

 

@Dain wrote:

So, rule #1, when analyzing data there is an absolute requirement to get accurate data -> more guns, more people who might be a larger threat if they have access to guns.

This hypothesis is not falsifiable because it is always speculative.  This particular scenario is one that I often see as the basis for why security professionals and their postulations are mistrusted.  Although there are more guns available, a regression analysis of events shows there is an overall decline in mass murder gun violence between 2006 and 2016 and significantly more of a decline in schools.[1]  This whole conversation diverts us from the analysis of the root cause question: "How do we detect and prevent manifestation of the violent Insider Threat, who may resort to violence regardless of the instrument chosen to implement their actions." 

 

I propose that a better hypothesis would be, "Do more guns equate to an increase in mass murder violence, including and especially at schools?"  Since the answer is, "No," then we should temporarily eliminate this as a root cause and leave it in the contributing factor pile.  Mitigating against contributing factors is a valid option in risk management however, it should be an alternative to an inability to mitigate against the root cause.

 

There is a danger here in using Rationalization (Offering an inauthentic excuse for the claim because we know the real reasons are embarrassing to share or harsher than the manufactured ones given).  Using Rationalization to focus on mitigating a contributing factor is how we got to dumping a ridiculous level of password complexity upon users rather than admitting as security professionals were failing to properly protect password databases and authentication systems.  The likely result of mitigating against contributing factors instead of the root cause as a result of Rationalization is in a repeat catastrophic (violent) event using another instrument or approach.

 

I'm sorry @Dain, but the remainder of your facts appear to be more collisions of Questionable Cause leading to Rationalization (the bad kind).  If we are going to continue to use Insider Threat violence as a hypothetical case study, could you please reference the basis for your argument?

 

In response to @DAlexander, I heard/read a National Public Radio article about school violence in America.  From my memory, they stated there are approximately 1300 deaths per year in the United States.  If that statistic is true, then only a minority (possibly the most sensational?) of them appear to be making the news.

 

Sincerely,

 

Eric B.

 

[1] Allie Nicodemo & Lia Petronio, Schools are safer than they were in the 90s, and school shootings are not more common than they used to be, researchers say, Northeastern University News (Feb 26, 2018), Retrieved from, https://news.northeastern.edu/2018/02/26/schools-are-still-one-of-the-safest-places-for-children-res...

 

  

Advocate I

Re: Risk management

 

Dain,

 


@Dain wrote:

Actually, while the % of households with firearms has declined, the number of firearms in the US has  roughly doubled since 1968 - estimated at ~300 million guns in all - 101 guns per 100 people.  As the population has gone up by ~22% I think it would be reasonable to extrapolate that the population of any given selection of "likely shooters"  has probably increased roughly the same amount, even if active shooter ages only represented 10% I would still call that a significant increase.


No, that's not a reasonable extrapolation unless you have the results of studies to back it up.  You have to do the studies and the math.  Has the rate of active shooter incidents increased by 22%, offset by the percentage of households that have declined in overall gun ownership?  Otherwise it's just Wishful Thinking (When the desire for something to be true is used in place of/or as evidence for the truthfulness of the claim).  If we're just making up statistics, it could also be considered Lying with Statistics.