rslade
Influencer II

Risk management

The Lt. Gov. of Texas says school shootings aren't happening because of guns. Instead, he blames:

 - violent video games

Oddly, here in Canada, we have violent video games.  Probably exactly the same ones that they have in the States.  All of my grandchildren have played them.  None of them have shot up their schools, yet.

 - removing religion from schools

I suspect that, here in Canada, we started removing religion from schools earlier than in the States, and have gone farther in that regard.  We still have fewer school shooting funerals.  (Hockey bus crash funerals, yes.)

 - irresponsible gun owners

No doubt some people will be surprised to find that people are allowed to own guns in Canada.  And some of our gun owners are extremely irresponsible.  (We just had a court case of someone who was astoundingly irresponsible in handling a gun.)  I suspect that this gets closer to the heart of the issue, but it still doesn't seem to account for the difference in numbers of school shootings between the US and Canada.

 - too many entrances to schools

Here in Canada we have lots and lots of entrances to our schools.  Very few result in school shootings.

 - unarmed teachers

It was probably a very good thing that I wasn't issued a gun when I was teaching elementary school.  Not that there weren't times that I would have dearly liked to use one.  (Actually, I would have been tempted much more during the times I taught in colleges and universities.  And for ISC2.  [Especially when I had Cisco employees in the seminars.]  But I digress.)


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
17 Replies
Dain
Contributor I

good point, the stats I pulled were from various non-partisan gov't sources (and generally were close enough from disparate sources to suggest reasonable expectation of validity). Were I, say, referencing them for a College Paper, I doubt my 10 min of bouncing round the interwebs would count for much.

 

The shooter race stats were LE analysis based on I believe observation of those committing the crime, again probably not exactly 1st level reference material, but it did seem to jibe across multiple sources.

 

I also agree that there's no easy solution, much like IT.  A firewall (or bullet proof glass) only protects against certain threats, there needs to be multiple mechanisms to address the full scope of risk.

 

now where have I heard that before?

Dain
Contributor I

I was replying specifically to the assertion that the population hasn't changed in 20 years, it definitely has, and in a statistically significant way.

 

Does that affect risk? Maybe, maybe not, but the original assertion that the population was the same was incorrect and could not be used for risk analysis in any way.

 

If I had studies to back up the extrapolation that a 20% overall population increase is likely to translate to a statistically significant increase in a portion of that population I wouldn't need to extrapolate 🙂

 

actually would that be interpolating?

Baechle
Advocate I

Dain,

 


@Dain wrote:

If I had studies to back up the extrapolation that a 20% overall population increase is likely to translate to a statistically significant increase in a portion of that population I wouldn't need to extrapolate 🙂

 

actually would that be interpolating? 

I wasn't arguing semantics about the use of the word extrapolate.  I was saying that extrapolation was an unsound practice given that there are metrics available that tell you (1) how much the population has grown, and (2) how many active shooters there were in prior years, including by age, ethnicity, and gender.  EDIT My apologies - I apparently was saying that your metrics were not extrapolation based upon my understanding.  My understanding of extrapolation assumes that there was an underlying set of metrics that was used, and then an estimate was made where no metrics were available.  In this case, metrics were available, they simply weren't consulted.  So instead, this was more like a "WAG" than an extrapolation.  /EDIT

 

In fact, I think you would be hard pressed to find a study that proves your example.  The population has increased, but the number of shooters has more or less stayed steady, if not declined.[1]  The end result is a trend pointing to an overall decline in the percentage of shooters compared to the population.

 

EDIT Specifically Throughout this conversation,  I was hypothesizing a link between the process of extrapolation the WAG of risk metrics by security professionals and the very reason that there is an apparent issue with security professionals risk metric input being disregarded by organizational leaders.  I propose that extrapolation WAGs are overused, potentially widely abused as being substitutes for extrapolation, and often way off an accurate estimate.  /EDIT

 

I was replying specifically to the assertion that the population hasn't changed in 20 years, it definitely has, and in a statistically significant way. 


Yes.  That is supported by research.[2]

 


Does that affect risk? Maybe, maybe not, but the original assertion that the population was the same was incorrect and could not be used for risk analysis in any way.

 


I concur.  That was a false premise.

 

Sincerely,

 

Eric B.

 

[1] Sandra L. Colby & Jennifer M. Ortman, Projections of the Size and Composition of the U.S. Population: 2014 to 2060, United States Census Bureau 2 (Mar 2014), Retrieved from https://www.census.gov/content/dam/Census/library/publications/2015/demo/p25-1143.pdf; Emma Fridel, A Multivariate Comparison of Family, Felony, and Public Mass Murders in the United States, Northeastern University (Nov 8, 2017), Retrieved from http://journals.sagepub.com/doi/abs/10.1177/0886260517739286.

 

[2] Colby & Ortman, supra note 1.

 

Dain
Contributor I

I think your point on misunderstanding (was it your point?) is getting proven well in this thread.

 

I wasn't actually pointing to the population of --> active shooters <-- increasing based on population, I was suggesting a potentially reasonable correlation between overall population increase and the (possibly) reasonable assumption that a 20% population increase would also show a statistically relevant increase in the population of individuals representative of "at risk of becoming active shooters" (e.g. for the sake of argument let's say statistically 98% that group is 14-20 year old males).

 

Might be worthwhile to start a new thread with your thoughts on the issues that exist in InfoSec communicating risk to the business, where hard numbers are required (and available*).  I would definitely be interested in reading it w/o the, err, overhead / confusion of relating specifics here back to the original thread and various points we've all made.   I seem to be doing a pretty poor job of getting my points across with reference to the original thoughts, based on some of the replies.  I was looking at this much more as a discussion on the specific points of Rob's original post, while your take seems to be much more holistic (I think someone else pointed out this discrepancy as well, may well have been you).

 

* While I do agree with you that hard numbers and trusted source data (we all have to agree e.g. on source validity) as well as an agreed upon std for vulnerability criticality (cvss for instance) and asset value is a must in any business minded risk analysis, I also believe that we are still very much in the infancy of being able to build reliable "infosec actuary tables" which to some degree necessitates reasonable interpolation and extrapolation of existing data sets, as well as accepting some items as simple reality (if you don't practice at least a baseline level of good security you will be compromised in some way seems like a given)

 

 

/d

Baechle
Advocate I

Dain,

 


@Dain wrote:

I think your point on misunderstanding (was it your point?) is getting proven well in this thread.

 


Yes, that was one of my points.  

 


Might be worthwhile to start a new thread with your thoughts on the issues that exist in InfoSec communicating risk to the business, where hard numbers are required (and available*)  I would definitely be interested in reading it w/o the, err, overhead / confusion of relating specifics here back to the original thread and various points we've all made.  

We may be able to do that down the road.  I believe that the emotional impact of the "school shooter" theme in this conversation is wearing off, and we're starting to reach a point where we're having a worthwhile and reasonable talk about this - in the context of Violent Insider Threat Risk Management.

 

I believe that this conversation is very difficult to have, precisely because it's emotionally charged (people that want guns, people that want gun control, etc.) and that detracts from the underlying professional conversation.  In my personal opinion, I think we are doing a good job at having (or at least starting to have) a difficult conversation.  I don't think we should run away or turn our backs on that.  It's precisely this exercise, having a professional debate around a (emotionally, not technically) difficult topic, that is a skill we all need to continue to develop.

 

EDIT

 


I wasn't actually pointing to the population of --> active shooters <-- increasing based on population, I was suggesting a potentially reasonable correlation between overall population increase and the (possibly) reasonable assumption that a 20% population increase would also show a statistically relevant increase in the population of individuals representative of "at risk of becoming active shooters" (e.g. for the sake of argument let's say statistically 98% that group is 14-20 year old males).

 


Ok.  It's one of those days.  I forgot to address this component.  This argument is a self-fulfilling prophecy.  More people are at risk of potentially becoming active shooters because there are more people - is not falsifiable, in other words, not testable.  If we were to remove the potentially and change this hypothesis to be, In an increasing population, more white males aged 14-20 are at risk of becoming active shooters - we can actually test this. 

 

We can go back and look at the factors that led the cohort of white males aged 14-20 who were active shooters and evaluate what contributed to their decision to become violent.  Then we can take those factors and look for them in a statistical cross section over a few years of all white males aged 14-20 to see if those factors increased or decreased in correlation with the number of shooters in that group.  If these factors did in fact correlate, then we can state that these are tentatively relevant risk factors.  Finally, we can develop detective measures that then look for those risk factors.

 

The problem that I see, is that folks in the media are relying upon rhetoric and speculation rather than actually conducting this and similar studies.  The list of causes in @rslade's original post appeared to me to be an example of how we reach bad conclusions, and thus risk management decisions.  I was merely extending his original thought of how we might be able to turn that around - and drawing similarities for where this causes problems in other risk management scenarios.

 

/EDIT

 


I was looking at this much more as a discussion on the specific points of Rob's original post, while your take seems to be much more holistic (I think someone else pointed out this discrepancy as well, may well have been you)

 


We are currently standing on the precipice of a cultural shift in how Insider Threats are detected and managed; and like it or not a hearty sum of that burden is being thrown at IT Security professionals.  Insider Threat detection and mitigation has existed for as long as people have gathered together in organization.  In modern times, it has rested in corporate and nation-state Counterintelligence functions until there was laser tight media focus on the exfiltration and destruction of electronic data.  Practically overnight it became an IT Security problem, when before IT Security was simply one input to the overall Insider Threat strategy.

 

 

So, like it or not protecting a school from a shooter is at least partially an Information Technology Security Risk Management discussion.  If not, then IT Security Pros should be ready to defend why it's not.  If we're willing to accept that it is, then IT Security Pros should be skilled at having this emotionally charged conversation diplomatically and be ready to dive into the risk metrics rather than WAG.

 

In My Humble Opinion...  😄

 

Sincerely,

 

Eric B.

Dain
Contributor I


@Baechle wrote:

 


We are currently standing on the precipice of a cultural shift in how Insider Threats are detected and managed; and like it or not a hearty sum of that burden is being thrown at IT Security professionals.  Insider Threat detection and mitigation has existed for as long as people have gathered together in organization.  In modern times, it has rested in corporate and nation-state Counterintelligence functions until there was laser tight media focus on the exfiltration and destruction of electronic data.  Practically overnight it became an IT Security problem, when before IT Security was simply one input to the overall Insider Threat strategy.

 

 

So, like it or not protecting a school from a shooter is at least partially an Information Technology Security Risk Management discussion.  If not, then IT Security Pros should be ready to defend why it's not.  If we're willing to accept that it is, then IT Security Pros should be skilled at having this emotionally charged conversation diplomatically and be ready to dive into the risk metrics rather than WAG.

 


100% agreed - I think it's extremely relevant based not only on the need for good data, but the lack of testable data as it relates to a specific risk factor / vulnerability.

 

I'll also happily concede the emotional piece, with 4/5 of my immediate family at a school every day I get skittish when pundits on either side posit ridiculous tripe as root cause etc. (to Rob's original post) the capability to rationally carefully discuss, is in this instance, something I could easily have worked harder at. (doesn't help that my usual communication style has been described nicely as blunt)

 

I was responding more from a perspective of "what could possibly be reasonable risk factors?"  preferably ones that could be addressed in some way.

 

Much like many InfoSec risk and vulnerability issues I think there comes a time (namely when we get into psychology) where it's next to impossible to build a true scientific data set as we simply don't have the control groups, or the ability to demonstrably isolate individual contributing factors, let alone tangential factors which may decrease or increase the risk of an "at risk individual" becoming a "perpetrator"

 

For instance we can easily prove/disprove the supposition that a 20% increase in overall population indicates a statistically significant increase in "at risk active shooter groups" (and could likely determine with fair accuracy what said increase is with a reasonable, experiential definition of said group). However what we can't do scientifically is test the reasonable causative factors to determine which one is most likely to move an individual from "at risk" to "active shooter".  Thus the response becomes more of an effort at minimizing the risk any way possible, based on the overall impact of the situation.

 

I really do hate the UI, replying in email with simple cut and paste would be so much quicker, the small box and all or nothing quoting makes this take so much more time (tho mouse vs trackpad is still easier)

 

 

Baechle
Advocate I

Dain,

 

Let’s start here.

 

  • Much like many InfoSec risk and vulnerability issues I think there comes a time (namely when we get into psychology) where it's next to impossible to build a true scientific data set as we simply don't have the control groups, or the ability to demonstrably isolate individual contributing factors, let alone tangential factors which may decrease or increase the risk of an "at risk individual" becoming a "perpetrator"

 

I respectfully disagree that it’s nearly impossible to build a true scientific data set.  I will say that not many people are actually going out and building that data set.  Academically, the disciplines of psychology, sociology, and criminology are still very fractured and appear to just be crawling out of the pit of arguing over if either Jung or Freud was right.  This is opposed to admitting that there may be several different contributing factors relevant and applicable only to each individual case, and not to others. 

 

And then, Information Technology as a research discipline as opposed to an engineering discipline seems to have just taken its first yawning stretch of the morning.  I only know of one ongoing study of Insider Threat within the technology world, by Doctoral Candidate Jan Buitron (@jbuitron) (sorry for tagging you here if it was a distraction, but I wanted to give you props for tackling this topic).

 

I will respectfully agree and amplify that we currently don’t have an effective ability to isolate individual contributing factors that indicate elevated risk.  As a society, it is my personal observation that we are willing to sit back and let media, superstition, and bias establish those factors instead of admitting to ourselves that we haven’t collected the data yet.

 

I still have a problem with the foundation of your hypothesis.  It assumes that the risk factors (which we don’t know) are directly linked to the size of the population rather than fluctuate based on some other conditions (which we haven’t bothered to figure out yet).  I believe this is formally called a Regression Fallacy.  You can make every argument from it including the opposite to your position.  (a) With more people, there are more people in the world who are not at risk of becoming violent. (b) With more people, there are more people at risk of spontaneously turning into carrots.  (c) With more people, there are more people at risk of making more people, and therefore potentially more carrots. (d) etc.

 

Care to take another stab at forming a hypothesis?

 

Sincerely,

 

Eric B.

jbuitron
Contributor I

Hi Eric,

Apologies for the late (belated) reply. No need to apologize for tagging my studies in the Insider Risk\Insider Threat. I DID finish in June of 2018.

 

Then, life not only threw rocks in my way, it threw boulders. Boulders like the 1000-plus homes burned to the ground in the cities of Superior and Louisville on 12-30-2021. I have still yet to publish my dissertation.

 

Keep up the creative thought, and work,

 

Best to you in all things,

Dr. Jan Shuyler Buitron

Doctorate of Computer Science in Cybersecurity, minor in Management

Master of Science in Cybersecurity

CISSP, MCSE, ITIL v2, v3

 

Senior Cybersecurity Systems Engineer\Lead