Simple Risk Model (Part 3 of 5): Simulate Loss Magnitude

December 22, 2010

Part 1 – Simulate Loss Frequency Method 1
Part 2 – Simulate Loss Frequency Method 2

In parts one and two of this series we looked at two methods for simulating loss frequency. Method one – while useful – has shortcomings as it primarily requires working with expected loss frequency values less than 1 (once per year). In addition, with method one, it was not possible to determine iterations where loss frequency could be greater than once per year.

Method two overcame these limitations. We leveraged the Poisson probability distribution (discrete distribution) as well as an expected loss frequency value and a random value between 0 and 1 to return a loss value (an integer) for any given iteration. Using this method – about 10% of our iterations resulted in loss events and some of those iterations had multiple loss events. From my perspective method two is the more useful of the two – especially since it has the potential to account for low probability situations where there could be numerous loss events for any simulation iteration.

The purpose of this post is to simulate loss magnitude. Conceptually, we are going to do what we did with loss frequency method two – but our distribution and input parameters will differ. To simulate loss magnitude we need four things:

1.    A continuous probability distribution.
2.    A random value between 0 and 1.
3.    An expected or average loss magnitude.
4.    A loss magnitude standard deviation.

Continuous Probability Distribution. Technically, if you have internal or external loss magnitude data, you would analyze that data and fit the data to an appropriate continuous probability distribution. There are dozens of such distributions. There are often times where we have limited data or we need to make good faith (or “educated”) assumptions about the shape of our loss magnitude curve. The loss magnitude curves of a lot of IT risk scenarios are often assumed to be normal or lognormal in nature. Normal is often assumed but it has its limitations since there can be negative values and rarely is there a “perfect” normal loss magnitude curve for IT risk scenarios. However, most of the “normal-like” distributions converge to normal (as data points increase). Thus, for the purposes of demonstration I am going to use the normal distribution.

Random Value Between 0 and 1. Because we are dealing with uncertainty and a distribution, we will use random values between 0 and 1 in our probability distribution; think Excel function RAND().

Expected or Average Loss Magnitude. Statistics 101 – If you take the sum of X values and divide by X you get the average. Quantitative risk analysis methodologies like FAIR can facilitate deriving an average loss magnitude estimate. Or maybe, you have actual loss magnitude data points. How you derive average loss magnitude is not the focus of this post – just remember that to use the normal distribution you need that average loss magnitude value.

Loss Magnitude Standard Deviation. More Statistics 101. At a high level, standard deviation is a statistic or measure of how spread out our data points are relative to the mean. The larger the number, the greater or flatter our distribution (think bell curve) will be; the smaller the number – the more narrow the bell curve will be. In the interest of brevity, it is assumed that either you can use existing Excel functions to calculate a standard deviation from your loss magnitude data points, or your risk analysis tool sets will provide this value to you. In some cases you may not have actual data sets to calculate a standard deviation let alone an average magnitude value – in those cases we have to make our best estimates and document assumptions accordingly.

How do these work together? In layman’s terms – given a normal loss distribution with an average loss magnitude of $5000 and a standard deviation of $1000; what is the loss value (inverse cumulative value) at any point in the distribution, given a random probability value?

You may want to download this Excel spreadsheet to reference for the rest of the post (it should work in Excel 2003, Excel 2007 and Excel 2010; I have not tested it on Office for Mac). Reference tab “magnitude” and make sure you view it in Excel and NOT in Google Apps.


a.    The average loss magnitude amount is $5000 (cell B1; tab “magnitude”)

b.    The loss magnitude standard deviation is $1000 (cell B2; tab “magnitude”)

c.    For purposes of demonstration, we will number some cells to reflect the number of iterations (A9:A1008; A9=1; A10=A9+1; drag A10 down until you get to 1000).

d.    In Excel, we would use the =RAND() function to generate the random values in cells B9:B1008.

e.    Now, in column C beginning in cell C9 – we are going to combine a Normal probability distribution with our average loss ($B$1), standard deviation ($B$2) and the random value(s) in column B to return a loss value. In other words, given a normal distribution with mean $5000 and standard deviation of $1000 – what is the value of that distribution given a random value between 0 and 1 – rounded to the nearest 10th? You would type the following in C9 and then drag C9 down to C1008:
=ROUND(MAX(NORMINV(B9,$B$1,$B$2),0),-1)

Let’s dissect this formula.

i.    ROUND. I am going to round the output of this formula to the nearest 10; annotated by the -1.
ii.    MAX. Because we are using the normal distribution and because some values could be less than zero, which is not applicable for most IT scenarios, we are going to compare the value generated by the NORMINV function to 0. Whichever is larger is the value that then gets rounded to the nearest 10.
iii.    NORMINV. This is the function built into Excel that returns an inverse cumulative value of a normal distribution given a probability, a mean and a standard deviation.

f.    Once you have values in all the cells – hit F9 a few times.

g.    Cell B3 gives the minimum loss value from cells C9 through C1008. The random value associated with the minimum value is probably less than 0.00xxxx.

h.    Cell B4 gives the maximum loss value from cells C9 through C1008. The random value associated with the maximum value is probably greater than 0.99xxxx.

i.    The histogram shows the count of iterations whose loss magnitude values fall within a loss magnitude bin. If you drew a line around the tops of each column it would resemble a bell curve. We expect to get this since we are using the normal distribution.

j.    Press the F9 key; new random values will be generated. Every time you press F9 think of it as a new simulation with 1000 iterations. Press F9 lots of times and you will notice that the histogram changes as well. While individual bin counts will change – the general shape of the histogram does not.

k.    By the way, if you change the average loss magnitude value in cell B1 – the histogram will probably break. But you can change the value in B2 to 500, hit F9 a few times and observe how the bell-curve shape becomes more narrow. Or, change B2 to 2000 and you will see a much flatter bell curve.
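For readers who want to reproduce steps a through k outside of Excel, here is an added Python example (my own code, not the spreadsheet's or the author's). It translates the C9 formula directly: NORMINV becomes statistics.NormalDist.inv_cdf, MAX(...,0) becomes a clamp at zero, and ROUND(...,-1) is re-implemented so that halves round up the way Excel does rather than to even the way Python's built-in round() does. The function names, the 500-dollar histogram bin width and the seed value are my assumptions; the post does not specify its bin edges.

```python
"""Loss magnitude draw: the inverse normal CDF fed with a uniform random value.

Python translation of the spreadsheet formula
    =ROUND(MAX(NORMINV(B9,$B$1,$B$2),0),-1)
Names (round_to_tens, loss_magnitude, simulate_magnitude) and the bin width
are this example's own choices, not the spreadsheet's.
"""
import random
from statistics import NormalDist


def round_to_tens(x):
    """Excel ROUND(x, -1) semantics for non-negative x: nearest 10, halves up.
    Python's built-in round() rounds halves to even, so it is not used here."""
    return int(x / 10 + 0.5) * 10


def loss_magnitude(u, mean, std_dev):
    """One cell of column C.
    u        -> the RAND() value in column B (must be strictly between 0 and 1)
    mean     -> average loss magnitude, cell B1
    std_dev  -> loss magnitude standard deviation, cell B2
    """
    if not 0.0 < u < 1.0:
        raise ValueError("u must be strictly between 0 and 1")
    raw = NormalDist(mean, std_dev).inv_cdf(u)   # NORMINV(u, mean, std_dev)
    clamped = max(raw, 0.0)                       # MAX(..., 0): no negative losses
    return round_to_tens(clamped)                 # ROUND(..., -1)


def simulate_magnitude(mean, std_dev, iterations=1000, bin_width=500, seed=None):
    """One 'F9 press': draw `iterations` loss magnitudes and summarise them the
    way the 'magnitude' tab does (min in B3, max in B4, plus the histogram).
    bin_width is an assumed value; the post does not state its bin edges."""
    rng = random.Random(seed)
    values = [loss_magnitude(rng.random(), mean, std_dev) for _ in range(iterations)]
    histogram = {}
    for v in values:
        lower = (v // bin_width) * bin_width      # lower edge of the bin v falls in
        histogram[lower] = histogram.get(lower, 0) + 1
    return {
        "min": min(values),
        "max": max(values),
        "mean": sum(values) / len(values),
        "histogram": dict(sorted(histogram.items())),
    }


if __name__ == "__main__":
    # Same inputs as the post: mean $5000, standard deviation $1000.
    result = simulate_magnitude(5000, 1000, seed=2010)
    print("min:", result["min"], "max:", result["max"], "mean:", round(result["mean"]))
    for lower, count in result["histogram"].items():
        print(f"{lower:>6}-{lower + 499:<6} {'#' * (count // 5)} {count}")
```

Running the script prints a text histogram whose column heights trace the bell curve the post describes; re-running with std_dev=500 or 2000 reproduces the narrowing and flattening noted in step k. Changing the seed is the equivalent of pressing F9.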

KEY TAKE-AWAY(S)

1.    As we did with simulating loss frequency, we leverage randomness to simulate loss magnitude.

2.    While we typically talk about an average loss magnitude value; losses can range in terms of magnitude. Being able to work within a range of loss values gives us a more complete view of our loss potential.

In part four of the series, we will combine loss frequency and loss magnitude into one simulation. For every iteration, we will randomly derive a loss frequency value (an integer) and a loss magnitude value. We will then calculate an expected loss, which is the product of the loss frequency and the loss magnitude values. Perform this cycle thousands or millions of times and you now have an expected loss distribution.


Simple Risk Model (Part 2 of 5): Simulate Loss Frequency #2

November 1, 2010

Part 1

In part one of this series we looked at how we can simulate loss frequency for values less than 1 (less than one occurrence per year). We generated a random value, compared it to 0.1000, and counted the number of times our random number was less than 0.1000. In some simulations the percentage of loss was less than or greater than 0.1000. As you will recall there are a couple of noteworthy shortcomings with the method outlined in part 1:

1.    If the expected loss frequency is greater than 1 then using RAND() is not viable, because RAND() only generates values between 0 and 1.

2.    In iterations where you had a loss event; method one does not reflect the actual number of loss events for that iteration. In reality, there could be some iterations (or years) where you have more than one loss event.

The focus of this post is to cover a method that is probably more appropriate for modeling information technology risk as it pertains to loss frequency and overcomes the limitations listed above.

For this method we need three things:

1.    A probability distribution; preferably a discrete probability distribution; we’ll go with Poisson. Why Poisson? (UMASS, VOSE)

a.    In the binomial process, there are n discrete opportunities for an event (a ‘success’) to occur. In the Poisson process, there is a continuous and constant opportunity for an event to occur.
b.    The event is something that can be counted in whole numbers; (no such thing as a partial loss event)
c.    Loss events are independent, so that one occurrence neither diminishes nor increases the chance of another; (assumption in a lot of IT risk scenarios).
d.    The average frequency of occurrence for the time period in question is known (in our case, could be based off evidence or subject matter estimates)

2.    An expected loss frequency; like the first method, the expected loss frequency is 0.1000; or once every ten years we expect a loss event.
3.    A random value. We will use Excel’s random number generator to generate a random value between 0 and 1.

How do these work together? In layman’s terms – given an expected loss frequency (0.1000) that is Poisson in nature – what is the integer or number of loss events (inverse cumulative value), given a probability (random value)?

You may want to download this Excel spreadsheet to reference for the rest of the post (it should work in Excel 2003, Excel 2007 and Excel 2010; I have not tested it on Office for Mac). Reference tab “loss 2”

Make sure you view it in Excel and NOT Google Apps.

a.    The stated expected loss frequency is 0.1000 (cell B1; tab “loss 2”)

b.    For purposes of demonstration, we will number some cells to reflect the number of iterations (A9:A1008; A9=1; A10=A9+1; drag A10 down until you get to 1000).

c.    In Excel, we would use the =RAND() function to generate the random values in cells B9:B1008.

d.    Now, in column C beginning in cell C9 – we are going to combine a Poisson probability distribution with our expected loss frequency and the random value(s) in column B to return an integer that is the number of loss events for that iteration. You would type the following in C9 and then drag C9 down to C1008:
=poisinv1(B9,$B$1)

i.    Poisinv1 is a function that returns the inverse cumulative value of a Poisson distribution for a given random value. I used the SimTools VBA code to generate this value. In addition, this approach negates the need for you to install the SimTools Excel add-on.
ii.    B9 is the random value we generated in step c.
iii.    $B$1 is the expected loss frequency declared in step a.

e.    Once you have values in all the cells, you can now look at how many iterations resulted in a loss and how many did not. Cell B2 counts the number of iterations you had a loss and cell B3 counts the number of iterations you did not have a simulated loss; their corresponding percentages are next to each other.

f.    Cell B4 sums up the number of actual loss events for all 1000 iterations. You will notice that more than likely, the value in B4 is greater than the value in B2. This is the result of using the Poisson probability distribution – there were some iterations where there was more than one loss event.

g.    Take a look at cell B5 – the number in this cell is the maximum number of loss events across our iterations. Given our input parameters – it will most likely be 2, maybe 3.

h.    The pie chart shows the percentage and count for iterations that resulted in loss versus those that did not.

i.    Press the F9 key; new random values will be generated. Every time you press F9 think of it as a new simulation with 1000 iterations. Press F9 lots of times and you will notice that in some simulations loss events occur greater than 10% of the time and in some simulations less than 10% of the time.

j.    Like the first loss frequency simulation method, what you are observing is the effect of randomness. Over a large number of iterations and/or simulations we would expect the loss frequency to converge to 10%.
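The following added Python example (my own code, not the SimTools VBA or the author's spreadsheet) reproduces what poisinv1 does for step d: it walks the Poisson cumulative distribution term by term and returns the smallest integer whose cumulative probability is at least the random value. It then runs the 1000-iteration simulation and reports the same counts as cells B2 through B5, and it includes a helper that computes the random-value threshold above which an iteration yields two or more loss events, which is the "0.99xxxx" observation in the key takeaways. Function names and the seed are my assumptions.

```python
"""Loss frequency method 2: inverse Poisson CDF driven by a uniform random value.

Mirrors the spreadsheet cell  =poisinv1(B9,$B$1)  where B9 is RAND() and B1
is the expected loss frequency. Names (poisson_cdf, poisson_inv,
threshold_for, simulate_frequency) are this example's own.
"""
import math
import random
from collections import Counter


def poisson_cdf(k, mean):
    """P(X <= k) for a Poisson(mean) variable, summed term by term using the
    recurrence P(X = i) = P(X = i-1) * mean / i, starting from P(X = 0) = e^-mean."""
    pmf = math.exp(-mean)
    cdf = pmf
    for i in range(1, k + 1):
        pmf *= mean / i
        cdf += pmf
    return cdf


def poisson_inv(u, mean):
    """Inverse cumulative value: the smallest integer k with P(X <= k) >= u.
    u    -> the random value in column B (0 <= u < 1)
    mean -> the expected loss frequency in cell B1
    """
    if not 0.0 <= u < 1.0:
        raise ValueError("u must be in [0, 1)")
    if mean <= 0:
        return 0
    k = 0
    pmf = math.exp(-mean)        # P(X = 0)
    cdf = pmf
    while cdf < u and pmf > 0:   # pmf underflowing to 0 guards against an endless loop
        k += 1
        pmf *= mean / k          # P(X = k)
        cdf += pmf
    return k


def threshold_for(k, mean):
    """Smallest random value that makes poisson_inv return k or more, i.e.
    P(X <= k-1). For mean 0.1 and k = 2 this is about 0.9953, which is why
    iterations with two loss events sit next to a 0.99xxxx random value."""
    return poisson_cdf(k - 1, mean) if k > 0 else 0.0


def simulate_frequency(expected_frequency, iterations=1000, seed=None):
    """One 'F9 press': a loss-event count per iteration plus the summary
    the 'loss 2' tab shows in cells B2..B5."""
    rng = random.Random(seed)
    counts = [poisson_inv(rng.random(), expected_frequency) for _ in range(iterations)]
    with_loss = sum(1 for c in counts if c > 0)
    return {
        "iterations_with_loss": with_loss,                   # B2
        "iterations_without_loss": iterations - with_loss,   # B3
        "total_loss_events": sum(counts),                    # B4
        "max_events_in_one_iteration": max(counts),          # B5
        "distribution": Counter(counts),                     # events -> iteration count
    }


if __name__ == "__main__":
    result = simulate_frequency(0.1, seed=2010)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("random value needed for 2+ events:", round(threshold_for(2, 0.1), 6))
```

The distribution entry makes the tail visible directly: with an expected frequency of 0.1 most of the 1000 iterations land on 0, roughly 90 on 1, a handful on 2 and occasionally one on 3, matching what the post says to expect in cell B5.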

KEY TAKE-AWAYS

1.    This method overcomes the shortcomings of the first method in that we can simulate the number of loss events regardless of the expected loss frequency value and this method results in a few iterations where there was more than one loss event.

2.    Given the stated input parameters and for those iterations where there was more than one loss event – look at the random value to the left of that cell (column B). More than likely the random value is 0.99xxxx. The higher the random value – the larger the returned integer will be. We often hear of “tail risk”. This method can help us better understand the “tail” of a risk distribution if we were to simulate a loss magnitude for every instance of a loss event.

In part three of this series we will look at simulating loss magnitude using randomness combined with an average loss amount and a standard deviation.

In part four we will combine simulated loss frequency and simulated loss magnitude into a single function.

Part five will be a wrap up.


Simple Risk Model (Part 1 of 5): Simulate Loss Frequency #1

October 25, 2010

Let’s start this series by defining risk. I am going to use the FAIR definition of risk which is: the probable frequency and probable magnitude of future loss. From a modeling perspective, I need at least two variables to model the risk for any given risk issue: a loss frequency variable and a loss magnitude variable. Hopefully, you are using a risk analysis methodology that deconstructs risk into these two variables…

The examples I am sharing in this blog series are an example of stochastic modeling. The use of random values as an input to a probability distribution ensures there is variation in the output; thus making it stochastic. The variable output allows for analysis through many different lenses; especially when there are additional (meaningful) attributes associated with any given risk issue (policy section, business unit, risk type, etc…).

Part 1 and 2 of this series will focus on “probable or expected [loss] frequency”. Frequency implies a number of occurrences over a given period of time. Loss events are discrete in nature; there are no “partial” loss events. So, when we see probable loss frequency values like 0.10 or 0.25 – and our time period is a year – we interpret that to mean that there is a 10% or 25% chance of a loss event in any given year. Another way of thinking about it is in terms of time; we expect a loss event once every ten years (0.10) or once every four years (0.25). Make sense?

You may want to download this Excel spreadsheet to reference for the rest of the post (it should work in Excel 2003, Excel 2007 and Excel 2010; I have not tested it on Office for Mac).

Make sure you view it in Excel and NOT Google Apps.

In a simulation, how would we randomly draw loss frequency values for a risk issue whose expected loss frequency is 0.10, or once every ten years? I will share two ways; the first of which is the remainder of this post.

For any simulation iteration, we would generate a random value between 0 and 1; and compare the result to the expected loss value

a.    The stated expected loss frequency is 0.10 (cell B1; tab “loss 1”)

b.    For purposes of demonstration, we will number some cells to reflect the number of iterations (A6:A1005; A6=1; A7=A6+1; drag A7 down to you get to 1000).

c.    In Excel, we would use the =RAND() function to generate the random values in cells B6:B1005.

d.    We would then compare the randomly generated value to the expected loss frequency value in cell B1; with this code in C6 dragged down to C1005:

=IF(B6<=$B$1,1,0)

i.    If the generated random value in cell B6 is equal to or less than 0.1000 (cell B1), then the number of loss events for that iteration is 1.
ii.    If the generated random value in B6 is greater than 0.1000, then the number of loss events for that iteration is 0.

e.    Once you have values in all the cells, you can now look at how many iterations resulted in a loss and how many did not. Cell B2 counts the number of iterations you had a loss and cell B3 counts the number of iterations you did not have a simulated loss; their corresponding percentages are next to each other.

f.    The pie chart shows the percentage and count for each loss versus no loss.

g.    Press the F9 key; new random values will be generated. Every time you press F9 think of it as a new simulation with 1000 iterations. Press F9 lots of times and you will notice that in some simulations loss events occur greater than 10% of the time and in some simulations less than 10% of the time.

h.    What you are observing is the effect of randomness. Over a large number of iterations and/or simulations we would expect the loss frequency to converge to 10%.

i.    Another thing worth mentioning, is that output from the RAND() function is uniform in nature. Thus, there is equal probability of all values between 0 and 1 being drawn for any given iteration.

j.    Since our expected loss frequency is 0.1000 and the RAND() functions output is uniform in nature – we would expect to see 10% of our iterations result in loss; some were more and some were less.
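As an added example (my own code, not the author's spreadsheet), the Python below reproduces the comparison in step d and then repeats the 1000-iteration simulation many times, which is the equivalent of pressing F9 over and over. The lowest, highest and average loss percentages across the repeated runs show both effects described in steps g through j: individual simulations scatter above and below 10%, while the average converges toward it. The function names, the number of repeated simulations and the seed are my assumptions.

```python
"""Loss frequency method 1: compare a uniform random value to the expected
loss frequency (spreadsheet cell  =IF(B6<=$B$1,1,0)) and repeat the
1000-iteration simulation many times to see how far single runs stray from 10%.
Names (loss_occurred, simulate_method1, repeated_simulations) are this example's own.
"""
import random


def loss_occurred(u, expected_frequency):
    """One cell of column C: 1 if the RAND() value u is <= the expected loss
    frequency (cell B1), otherwise 0. This carries the limitation the post
    describes: for expected_frequency >= 1 every u qualifies, so every
    iteration reports exactly one loss and never more."""
    return 1 if u <= expected_frequency else 0


def simulate_method1(expected_frequency, iterations=1000, seed=None):
    """One 'F9 press': loss / no-loss iteration counts (cells B2 and B3) and
    the loss percentage for this run."""
    rng = random.Random(seed)
    losses = sum(loss_occurred(rng.random(), expected_frequency) for _ in range(iterations))
    return {"loss": losses, "no_loss": iterations - losses, "loss_pct": losses / iterations}


def repeated_simulations(expected_frequency, simulations=100, iterations=1000, seed=None):
    """Press F9 `simulations` times and record each run's loss percentage.
    Returns the lowest, highest and average percentage across the runs, which
    shows the scatter of single runs around the expected value and the
    convergence of the average as runs accumulate."""
    rng = random.Random(seed)
    pcts = [
        simulate_method1(expected_frequency, iterations, seed=rng.getrandbits(64))["loss_pct"]
        for _ in range(simulations)
    ]
    return {"lowest": min(pcts), "highest": max(pcts), "average": sum(pcts) / len(pcts)}


if __name__ == "__main__":
    print("single run:", simulate_method1(0.10, seed=2010))
    print("100 runs:  ", repeated_simulations(0.10, seed=2010))
```

Calling simulate_method1 with an expected frequency above 1 demonstrates the first limitation listed below in code: every iteration returns 1, so the result says nothing about years with several loss events.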

There are some limitations with this method for simulating the loss frequency portion of our risk model:

1.    If the expected loss frequency is greater than 1 then using RAND() is not viable, because RAND() only generates values between 0 and 1.

2.    In iterations where you had a loss event; this method does not reflect the actual number of loss events for that iteration. In reality, there could be some iterations (or years) where you have more than one loss event.

Some of the first models I built used this approach for generating loss frequency values. There is usefulness regardless of its simplicity. However, there are other methods to simulate loss frequency that are more appropriate for modeling and overcome the limitations listed above. In the next post, we will use random values, a discrete probability distribution and the expected loss frequency value to randomly generate loss frequency values.

NOTES / DISCLAIMERS: I am intentionally over-simplifying these modeling examples for a few reasons:
1.    To demonstrate that IT Risk modeling is achievable; even to someone that is not an actuarial or modeling professional.
2.    To give a glimpse of the larger forest past some of the trees blocking our view within the information risk management profession.
3.    As with any model – simple or complex – there is diligence involved to ensure that the right probability distributions and calculations are being used; reflective of the data being modeled.
4.    In cases where assumptions are being made in a model; they would be documented.


Useful Risk Modeling / Simulation Excel Add-Ons

October 18, 2010

I have had a lot of “modeling” and simulation conversations over the last several months. One common strand of these discussions is around Excel add-ons used to perform simulations and analysis. I want to share with you a few thoughts as well as some of the add-ons I use.

THOUGHTS

1.    Add-ons are great and they can make a lot of aspects of simulation and analysis “easy”. However, I would argue that you still need to understand “the why” and “the how” of features and functionality of the add-on to ensure you are using the add-on correctly. One of my modeling mentors discourages extensive use of “fancy” add-ons – he prefers plain vanilla Excel. He prefers native Excel because most of the add-ons are not worth the money. He has also suggested that if you are forced to write your own calculations and create your own model / charts, it forces you to learn the trade – especially the probability theory and statistics. There is truth in what he says but one has to balance time with learning.

2.    Generally speaking, most of what you need for Monte Carlo simulations is already in Excel. So, if you have the input parameters you need, know the right distribution to reference, and have some little to moderate VBA skills – you can begin to conquer the world.

3.    Add-on documentation. Any add-on or 3rd party plug-in should have ample documentation. In cases where the add-on includes its own probability distributions – understand why you would use one tool’s probability distribution implementation over any other.

TOOLS

1.    Microsoft Excel. At a minimum you want to use Excel 2007 – just to get around some of the row and column limitations of previous versions of Excel. Do not use versions of Excel prior to Excel 2003 as the random number generator was flawed. With Excel 2010, Microsoft included a new random number generator algorithm called Mersenne Twister. I won’t bore you with the details – just understand that it is a good thing and reduces the need for yet another Excel plug-in or 3rd party tool.

2.    SimTools. This is a recent find for me and it is FREE. The primary reason I like this add-in is for its broad implementation of inverse cumulative-probability functions that Excel 2007 does not have. Another reason I like this add-on is that the SimTool VBA code can be found here; just in case you need to validate calculations that are occurring or if your work is being audited / challenged.

3.    Simulacion. I was originally turned onto this add-on by my modeling mentor and it’s free as well; though there is a shortage of documentation. Some of the useful features are: distribution fitting and correlation capabilities. I do not use this add-on very much – but the distribution fitting capability alone makes it worth having.

4.    RiskAmp. I was introduced to RiskAmp via Risk Management Insight (RMI). Some of RMI’s tools leverage (require) the RiskAmp add-on. RiskAmp includes a few continuous probability distributions not included in Excel. One specifically is the betaPERT distribution. RiskAmp’s implementation of betaPERT allows for a fourth parameter called lambda which determines the height of the distribution. For what it’s worth, Oracle’s CrystalBall betaPERT implementation does not allow for lambda. So, if betaPERT is a big deal in your analysis / simulations and you don’t need other flash-whiz-bang functionality out of Oracle CrystalBall – save yourself over $1000 and purchase a copy of RiskAmp. One more thing on RiskAmp – I cannot prove it yet – but I think there are some memory sharing issues with their code. If you have multiple spreadsheets of which you are using RiskAmp for simulations – the speed of any one simulation is painfully slow.

5.    Mersenne Twister (MT) pseudorandom number generator. The nice folks at Structured Data (makers of RiskAmp) were nice enough to make a MT pseudorandom number generator add-on available for FREE. I have used this add-on in both Excel 2003 and Excel 2007. There is no need for it if you are using Excel 2010 – since Microsoft implemented the MT algorithm in its RAND() function.

6.    XLSim. This is a nifty Monte Carlo simulator that has a bunch of goodies in it that make it worth the couple of hundred dollars. There is a lot of flexibility with the chart output and the simulation menus are very intuitive. XLSim also includes the ability to store simulation results via the DIST standard. I will limit discussion of DIST for this post – but there are quite a few vendors that have already accommodated their software to create and/or work with DIST files.

7.    MegaStat. MegaStat came with one of my decision science textbooks while taking some courses at the Fisher College of Business; The Ohio State University. There is a great correlation matrix generator, the descriptive statistics functionality is great, and there are some other useful functions. While you can definitely find MegaStat for free on the Internet – consider buying a textbook from the creator of MegaStat, Professor J.B. Orris; Butler University. It’s ethically the right thing to do and it’s a small price to pay for a great utility!

8.    XY Chart Labeler. This FREE Excel add-on has nothing to do with statistics or probability distributions. I use this add-on to add labels to data points for some charts. Does not sound like much but the functionality makes up for a shortcoming in Excel.

That’s it for now. Feel free to leave comments; especially if you have a really useful add-on or tool that you have used. I will mark as SPAM any comments that I feel are purely product pitches – with no substantive, experience based content.


ANALYTICAL THINKING or F.U.D?

August 28, 2010

Image Source; fudsec.com

SHORT BLOG POST VERSION:
I get a lot of satisfaction from teaching others the FAIR methodology. But equally satisfying is me knowing that I am helping build a culture of analytical thinking for both the class participant and our employer.

LONG BLOG POST VERSION:
This past week I had the privilege of teaching a three-day BASIC FAIR course at my employer. This is the second FAIR course I have taught and I can honestly state that I learned a lot about my company and the course participants; most of which I will be interacting with in the coming months in a consulting capacity.

Teaching the FAIR methodology is very challenging and rewarding. Because people’s preconceived notions of risk are challenged within minutes of being introduced to FAIR – there is no shortage of AH-HAH moments for them as well as no shortage of the instructor being stretched to unimaginable limits to take their examples and questions and view them through the lens of FAIR. I have walked away from both classes feeling like I learned more than they did.

I am currently reading “The Flaw of Averages” by Sam L. Savage. I highly recommend this book for a seasoned information risk practitioner. I will probably reference the book many times in future posts but for this post I want to talk about a sentence or two from Chapter 11; page 85 (hardcover). Savage references Wells Fargo in 1997 and how they ‘maintained a culture of analytical thinking’.

So ask yourself this: Does my information risk management program instill a culture of analytical thinking or one of F.U.D. (Fear, Uncertainty & Doubt)?

The FAIR methodology when used correctly will force the practitioner to be analytical. But for an entire information risk management program to require all of its members to go through this training is telling of the culture we are creating. And guess what? This analytical thinking is not limited to our information risk management program. Our practitioners have to be able to explain their risk analysis to those individuals (IT & Business) accountable for the risk and responsible for the mitigation activity.

In summary, I get a lot of satisfaction from teaching others the FAIR methodology. But equally satisfying is me knowing that I am helping build a culture of analytical thinking for both the class participant and our employer.


Standing On The Shoulders Of Giants (SOTSOG): My Parents

June 23, 2010

INFORMATION SECURITY PROFESSION TRAITS: TENACIOUS & FAITHFUL

This post is about my parents. My parents have been married for about 40 years and everyone in our family (parents, sister and I) still talks to one another!

My Dad is a Baptist minister; has been since I was like three years old or something. My mom currently works in the healthcare industry, but growing up she was a full-time Mom and as we got older she had some administrative jobs. People underestimate the demands placed upon ministers and their families. They get a lot of satisfaction from their profession. They give more than they earn, let alone take. Our family did not have excess but we were not poor either; the word optimal comes to mind.

TENACIOUS (Merriam Webster definition / synonyms)
My parents adhere to a way of life that was not always easy to understand growing up. I respect my parents for their resolve and desire to guard me (often against my desires) from situations that could have had undesirable consequences. However, I still managed to get myself in trouble on occasion. I would laugh when being corrected, once in a while I made remarks that were not polite, I cut a girl’s hair “tail” off in the 6th grade, I liked flirting with girls – normal stuff…right?

Spanking – both in the home and in schools – was still a norm in the small town I spent the majority of my childhood in. Yep, I got spanked once in a while – and to the best of my knowledge I deserved every one of them. I preferred the hand or a ping pong paddle instead of a wooden spoon or a real paddle. I also learned at some point that attempting to run away from or move in the paddling process could result in misplacement of the object striking me. Deep down inside I know my parents did not enjoy punishing me – they would probably never verbally admit they received some satisfaction from it – but if they ever read this – I bet you they would start to crack a smile…

Even though I do not share *all* of their political, social, or spiritual views – I respect – and even admire – them for their tenaciousness.

So how does this pertain to information security or risk management? From my perspective, it is not always easy to be in this profession. Between technology changes, doubters, binary IT mindsets, shortage of data sets, the nature of our work and a slew of other things – it is easy to become frustrated with our profession and leave. Our profession is not a one, two or three year stroll in the park that should reward folks with extra money because they passed the CISSP exam or know a list of acronyms. We are in a journey within a profession that is still evolving and that is slowly but surely integrating itself within business management. To that end is where I think tenacity comes into play.

FAITHFUL (Merriam Webster definition / synonyms)

When I reflect back on the first 18 years of my life – my parents are usually the first thought that comes to mind when I think about faithfulness. With my Dad being a minister, I grew up seeing first hand how he and my mother served the church(es) he ministered to. The word ‘served’ is probably not an adequate word to describe his and her commitment to a group of people for whom they would drop pretty much anything they were doing to be there in someone’s time of need – regardless of the circumstances.

So how does this pertain to information security or risk management? Well, there is a lot of randomness associated with the nature of our profession. We have very little control over externally initiated security incidents or even incidents that occur internally – no matter how awesome or weak our risk management programs are. Thus, we have to be there to deal with incidents and issues; 24×7. Faithfulness is applicable in many aspects of our lives; our personal relationships, our professional relationships, our employer, our profession and the list goes on. There are lots of times where we as information security professionals are not popular with the teams we are helping or non-information security people leaders in general. This is where faith comes into play. If you first stick to the principles of our profession and not get wrapped up in the emotions of others’ objections to what we are here to do – you will probably prevail.

The next SOTSOG post will be about the United States Marine Corps – feel free to drop down and give them 20, plus one for those currently getting shot at – just because!

Note: I started this post on 5/30/2010. A lot of things have happened since then that make me appreciate my parents even more. My Dad was having some chest pains and after a heart catheterization found out he had a 95% blocked artery in his heart; he had a stent put in the same day. Two days later he and my Mom made an emergency flight to Hilton Head to drive two of our relatives back to Ohio, one of whom had been admitted to the emergency room because of a blocked bowel. Yet another example of unselfish faithfulness.


Risktical Blog Series: SOTSOG

May 28, 2010

Recently in the information security web 2.0 circles there has been some buzz about “breaking” into the industry, what does career goodness look like, etc. This has prompted me to think about my journey to date; and I would like to write a series titled “Standing On The Shoulders Of Giants” (SOTSOG).

The first few posts in the series may have little to do with risk management since they date back to my childhood and Marine Corps days. However, it would be negligent of me not to reference some people or things dear to me from those days since they established the foundation upon which I have been built.

For each post, I will make a point to highlight the one or two qualities from that particular “giant” that I think apply to the information risk management professional. And just in case I forget to write the following points in my posts, let me take the opportunity to do it now:

1. YOU are responsible for YOUR career (period).
2. YOU cannot control EVERY aspect of YOUR career.
3. However, YOU are responsible for how YOU deal with the things YOU cannot CONTROL.
4. It’s OK to admit YOU don’t know something.
5. The advice I give to kids going into boot camp or learning something brand new: KEEP YOUR EYES AND EARS OPEN and YOUR MOUTH SHUT!

I hope you will enjoy the series. I will try not to expose too much of the gooey center inside my crunchy shell.


Impromptu IT Risk Assessment Poll

May 25, 2010



Impromptu PCI-DSS Poll

May 14, 2010

More Heat Map Love

May 11, 2010

In my previous post “Heat Map Love” I attempted to illustrate the relationship between plots on a heat map and a loss distribution. In this post I am going to illustrate another method to show the relationship – hopefully in simpler terms.

In the heat map above I have plotted five example risk issues:

I: Application security; cross-site scripting; external facing application(s); actual loss events between 2-10 times a year; low magnitude per event – less than $10,000.

II: Data confidentiality; lost / stolen mobile device or computer; no hard disk encryption; simulated or actual one loss event per year, low to moderate magnitude per event.

III: PCI-DSS Compliance; level 2 Visa merchant; not compliant with numerous PCI-DSS standards; merchant self-reports not being in compliance this year; merchant expects monthly fines of $5,000 for a one year total of $60,000.

IV: Malware outbreak; large malware outbreak (greater than 10% of your protected endpoints); less than once every ten years; magnitude per event could range between $100,000 and $1,000,000; productivity hit, external consulting, etc.

V: Availability; loss of data center; very low frequency; very large magnitude per event.

Since there is a frequency and magnitude of loss associated with each of these issues, we can conceptually associate these issues with a loss distribution (assuming that our loss distribution is normal-like or lognormal).

Step 1: Hold a piece of paper with the heat map looking like the image below:

Step 2: Flip the paper towards you so the heat map looks like image below (flip vertical):


Step 3: Rotate the paper counter-clockwise 90 degrees; it should look like the image below.


For ease of illustration, let’s overlay a lognormal distribution.

What we see is in line with what we discussed in the “Heat Map Love” post:

Risk V – Loss of data center; is driving the tail; very low frequency; very large magnitude.
Risk IV – Malware outbreak; low frequency; but significant or high magnitude.
Risk III – Annual PCI fines from Visa via acquirer / processor; once per year; $60K.
Risk II – Lost or stolen laptop that had confidential information on it; response and notification costs not expected to be significant.
Risk I – Lots of small application security issues; for example cross site scripting; numerous detected and reported instances per year; low cost per event.

There you have it – a less technical way to perform a sniff test on your heat map plots and / or validate against a loss distribution.

Once you have taught everyone how to perform this artwork paper rotation trick, you can have a paper airplane flying contest.
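The same sniff test in code, as an added example that is not part of the original post: the five risk issues are given a loss-event frequency and a per-event magnitude range, each is simulated with a Poisson frequency and a lognormal magnitude (as in parts two and three of the simulation series), and the result shows which plot drives the tail and which the body of the loss distribution. The dollar ranges for risks II and V are assumptions, since the post describes them only qualitatively; the function names are my own.

```python
import math
import random

# Constructed inputs (not from the post): events per year plus a 90% range
# (5th..95th percentile) of dollars per event; II and V ranges are assumed.
RISKS = {
    "I":   (6.0,  1_000,     10_000),      # XSS: 2-10 events/yr, < $10K each
    "II":  (1.0,  10_000,    100_000),     # lost device (range assumed)
    "III": (1.0,  60_000,    60_000),      # PCI fines: fixed $60K per year
    "IV":  (0.1,  100_000,   1_000_000),   # malware outbreak, < 1 per 10 yrs
    "V":   (0.01, 5_000_000, 50_000_000),  # data center loss (range assumed)
}

def lognormal_params(low, high):
    """(mu, sigma) of the normal under a lognormal with 5th/95th pct = low/high."""
    if low == high:
        return math.log(low), 0.0          # degenerate range: fixed amount
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)
    return mu, sigma

def poisson(lam, rng):
    """Event count for one year drawn from Poisson(lam) (Knuth's algorithm)."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k, p = k + 1, p * rng.random()
    return k

def simulate(risks, iterations=20_000, seed=1):
    """Monte Carlo: per year and risk, Poisson count of lognormal losses."""
    rng = random.Random(seed)
    params = {n: (f, *lognormal_params(lo, hi)) for n, (f, lo, hi) in risks.items()}
    out = {n: [] for n in risks}
    for _ in range(iterations):
        for n, (freq, mu, sigma) in params.items():
            events = poisson(freq, rng)
            out[n].append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return out

def expected_annual_loss(sim):
    return {n: sum(losses) / len(losses) for n, losses in sim.items()}

def tail_driver(sim, quantile=0.99):
    """Risk contributing the most loss in the worst (1 - quantile) of years."""
    years = len(next(iter(sim.values())))
    totals = [sum(sim[n][i] for n in sim) for i in range(years)]
    cutoff = sorted(totals)[int(quantile * years)]
    tail = [i for i, t in enumerate(totals) if t >= cutoff]
    share = {n: sum(sim[n][i] for i in tail) for n in sim}
    return max(share, key=share.get)
```

Run `tail_driver(simulate(RISKS))` and it returns "V", matching the rotated heat map: the data center loss sits in the tail, while risk I's many small events contribute far less per year despite being the most frequent plot.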

