Working With External Data (Part 1 of X)

November 21, 2009

In early October I began reviewing three external data repositories containing “loss event” data. I think it is important to state that what you are about to read is the result of me being guided by a real risk modeler at the company I work for. Modelers are very methodical, consistent, and have high expectations of quality – sort of like engineers. I understand information security, he understands modeling. I get to do the mundane work – he gets to build the mathematical relationships and distributions. No matter what though – I have to be able to explain everything in the model as well as maintain it moving forward. Thus, in this series, I want to share some observations and lessons I learned from the “gathering external data” exercise.

Really understand what you are looking to get from the data.
It is too easy to jump into these data sets, perform some simple statistical calculations and then communicate outrageous findings to an audience. For my employer’s purposes, we wanted to use “some” of this external data in a loss model: specifically, to help establish a distribution of the possible number of records that could be lost, and of the potential loss magnitude per event, in various types of security incidents. (Notice I said possible, not probable.) The reality is that most companies do not have dozens, let alone hundreds, of loss events of their own, so they cannot develop loss models without using external data. One of the benefits of using external data in a loss model is that it can really help you understand worst-case loss magnitude, also known as “tail risk”; internal data will tend to influence the mean of the loss model more than its tail. For two of the data sources – dataloss.org and privacyrights.org – the number of records lost was the key data point. For the third, non-public data consortium source, the cost of security-related events (not necessarily data loss events) was the most useful. Below are some considerations for narrowing the data points in a data set from all to “some”.

a.    Time. Technology and the regulatory landscape change quickly. Thus, it is preferable to limit data points to a period in which a minimum level of technology can be assumed and a consistent set of regulatory / industry standard requirements was in force. For our purposes, we only chose data points dating back to 2005. This time range will vary from model to model, person to person, company to company and industry to industry.

Note 1: One record in the dataloss.org set goes back to 1903. Seriously.

Note 2: In the dataloss.org data set dated 9/30/2009 there were 2013 data points. Using only records from 2005 through 9/30/2009 reduced the set to 1945.

b.    Good Fit. Not all data points are a good fit for your analysis. Security control expectations vary from industry to industry, so you need a way of methodically reviewing data points to determine which are a good fit. Below are just a few considerations:

i.    Industry. Most data sets are not industry specific, so they contain data points spanning all kinds of industries. The transportation industry has a different value proposition than the financial services industry. So, depending on your model, points outside your industry may not be relevant.

ii.    Service or Value Proposition. Somewhat related to industry, but some services and value propositions are shared between industries. I think of health care insurance and property and casualty insurance: both industries have to protect confidential information. This does not mean that if I am in the financial services industry I would include ALL healthcare industry data points; it just means that I am acknowledging there is a shared value proposition and that some data points, depending on the loss form, can be used for my purposes.

iii.    Loss Form Categories. When I talk about loss form categories, I am referring mostly to the Basel II operational risk event categories (Level 1): “Internal Fraud”, “External Fraud”, “Employment Practices and Workplace Safety”, “Clients, Products & Business Practices”, “Damage to Physical Assets”, “Business Disruption and System Failures” and “Execution, Delivery & Process Management”. Most data loss events will map to only a few of these categories, and in some instances these categories may not even be applicable to your needs, your company or your industry. But classifying each data point into one of these categories, or into another category framework more relevant to your company / industry, allows you to refine your data set in a methodical and unbiased manner.

Note 3: After applying my good fit criteria, the total number of dataloss.org data points I am using for my model has been reduced from 1945 (note 2 above) down to 84.

Note 4: Of those 84 data points: 9 data points were categorized as “Internal Fraud”, 37 were categorized as “External Fraud” and 38 were categorized as “Execution, Delivery, and Process Management”.

c.    Duplicate Records. When you are using multiple data sets, you have to assume there is duplication of data points between them. This was definitely the case for the dataloss.org and privacyrights.org data sets. To compound matters, expect that for a certain percentage of duplicate data points the details will differ. This is not a big deal; just understand that you will have duplicate data points and will have to choose one of them.

Note 5: There could be some duplicates where the variance in details is so wide, and there is neither the time nor a valid source to determine which one is more accurate, that you could throw them both out.

d.    Consistency. You have to be consistent in your approach to reviewing data points. Distributing the work among numerous people can be problematic if they are not all properly aligned on the goals of what you are doing and properly calibrated on determining whether a data point meets the criteria for inclusion.
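The four lenses above (time window, good fit, duplicate handling, and doing it the same way for every row) are mechanical enough to script, and scripting them is also the easiest way to stay consistent across reviewers. The Python below is an added example and is not the author’s tooling; the column names, the in-scope industries, the breach-type-to-Basel mapping and the sample rows are all assumptions made up for the illustration, not the real dataloss.org or privacyrights.org exports. It applies the time window, the fit criteria, then a cross-source duplicate pass that keeps the higher-priority copy when the two rows roughly agree and throws both out when the record counts disagree too widely (Note 5).

```python
import re
from datetime import date

# Selection criteria: the "time" and "good fit" lenses from the post.
WINDOW_START, WINDOW_END = date(2005, 1, 1), date(2009, 9, 30)
IN_SCOPE_INDUSTRIES = {"finance", "insurance", "healthcare"}   # assumed shared value proposition
IN_SCOPE_CATEGORIES = {"Internal Fraud", "External Fraud",
                       "Execution, Delivery & Process Management"}

# Assumed mapping from a data set's breach-type label to a Basel II Level 1 category.
BASEL_MAP = {
    "insider": "Internal Fraud",
    "hack": "External Fraud",
    "stolen_laptop": "Execution, Delivery & Process Management",
    "disposal": "Execution, Delivery & Process Management",
    "fire": "Damage to Physical Assets",
}
SOURCE_PRIORITY = ["dataloss", "privacyrights"]   # which copy to keep when two sources agree


def R(source, y, m, d, org, industry, breach_type, records):
    """Build one row in a simplified common schema (the real exports use other column names)."""
    return {"source": source, "date": date(y, m, d), "org": org,
            "industry": industry, "breach_type": breach_type, "records": records}


# Constructed sample rows, not real data set contents.
ROWS = [
    R("dataloss", 1903, 6, 1, "Old Ledger Co", "finance", "disposal", 50),
    R("dataloss", 2006, 3, 14, "Acme Bank", "finance", "hack", 120_000),
    R("privacyrights", 2006, 3, 15, "ACME Bank, N.A.", "finance", "hack", 125_000),
    R("dataloss", 2008, 9, 2, "Metro Transit", "transportation", "stolen_laptop", 9_000),
    R("privacyrights", 2007, 11, 20, "Sunrise Health Plan", "healthcare", "insider", 30_000),
    R("dataloss", 2007, 1, 9, "Harbor Insurance", "insurance", "fire", 4_000),
    R("dataloss", 2008, 5, 5, "Harbor Insurance", "insurance", "stolen_laptop", 3_000),
    R("privacyrights", 2008, 5, 6, "Harbor Insurance Inc.", "insurance", "stolen_laptop", 45_000),
    R("privacyrights", 2009, 10, 15, "Acme Bank", "finance", "hack", 2_000),
]


def basel_category(row):
    return BASEL_MAP.get(row["breach_type"])


def in_window(row):
    return WINDOW_START <= row["date"] <= WINDOW_END


def good_fit(row):
    return (row["industry"] in IN_SCOPE_INDUSTRIES
            and basel_category(row) in IN_SCOPE_CATEGORIES)


def normalize_org(name):
    """Lower-case, strip punctuation and corporate suffixes so 'ACME Bank, N.A.' matches 'Acme Bank'."""
    cleaned = re.sub(r"[^a-z0-9\s]", "", name.lower())
    return " ".join(w for w in cleaned.split() if w not in {"inc", "corp", "co", "na", "llc", "the"})


def same_event(a, b, day_tolerance=7):
    """Same organization and dates within a few days: treat as one incident."""
    return (normalize_org(a["org"]) == normalize_org(b["org"])
            and abs((a["date"] - b["date"]).days) <= day_tolerance)


def dedupe(rows, ratio_tolerance=2.0):
    """Collapse cross-source duplicates; drop both copies when record counts disagree too widely."""
    ordered = sorted(rows, key=lambda r: (SOURCE_PRIORITY.index(r["source"]), r["date"]))
    kept, dropped = [], []
    for row in ordered:
        match = next((k for k in kept if same_event(k, row)), None)
        if match is None:
            kept.append(row)
            continue
        hi = max(match["records"], row["records"])
        lo = min(match["records"], row["records"])
        if lo == 0 or hi / lo > ratio_tolerance:
            kept.remove(match)           # no way to tell which copy is right: discard both (Note 5)
            dropped.extend([match, row])
        else:
            dropped.append(row)          # details agree closely enough: keep the priority copy
    return kept, dropped


def select_points(rows):
    """Apply the lenses in order and record how many points survive each one."""
    stages = {"all": len(rows)}
    rows = [r for r in rows if in_window(r)]
    stages["in_window"] = len(rows)
    rows = [r for r in rows if good_fit(r)]
    stages["good_fit"] = len(rows)
    rows, _ = dedupe(rows)
    stages["deduped"] = len(rows)
    return rows, stages


def category_counts(rows):
    """Breakdown by Basel category, the way Note 4 reports it."""
    counts = {}
    for r in rows:
        counts[basel_category(r)] = counts.get(basel_category(r), 0) + 1
    return counts


if __name__ == "__main__":
    kept, stages = select_points(ROWS)
    print(stages)                 # {'all': 9, 'in_window': 7, 'good_fit': 5, 'deduped': 2}
    print(category_counts(kept))  # {'External Fraud': 1, 'Internal Fraud': 1}
```

The `stages` dictionary is the equivalent of Notes 2 through 4: it lets you show exactly how many rows each lens removed, which is the first thing a skeptical audience asks. The matching rule in `same_event` is deliberately loose (name plus a date window) because the two sources rarely agree on the exact date; tighten or loosen `day_tolerance` and `ratio_tolerance` to taste, but record the values you used so the selection can be reproduced.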

In the next post, I will focus more on “right-sizing” data points. In other words, adjusting data points to be commensurate with your particular company.

Note 6: Please do not take any of my remarks about dataloss.org or privacyrights.org having errors as an attack on the fine folks who maintain those data sets. My intent in raising these points is about taking personal responsibility for knowing the data points you are deriving information from. It is too easy for our business partners, and even others in the security industry, to raise the “garbage in, garbage out” argument when trying to understand risk or loss models.


Risk / Threat vs. Risk Issue

October 26, 2009

(Image: risk_risk_issue_091026, the risk vs. risk issue diagram referred to below)

***
Up front props:
1.    In the “risk universe” square, I used the “evolving change categorizations” from a Joshua Corman blog post found here.
2.    I heard the term “risk ecosystem” from Microsoft’s Mark Curphey in a video related to a risk repository web app they recently released called “Risk Tracker” (either here or here). I found the term to be valuable in the context of this blog post.
3.    The approach to the image above was not solely mine, I just embellished and sanitized on someone’s idea here at my employer.
***
Some terminology declarations:

I am using the word risk in a variety of capacities in this post.

In some cases, it is being used in the context of a threat (storm heading in my direction).

In other cases it is being used in the context of a derived value: the probable magnitude and frequency of loss, in dollars.

I am using the term “risk issue” or “risk finding” to mean a documented risk that requires a decision from management to either assume or mitigate.

Finally, in the database symbol titled “Risk Rep.” – that is short for “risk repository”.
***

I have recently been in a few conversations related to when a “risk” (or threat) becomes a “risk issue”. Most of these conversations have been with information security risk management executives, which implies “philosophizing”, evangelizing, white boarding, and of course excessive use of non-risk-management analogies to reflect risk management concepts. In the end, these conversations turned out to be valuable because they forced the group to really understand when a risk (threat) becomes a risk issue in our environment. In other words, what are the various lenses through which we analyze threats or risk to determine that we need to document a risk finding?

I will let you noodle the image and underlying concept on your own. However, below are a few parting points I would like to make.

1.    There is a difference between grandstanding on risks (threats) that pose no threat to your company versus managing risk issues within your own risk ecosystem. Think “solar storm heading directly to Mars” versus “a storm cell that is 10 miles away with 65 mile per hour winds headed directly towards us”.

2.    If a risk (threat) is important enough to grandstand on AND to begin mitigating – then it is no longer a risk, but a risk issue – and should be managed as such.

3.    Emerging risks – or threats – somewhat fall in between the two above. You may want to let management know about some potential exposure – but there is nothing that needs to be addressed today.

Feel free to share any thoughts you have!


Catching My Breath

October 22, 2009

Happy Birthday Mom!

My previous post was in early August (2009), a two-post series on reputation risk. Since then, my professional and personal life has been pretty busy. Here is a quick update that will hopefully set some context for some upcoming (and hopefully more meaningful) posts between now and the end of the year.

No More PCI. OK, not 100% true – but let me explain. From about June 2008 until September 2009 I helped lead a large information technology program (an enterprise-level program containing numerous projects) to enhance some payment transaction applications as well as to better manage compliance with the PCI DSS standard. Helping lead this program was truly one of the highlights of my information security / risk management career. It is not often in a big company that you get to be dedicated to a program for so long, as well as dive so deep to ensure that the solution being developed is not only compliant but also secure. I transitioned away from the PCI program in early September to help lead some information risk management capability projects. I am still doing some ad-hoc / historical-knowledge PCI consulting here and there, but for the most part I am not focused on PCI – and I am enjoying it.

So what am I doing now?

There are three efforts I am primarily working on.

Risk Quantification Methodology. Around April / May of 2008, I wrote a small proposal to our security leadership about transitioning from qualitative risk assessments to quantitative risk assessments. In late Q3 of 2008 I was given the green light to lead a proof of concept of what I had proposed earlier in 2008 – in my “spare time” when not dealing with PCI stuff. The proof of concept extended into early 2009. In late Q1 2009, I presented the POC findings to security leadership and shortly thereafter a decision was made to transition to quantitative risk assessments. Since I was still primarily working on the PCI-related program, the risk quantification strategy was put on hold. Fast forward to September and now I have time to implement the risk quantification methodology and all the goodness that comes with it (training, process changes, reporting, awareness, oversight, etc.). The goal is to have the methodology implemented in 2009 and focus on the related deliverables of reporting and oversight in 2010.

Risk Optimization Decision Model. This is really exciting and also dates back to Q4 of 2008. At a very high level, I am working with a wicked smart data modeler to help build what I will refer to as a risk optimization model. The main purpose of the model is to aid decision making for information security (risk-related) funding decisions. An example of its use: a company has a lot of risk associated with “external fraud” and “internal fraud” (for example, around access control / authorization). The company has a loss model serving as a baseline. The company wants to invest $x in a mitigation control that it expects to reduce loss frequency for “internal fraud” by 2% and “external fraud” by 10%. Based on the expected loss frequency reduction, what is the difference between the baseline loss model and the new loss model? Is there a risk reduction? If so, is the cost of the mitigation control a sound investment based on that risk reduction? I think there will be some interesting posts coming up related to this effort.
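The scenario in that paragraph can be worked through end to end with a small compound-loss model. The Python below is an added illustration, not the author’s or the modeler’s model: the loss-form categories, the Poisson event frequencies, the lognormal per-event loss magnitudes and the annual control cost are all assumed numbers chosen for the example. It computes the baseline expected annual loss, applies the 2% / 10% frequency reductions from the post’s scenario, reports the risk reduction against the control’s cost, and runs a short Monte Carlo so the 95th-percentile year (the tail) can be compared as well as the mean.

```python
import math
import random

# Constructed baseline loss model, one entry per Basel II loss-form category.
#   freq        = expected loss events per year (Poisson mean)
#   median_loss = median loss per event, in dollars (lognormal)
#   sigma       = lognormal shape; larger sigma means a fatter tail
BASELINE = {
    "Internal Fraud": {"freq": 4.0, "median_loss": 40_000.0, "sigma": 1.0},
    "External Fraud": {"freq": 30.0, "median_loss": 8_000.0, "sigma": 1.2},
}
# The control in the post's scenario cuts loss *frequency* by 2% and 10%.
FREQUENCY_REDUCTION = {"Internal Fraud": 0.02, "External Fraud": 0.10}
ANNUAL_CONTROL_COST = 40_000.0   # assumed annualized cost of the control


def mean_loss_per_event(cat):
    """Lognormal mean from median m and shape s: m * exp(s^2 / 2)."""
    return cat["median_loss"] * math.exp(cat["sigma"] ** 2 / 2)


def expected_annual_loss(model):
    """Closed form: sum over categories of E[events] * E[loss per event]."""
    return sum(c["freq"] * mean_loss_per_event(c) for c in model.values())


def apply_mitigation(model, reductions):
    """New model with each category's frequency scaled down; magnitude is untouched."""
    return {name: dict(cat, freq=cat["freq"] * (1.0 - reductions.get(name, 0.0)))
            for name, cat in model.items()}


def poisson(rng, lam):
    """Knuth's sampler; adequate for the small means used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(model, years=10_000, seed=7):
    """Monte Carlo total loss per simulated year, so the tail can be read off, not just the mean."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for cat in model.values():
            for _ in range(poisson(rng, cat["freq"])):
                total += rng.lognormvariate(math.log(cat["median_loss"]), cat["sigma"])
        totals.append(total)
    return totals


def percentile(values, q):
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def compare(model, reductions, control_cost, years=10_000, seed=7):
    """Baseline vs. mitigated loss model, and whether the control pays for itself."""
    mitigated = apply_mitigation(model, reductions)
    base_eal = expected_annual_loss(model)
    mit_eal = expected_annual_loss(mitigated)
    base_sim = simulate_annual_losses(model, years, seed)
    mit_sim = simulate_annual_losses(mitigated, years, seed)
    reduction = base_eal - mit_eal
    return {
        "baseline_eal": base_eal,
        "mitigated_eal": mit_eal,
        "annual_risk_reduction": reduction,
        "baseline_p95": percentile(base_sim, 0.95),
        "mitigated_p95": percentile(mit_sim, 0.95),
        "net_annual_benefit": reduction - control_cost,
        "worth_it": reduction > control_cost,
    }


if __name__ == "__main__":
    for key, value in compare(BASELINE, FREQUENCY_REDUCTION, ANNUAL_CONTROL_COST).items():
        print(f"{key:>22}: {value:,.0f}" if isinstance(value, float) else f"{key:>22}: {value}")
```

With these assumed inputs the baseline expected annual loss is about $757k, the control brings it to about $702k, and the roughly $54.6k annual reduction clears the assumed $40k cost. The mean-reduction half of the question has a closed form because a frequency cut scales expected loss linearly; the simulation is there for the percentiles, which is where the external-data “tail risk” discussion from the earlier post comes in. Swap in your own frequency and magnitude distributions (those are the hard part, and the point of gathering the external data) and the comparison logic stays the same.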

Risk Alignment. Around April of 2009, I was asked to represent the information risk management group (job family at my employer) in a working group with other risk assessment groups in our enterprise (Internal Audits, Financial Reporting Controls, SEC / FINRA, Privacy and Legal). I consider it a huge privilege and an even bigger growth opportunity. We have all heard of integrated operational risk management – and this working group is the epitome of that. Since my involvement with this working group, I have learned so much more about the company I work for as well as how other risk assessment programs assess and manage risk. The goal is alignment across risk assessment programs. Does that mean that every program assesses and manages exactly the same way – of course not. But there are opportunities to align on vernacular, risk concepts, risk categories, and in some cases risk repositories. I anticipate publishing a few blog posts that have been heavily influenced by my involvement with this alignment working group.

Finally, below are some books I have read since I took my vacation in late July. These books have nothing to do with IT or Information Security Risk Management whatsoever.

Crossfire by Andy McNab – Body guarding a TV crew on the streets of war-torn Basra, ex-deniable operator Nick Stone’s life is saved by a reporter’s swift action as a roadside bomb explodes. When the man later vanishes, Stone is asked to find him. The trail leads from Iraq to Bermuda, London and Kabul, the dark and brutal city where governments, terrorism and big business inexorably collide. Caught in the crossfire, his nightmare is only just beginning, for the hunter has suddenly become the hunted. . .

Brute Force by Andy McNab – Days after his car erupts in a ball of flame, Nick Stone narrowly cheats death a second time when a gunman opens fire on him from the back of a motorcycle. Who knows his movements? Who wants him dead, and why? Stone’s only chance of survival is to carry the fight to his attackers – but first he must uncover a trail of clues that leads from his own dark and complex past into the heart of a chilling conspiracy that threatens us all…Nick Stone’s eleventh adventure is McNab at his explosive best.

The Last Templar by Raymond Khoury – The war between the Catholic Church and the Gnostic insurgency drags on in this ponderous Da Vinci Code knockoff. The latest skirmish erupts when horsemen dressed as knights raid New York’s Metropolitan Museum of Art, lopping off heads and firing Uzis as they go. Their trail leads FBI agent Sean Ryan and fetching archeologist Tess Chaykin to the medieval crusading order of the Knights Templars. Anachronistic Gnostic champions of feminism and tolerance against Roman hierarchy and obscurantism, the Templars, they learn, discovered proof that Catholic dogma is a “hoax” and were planning to use it to unite all religions under a rationalist creed that would usher in world peace.

Moscow Rules by Daniel Silva – The death of a journalist leads Israeli spy Gabriel Allon to Russia, where he finds that, in terms of spycraft, even he has something to learn if he wants to prevent a former KGB colonel from delivering Russia’s most sophisticated weapons to al-Qaeda.

The Defector by Daniel Silva – Six months after the dramatic conclusion of Moscow Rules, Gabriel has returned to the tan hills of Umbria to resume his honeymoon with his new wife, Chiara, and restore a seventeenth-century altarpiece for the Vatican. But his idyllic world is once again thrown into turmoil with shocking news from London. The defector and former Russian intelligence officer Grigori Bulganov, who saved Gabriel’s life in Moscow, has vanished without a trace. British intelligence is sure he was a double agent all along, but Gabriel knows better. He also knows he made a promise. “If an injury has to be done to a man it should be so severe that his vengeance need not be feared.”


Reputation Risk: Some Additional Thoughts

August 8, 2009


This is a follow-up post to the two part Richard Levick “reputation risk” series. The related posts are here: part 1, part 2, and some additional thoughts from Richard.

Below are my thoughts regarding some information and advice that Richard shared with us.

3.    What are the key components of a reputation?
Levick: … So the first rule is “Understand your reputation.”… If you don’t understand it, you can’t protect it.

This sounds like an absolute no-brainer statement, but I cannot underscore enough how important this is for information security practitioners, especially those performing risk assessments. I have stated it elsewhere on my blog: we are in a unique position to truly bridge the IT and business divide. Providing relevant business context to our leaders for the issues we want them to care about and respond to is value for them and the company as a whole. In addition, this is more than just knowing buzzwords and when to drop them. We need to present ourselves as an authoritative reputation stakeholder when we talk about reputation risk to our managers and business leaders.

4.    How can reputation be impacted when there are IT security incidents?
Levick: … The issue is how the company behaves once a data breach is discovered….

So much can be written about this part of Richard’s answer; but let’s talk about this in the context of security controls. Generally speaking, there are three categories of security controls: preventive, detective, and response. So when it comes to reputation risk, I immediately try to consider what response controls my company has at its disposal to respond to a security incident that has the potential to be known outside our company.

There are two response controls that immediately come to mind (they could be called various things):

Communications Plan: Does your company have a communications plan? Does the communication plan take into account data loss or network breach scenarios? The questions are numerous….

Event Management Plan: Does your company or information security organization have an event management plan? How thorough is it? Does it tie into your communication plan? Do the right players in your company have a role in the event management plan? Again, a lot of things to consider.

Bottom line: the effectiveness of the response controls listed above can significantly affect the magnitude of reputation risk. How and what is being communicated may be beyond your control, but I would challenge you to review these plans for yourself so that when you estimate or articulate reputation risk you are doing so with conviction and some level of confidence.

Finally, not everyone reading this may work for a large company that has a robust event management plan or a communications plan, let alone any plans at all. My advice: initiate the conversation and see where it takes you or your management!

***

Something I heard while serving in the U.S. Marine Corps that has proved so valuable over the years is this: it is better to be tried by twelve than carried by six. Meaning, when faced with an opportunity to make a decision, escalate a situation, share information, or ask questions, it is better to do so NOW and face ridicule / judgment than to do nothing at all. Take it for what it is worth…

***

5.    Can reputation be measured or quantified in units of dollars?

I agree that precisely measuring reputation in dollars is challenging at best, but you can still perform some level of measurement. Generally speaking, reputation risk comes into play as a secondary loss form, meaning that certain incident information is known outside the company by someone who can be considered a stakeholder of the company (consumer, customer, government, etc.). A security incident could result in loss of customers, decreased sales, fines and judgments, class action lawsuits, negative publicity, etc., most of which can be tied back to dollar values and associated with reputation risk. Even if you disagree with this approach, if you are dealing with risk issues where reputation risk is a legitimate loss form, you can articulate that reputation risk is a contributing factor to the overall loss magnitude. Finally, I would caution against using reputation risk as the FUD stick that Jack Jones mentions in a comment on post 2; but make sure your audience understands that you think reputation is an important part of the overall exposure, and document it as well.

I hope you enjoyed the series. Have a splendid day!


Reputation Risk Q&A – Richard Levick (2 of 2)

August 6, 2009


This is part two of a reputation risk Q&A with Mr. Richard Levick; President and CEO of Levick Strategic Communications in Washington, DC.

Part one can be found here.

6. In your opinion, how do you distinguish between worst-case reputation loss versus expected reputation loss?

Richard Levick: One word – experience. That’s how you anticipate what’s coming next and prevent the worst-case scenario from coming to fruition. It’s all about staying one step ahead.

Today, the period of time between the gating event that alerts you to a brand crisis and the bet-the-company moment is increasingly indistinguishable. When video of two Domino’s employees defiling customers’ food was posted to YouTube earlier this year, one million people – a number greater than those who subscribe to The New York Times or The Wall Street Journal – had viewed it within the first 48 hours. What that tells us is that crises now move faster than ever before and that companies have to be ready to act at a moment’s notice. That means preventing and responding to reputational risks and crises needs to be in the DNA. You don’t get that by accident. Or maybe you do, but at a terribly high price.

To do it right and prepare ahead of time means knowing what regulators, Congress, or state attorneys general are going to do next. It means anticipating the next moves of the plaintiffs’ bar. It means monitoring the blogosphere and other social and digital media for intelligence as to where the traditional media may soon be heading. It means identifying likely company risks now and extrapolating what this means in terms of Search Engine Optimization, High Authority Bloggers, and social media. If you are reading this last sentence and don’t understand what I mean, your company is at far greater risk than you think.

To get started, build a relationship with crisis managers now – before you need them – so that you can build the trust that fast action demands. In crisis, you’ve got to see how the dominos – no pun intended – are lined up and know how they’re going to fall. It’s the only way to keep up with a news cycle that is now measured in minutes, not hours.

7. What are the key controls an information security risk analyst should take into consideration when assessing reputation loss impact (or magnitude)?

Richard Levick: With virtually every traditional journalist now regularly reading blogs for story ideas, careful monitoring of the blogosphere provides invaluable intelligence as to the scope of the reputational damage that may result from an IT security breach.

That means knowing the high-authority bloggers – those with the greatest influence over perceptions – that cover your industry. And it also means being ready to engage them should a data breach occur. By bringing bloggers into the fold, companies allow themselves an opportunity to shape the narrative before it influences the traditional commentary to follow – and thus limit the reputational damage potential at play.

8. Do you have any tips for effectively communicating reputation risk to middle management and executive leadership?

Richard Levick: In today’s media environment, the C-Suite has to know that everything it does – or chooses not to do – can potentially impact the corporate brand. That means always thinking like your consumers, investors, regulators, and stakeholders that run the gamut – and taking their perceptions into consideration whenever a decision that could potentially impact these audiences is made.

I think middle managers need to own issues like understanding who the High Authority Bloggers are and having personal relationships; anticipating risks and knowing who controls those terms on the search engines; tracking YouTube, Twitter, and other sites for signs of consumer or stockholder dissatisfaction or industry unrest; and recommending instant positive intervention. Middle managers need to think differently. Today is a good day to start.

9. Do you have a favorite reputation risk engagement that you are willing to share (regardless of outcome)?

Richard Levick: I often look back to what Hasbro did during the 2007 lead-paint scare because it demonstrates how a crisis can be transformed into opportunity if a company articulates leadership in solving the problems at hand.

While Hasbro did not initiate a single recall during the lead paint crisis, the company recognized that its entire industry was under siege. Inaction could have led to guilt by association in the Court of Public Opinion. More important, remaining on the sidelines could have allowed a significant opportunity to differentiate itself from the competition to slip by.

So, rather than sit back and let the competition take the heat, Hasbro stepped up by implementing a “Total Safety Program” and making the initiative a central element of its traditional and online marketing strategies. As a result, the company became the “gold standard” around which all of its competitors were forced to rally. Though it wasn’t directly impacted by the crisis, Hasbro took action to abate it. As a result, its October 2007 earnings jumped 64 percent from the previous year.

10. Are there any good sources of information you can recommend for learning more about this subject?

Richard Levick: I would point to four such resources maintained by my firm…

Levick Strategic Communications’ Bulletproof Blog™ (www.bulletproofblog.com)…

Our e-newsletter, High Stakes™ (http://www.levick.com/resources/highstakes/)…

Our Crisis Communications Desk Reference (http://www.levick.com/crisis_communications_desktop_reference/)…

And our book, Stop The Presses (http://www.levick.com/resources/books/stop_the_presses/).

Also, I would encourage your readers to keep an eye out for our next book, on leadership during crisis in the digital age, which will be coming out in early 2010.

***

I intend on posting some of my thoughts on Richard’s answers in an upcoming post. I hope you found Mr. Levick’s perspective to be as useful and intriguing as I do. Regardless, thank you Richard for participating in this effort; I look forward to continued interactions.


Reputation Risk Q&A – Richard Levick (1 of 2)

August 5, 2009


This past April I had an opportunity to cross paths with a public relations business called Levick Strategic Communications (Levick) and its company leaders. A couple of things stood out to me about Levick that led up to this blog post.

1.    Reputation Risk. While I do not consider myself a public relations industry expert, I have had enough exposure to the industry to understand that Levick’s subject matter expertise on brand and reputation risk is a significant differentiator compared to larger public relations shops and most of the professional consulting firms. In addition, given their location in Washington DC, you can have a high level of confidence in assuming that Levick is dealing with companies and news events that we hear, see or read about on a daily basis.

2.    Informative Blog. I really like Levick’s blog called “BulletProof”. The blog posts are informative, short, and relevant. Granted, they may not be information security or infosec risk management related – but most of the posts can be associated with the loss form we characterize as “reputation risk”.

It is truly my professional and personal pleasure to introduce to the readers of this blog, Mr. Richard Levick, the CEO of Levick Strategic Communications. Mr. Levick has agreed to answer some questions I prepared about reputation risk. The intent of this blog post is to bring some clarity to what reputation risk is and for Mr. Levick to offer some practical feedback that we as information security professionals can consume and apply in our daily activities.

Thank you Mr. Levick for agreeing to participate in this question and answer blog post.

Note: Mr. Levick’s answers to my questions were provided on July 14th, 2009. Ten questions were posed to Mr. Levick. The questions and answers will be split between this blog post and an additional post in the coming days.

1. What led you to participate in this blog post?

Richard Levick: Simply put, blogs are news. People are looking in the windshield for the day that digital media overtake traditional media when they should be looking in the rear-view mirror. Just a few weeks back, Zogby released a poll that shows the Internet has overtaken television, newspapers, and radio not only in terms of relevance; but reliability. Let me reiterate how critical that is: The Internet is where we go for truth. In a world where digital news sources are more widely read and more widely trusted, you’ve got to treat blogs with the same respect you would show The Washington Post, The New York Times, or The Wall Street Journal. Today, digital media is media.

2. What is reputation risk?

Richard Levick: Reputation risk is one of two things. It is either the ways in which internal or external forces are negatively impacting your brand right now or how they will. What are today’s risks? What are our likely future risks?

Today, companies are operating in a reputational perfect storm. First, the new President and Congress are clearly intent on regulating where they feel the past Administration and Congress have been lax. Sarbanes-Oxley represents the first half of the equation – transparency. Today, we are living through the more painful second half of the equation – accountability. Second, the explosion of digital media has created a world in which there are virtually no secrets. Speed has been redefined to moments, not news cycles. Third, the plaintiff’s bar, mommy bloggers (articulate and empowered consumers), and even regulators are a full Internet generation ahead of companies facing crisis.

Bottom line: companies must immediately stop and rethink the way they think about their brand, their reputation, risk, and crisis. The cheese has moved. What got you here won’t get you through tomorrow.

3. What are the key components of a reputation?

Richard Levick: That’s a great question – because it’s where most board members, CEOs, and corporate communications professionals most often make mistakes in crisis. Too often companies think that the key component of reputation is how they view their brand when it is actually how the brand is perceived by the company’s target audiences. You’ve got to take a Buddhist approach to reputation management; seek first to understand, and then be understood.

Too often, companies in crisis do the reverse; seeking to explain rather than focusing on what audiences want to hear – what you’re doing to solve the problems at hand, and what you’re doing to ensure that similar problems never arise again.

Let’s take the recent Washington Post crisis where they attempted to sell access. It is something other magazines in the Nation’s Capital can do because they are not the Washington Post. The Post’s reputation, their brand, is as the “investigative newspaper.” They birthed the modern age of investigative journalism with their brilliant coverage of Watergate. They can’t now be offering access to the highest bidder, no matter what the pressures of the Internet Age are. It violates their brand. So the first rule is “Understand your reputation.” It sounds so simple, but it’s not. GM forgot. Yahoo forgot. If you don’t understand it, you can’t protect it.

And then there is Wall Street. Too many very smart, very talented Wall Street executives and corporate communications professionals still think the problem is about communicating to their fraternity. But risk and crisis change your audience. You have to think differently about what you say, to whom, and how. We have seen time and time again that Wall Street, Detroit, and many marvelous brands are still thinking in terms of the traditional media paradigm and not the digital media paradigm. Talk about fighting the last war. So the second rule of protecting your reputation is to look forward, not backward.

4. How can reputation be impacted when there are IT security incidents?

Richard Levick: Data loss and theft is the issue du jour in the 21st Century marketplace, pitting privacy and commerce interests tête-à-tête. We all want the ease of commerce that the Internet provides, but are we willing to open up to the transparency it requires?

As a company that has handled many of the data loss cases, including, to date, the largest data loss in world history, we’ve seen time and again how reputations can be adversely impacted when the response isn’t adequate, or how they can be advanced when companies run to the light.

Companies must remember that the key issue isn’t that you’ve lost the data – stakeholders understand that they’ve traded an expectation of total privacy for the conveniences of the Digital Age. The issue is how the company behaves once a data breach is discovered. Did it demonstrate transparency by acting fast to notify the authorities and inform affected consumers of their precise exposures? Did it demonstrate accountability by addressing the problems that allowed a data loss to occur? If it hasn’t already, will it be implementing best security practices that limit the chances a data loss will ever occur again?

These are the issues at the heart of reputation management during an IT security incident because if they are handled well, they show concern for, commitment to, and action on behalf of those whose privacy may have been compromised. If they are handled poorly, brand credibility and trust suffer – and that’s a recipe for disaster in an e-commerce environment where trust trumps everything else.

5. Can reputation be measured or quantified in units of dollars?

Richard Levick: I think that is pretty tough to do. People can try, and I suspect a fluctuation in stock price can be one measure, as can value – but I think the true answer is ultimately no, and therein lies the problem. Inside and outside counsel can articulate likely exposures and potential associated costs. Investor Relations professionals can certainly identify market risks. Compliance officers can estimate the costs of non-compliance. And the list goes on. But can anyone really articulate the potential cost of loss of reputation? I think the end result, too often in a crisis, is that very smart counselors save the arm but lose the patient.

Relatively speaking, it’s easy to quantify the legal exposure, losses in market share or stock price, or even declines in employee morale that can result from a particular corrective action during crisis. So when a CEO finds him or herself at the moment of truth, analysis paralysis usually sets in because there’s no concrete way to quantify the ways in which a particular corrective action – taken to strengthen brand reputation when it matters most – will positively impact the bottom line.

That’s why it’s so vitally important for the board to mandate courage in crisis situations. When the CEO is inundated with countless reasons not to act, he or she must have the freedom to look at all the risks at play and then decide which risks are acceptable in order to protect and preserve the brand.

I always look back to the marquee case study in crisis communications – the Tylenol tampering crisis of the early 1980s. Johnson & Johnson held two news conferences a day to keep its audience informed, without regard for the fact that each statement could potentially increase the pool of concerned stakeholders or legal liability. They took a calculated risk. They exercised courage and leadership by pulling all of their over the counter pain medications, not just Tylenol, without ever being asked to by any regulator or concern for stock price. As a result, Johnson & Johnson has enjoyed 30 years of being recognized as one of the top companies in the world and Tylenol is still the top pain-reliever on the market. What CEO wouldn’t trade that for one tough quarter?

Crises demand action. Companies shouldn’t shy away from that fact simply because reputational strength isn’t something that shows up on a balance sheet.

TO BE CONTINUED…


QSA Vendor Selection – Points of Consideration

May 28, 2009

Earlier this year I led a QSA selection activity for a large PCI-related program I am the security lead for. Thanks to an email conversation this morning – with a friend who is crafting a QSA-related RFP – I want to share some points of consideration that I shared with her.

1.    Carefully craft your RFP. Know what you want to get out of the engagement. Thus, when you read the responses – you may be able to quickly separate QSAs that did not take the time to tailor their response (and thus did not understand the engagement as a whole) from those that actually read it, understood your needs and wanted the business. In my case, before we allowed vendors to respond – we had a huge conference call. I allowed all the vendors to ask a few questions. An interesting observation from this call was that after the first four (of 12) vendors asked questions – there were no more questions. I guess they tend to ask the same questions. In addition, I think the conference call scared off some vendors from actually responding. They realized that we understood PCI-DSS and they were not going to be able to sell a shoddy engagement.

2.    Specify your minimum experience expectations for vendor personnel that will be doing the actual work. The PCI SSC outlines minimum requirements. I tend to have higher expectations and have no problem forcing my expectations on vendors. I want a QSA assessor that has between 5-7 years of “information security” – not auditing – experience. In addition, I want someone that has a certification from the Society of Payment Security Professionals. Finally, I want a QSA assessor that has been doing PCI-related assessments / consulting for at least two years. Some QSAs will balk at these experience expectations – but again, it is my engagement and my choice and I will validate that they are meeting my experience expectations.

3.    Request Resumes. Dictate that the QSA vendor provides resumes from the pool of individuals that could be performing the work. There will always be a chance they do a bait and switch on you – that is a different problem.

4.    Interview the person(s) that the vendor foresees performing the engagement. The sales / account manager may also balk at this – which if they do – that should be a red flag. The serious QSA vendors should have no problem doing this. And guess what – if the vendor pulls a bait and switch on you after the work has been awarded – demand that you interview the replacement before the actual work begins. You need to be comfortable with the QSA assessor.

5.    Validate Estimates. Make sure that the estimates the QSA vendor provides are realistic; this is a shared responsibility between the merchant and the QSA vendor. I cannot underscore this enough. Some vendors will low-ball their estimates for the hours needed to make themselves more appealing from a cost perspective or simply to provide a less than complete assessment. Each environment is unique so assessment times will vary. Regardless, have another set of eyes review the estimates to make sure they are fairly realistic. Also, double check the hours needed for documentation. I am a big proponent of having ample documentation time. However, when vendors abuse the use of templates and do not take the time to do real, comprehensive documentation – that makes me really upset. This is probably a separate blog-post topic.

6.    References. Have the QSA vendor provide references. Again, they may balk or drag their feet on this. Also, keep in mind that they will not provide references from unhappy customers. The way around this is to make sure you ask questions of the happy customers that give insight into things like timeliness, quality, business acumen, and skill sets of the QSA assessors themselves. Also, get references from clients of the QSA vendor that are in the same industry and the same merchant level as you (this should already be a requirement in your RFP; that the QSA vendor has performed QSA-related work in your industry and at your merchant level).

7.    QSA Feedback Forms. Make it known that you fully intend to provide the PCI SSC with a QSA Feedback form after the engagement with the QSA vendor. The form can be found here and can be submitted by the QSA vendor client directly to the PCI SSC. The QSA I chose never gave me a feedback form and I am debating whether or not I want to share my feedback – that I have already shared with the vendor – with the PCI SSC directly.

8.    Be familiar with the QSA Agreements and QSA Requirements. You should expect to get responses from QSA vendors that are probably in violation of these two documents. I certainly did and guess what – those QSA vendors – yes, more than one – were removed from my consideration. You can find these documents here, here and here.

In summary, one way that the PCI SSC and QSA market can get better is by merchants better educating themselves on PCI-DSS and the QSA market. Merchants need to understand that they have resources to make sound QSA selection decisions as well as feedback loops to help the PCI SSC perform some QA on the QSA vendor community as a whole.


The Risk Is Right.

May 21, 2009

Of particular interest to me right now is the appropriate risk amount to report on for any given issue. Being IT folks – warning, broad stroke in progress – we prefer “precise” numbers that are not refutable by anyone and are supported by the overwhelming amount of electronic data that we have at our disposal. However, in reality – and in the information security risk management space – we lack such data. As such, there are information security industry super-stars that discourage the idea of taking a stand on quantifying information security risk; and from my perspective – devalue the subject matter expertise (some industry folks water this down to the word “opinion”) that security professionals offer to their organization. I guess I am getting off-topic – so let’s get back to topic: the appropriate risk value to report on.

Quite a few risk quantification tools and methodologies tend to produce a risk value often referred to as the “expected loss amount”. Typically, this is the product of a loss event frequency value (LEF for those FAIR-minded folks) and the average monetary loss magnitude. For most information security risk practitioners and the organizations that employ them, the expected loss amount may be the most appropriate risk value to articulate to decision makers for any given risk issue. However, an additional minute or two of analysis of your loss distribution could result in you wanting to articulate a risk amount different than the expected loss amount.

Let’s take a look at some phrases and a few examples.

Loss event frequency: The probable frequency with which we expect a loss to occur.

Average loss magnitude: This is the average (or mean) loss value from a simulation or actual loss events. For example, if I perform 1001 simulations where a value between $1 and $10 dollars is drawn – I would add up the sum of all the simulations and divide it by 1000.

Expected loss magnitude: This is the product of the loss event frequency (most often the mean LEF) and the average loss magnitude. For example, if my loss event frequency is 0.1 per year (once every ten years), and my average loss magnitude is $10,000; my expected loss magnitude would be $1000.

Remember what the median is? The median is the number that is directly in the middle of a range of numbers. For example, if we perform 1001 simulations where a value between $1000 and $20,000 could be drawn and the number in the middle (value number 501, when ordered from lowest to highest) is $10,000 – that is our median.

At this point we have what could be the first comparison in determining which risk value to report. Generally speaking, if the mean and the median are close to each other, then the data set – or loss magnitude values – may not be too skewed. If the mean is a lot higher than the median, then this could be the result of large loss magnitude values that are having a significant impact on the mean – somewhat “inflating” the average loss magnitude. The same concept applies if the mean is a lot lower than the median.

In some cases, using the mean loss magnitude to calculate the expected loss magnitude is appropriate. In other cases, the median may be more appropriate because the values influencing the mean are so far out in the distribution – or tail – that it would be inappropriate to use the average loss magnitude.

Now let’s look at another example. We have a risk scenario where the average loss value (per event) is $73,400, and you expect on average, 4 loss events per year. The annual expected loss ($73,400 x 4) is $293,600. However, we are dealing with probabilities and distributions and in reality there could be one year where we only have one loss event related to this specific issue and some years where we might have 10 loss events. How do we deal with this?

I performed a small experiment to help me better understand this.
From a previous risk issue, I derived the mean and standard deviations from the simulated loss event frequency (LEF) values and loss magnitude (LM) values. In Excel, I wrote a small VBA macro that allows me to define some simulation parameters and reference both the LEF and LM mean and standard deviation values. For each simulation iteration, the macro generates an LEF value based off a distribution that leverages the LEF mean and standard deviation. Then for each LEF value (I round to the nearest integer), the macro generates a loss magnitude value for each loss event and then sums those loss magnitude values. For example, if my LEF is two, then my utility randomly generates two loss values, using a distribution that leverages the LM mean and standard deviation, then sums those two values. The simulation continues until the desired number of iterations is complete. For my small experiment, I performed a simulation consisting of 3001 iterations. You can see the LEF and LM means and standard deviations in the image below.

[Image: risk_right_1_090521 – LEF and LM means and standard deviations]

Now that we have simulated loss values, we want to visually represent them. I want to represent the values two ways.

[Image: risk_right_2_090521 – scatter plot of loss magnitude bins]

This is a small scatter plot diagram with a smoothed line. In Excel we create loss magnitude bins and count the number of times each iteration’s loss magnitude sum fell into these bins. As you can see the loss magnitude values look normally distributed.

[Image: risk_right_3_090521 – percentage of loss magnitude values versus loss amount]

In this chart, I want to show the percentage of loss magnitude values in relation to the loss amounts themselves. So in this chart, my simulated loss is greater than $14,924 99.999% of the time. However, there is roughly a 10% chance that the risk could be greater than $404,924.

So what does all of this mean? What it means is that even though our expected loss value was $293,600* – the simulation resulted in the values below:

[Image: risk_right_4_090521 – simulation summary values]

The lowest simulated loss magnitude was: $14,924.
The largest simulated loss magnitude was: $620,000.
The mean (average) loss magnitude was: $308,636.
The median of the loss magnitude value was: $309,000.
There is a 20% chance (80th percentile or 1-in-5), that the loss amount could be: $380,000.
There is a 5% chance (95th percentile or 1-in-20), that the loss amount could be: $441,900.

Note: The values above would change from simulation to simulation – but not significantly assuming the input parameters (LEF and LM mean and standard deviation values) remain constant.

Note: It is important to note that the term “tail risk” is usually associated with values at the 97.5th percentile or greater, or less than 2.5% of the time. While the numbers at the 1-in-20 and various tail risk points are tempting to use: please keep in mind that these are low probability / high magnitude loss amounts. Grandstanding on these values just for the shock factor – is the equivalent of crying wolf and undermines the value we can provide to our decision makers.

Now, our decision maker is faced with a harder decision. Do I assume or mitigate the risk associated with an expected loss amount of $308,636 or does this 1-in-5 loss magnitude value of $380,000 stand out to me? While it may seem like we are dealing with a small difference between the mean and the 1-in-5 values – risk tolerance, risk thresholds, and risk management strategies vary between decision makers and organizations.
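The experiment described above, reproduced as an added Python example (not the post’s Excel/VBA macro): draw an LEF per simulated year, round it to a whole number of events, draw one loss magnitude per event, sum them, and then read the min, max, mean, median, 1-in-5 and 1-in-20 values off the resulting distribution. The mean LEF of 4.17 and mean LM of $73,400 come from the post; the two standard deviations and the clipped-normal distributions are assumptions, since the post shows its standard deviations only in an image and does not name its distribution.

```python
import random
import statistics

# Inputs quoted in the post: mean LEF of 4.17 events/year and mean LM of $73,400.
# The post shows its standard deviations only in an image, so these two are
# constructed placeholder values for the demonstration.
LEF_MEAN, LEF_SD = 4.17, 1.5         # LEF_SD: assumed value
LM_MEAN, LM_SD = 73_400.0, 20_000.0  # LM_SD: assumed value


def draw_nonneg(rng, mean, sd):
    """Draw from a normal distribution clipped at zero.

    Assumption: the post does not name the distribution its macro used, so a
    clipped normal stands in for it (frequencies and losses cannot be negative).
    """
    return max(0.0, rng.gauss(mean, sd))


def simulate_annual_losses(lef_mean, lef_sd, lm_mean, lm_sd, iterations=3001, seed=2009):
    """One iteration = one simulated year, following the post's procedure:
    draw an LEF, round it to a whole number of loss events, draw one loss
    magnitude per event and sum them."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(iterations):
        events = int(round(draw_nonneg(rng, lef_mean, lef_sd)))
        annual_losses.append(sum(draw_nonneg(rng, lm_mean, lm_sd) for _ in range(events)))
    return annual_losses


def percentile(sorted_values, p):
    """Nearest-rank percentile on an ascending list (p in 0..100)."""
    idx = round(p / 100 * (len(sorted_values) - 1))
    return sorted_values[idx]


def summarize(annual_losses):
    """The figures the post reports: min, max, mean, median, 1-in-5 (80th),
    1-in-20 (95th) and the 97.5th percentile "tail risk" value."""
    s = sorted(annual_losses)
    return {
        "min": s[0],
        "max": s[-1],
        "mean": statistics.mean(s),
        "median": statistics.median(s),
        "p80": percentile(s, 80),
        "p95": percentile(s, 95),
        "p97.5": percentile(s, 97.5),
    }


def looks_skewed(summary, tolerance=0.10):
    """The post's rule of thumb: a mean far from the median (here more than
    10% of the median) hints that tail values are inflating the average."""
    return abs(summary["mean"] - summary["median"]) > tolerance * summary["median"]


if __name__ == "__main__":
    losses = simulate_annual_losses(LEF_MEAN, LEF_SD, LM_MEAN, LM_SD)
    stats = summarize(losses)
    print(f"expected loss (LEF x LM): ${LEF_MEAN * LM_MEAN:,.0f}")
    for name, value in stats.items():
        print(f"{name:>6}: ${value:,.0f}")
    print("mean and median far apart:", looks_skewed(stats))
```

With the standard deviations set to zero the simulation collapses to the single-value expected loss (4 x $73,400 = $293,600), which is a handy sanity check before trusting the percentiles.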

Here is the take away: as you start going down the risk quantification road keep the following in mind:

1.    There is NO absolute 100% guaranteed predictable loss value – especially from a simulated loss distribution; but you have to report something. Thus choose a tool that lets you see the points from the distribution – not just a single value.

2.    Be mindful of how you articulate risk values. A consistent theme I hear and read about on a regular basis is that risk implies uncertainty – always. You need to underscore this when articulating risk to leadership.

3.    Have the discussion with your management / decision makers as to what loss value they would prefer to see. Their feedback may highly influence the value you report.

4.    Use the right value for the right purpose. For single risk issues, expected loss amounts may be appropriate. For a loss distribution (model) that represents dozens or even hundreds of risks – the 1-in-5, 1-in-10, 1-in-20 and maybe some tail risk values may be the best values to react to or budget for.

Have a great Memorial Day weekend!

* In the interest of transparency, the observant reader will notice that my mean LEF is actually 4.17. For simulation purposes, I have rounded generated loss event frequency values to the nearest integer. In a given year, you can’t have 4.17 loss events. You would either have 4 or you would have 5. However, if you take the product of 4.17 and $73,400 – $306,078 – you will notice that it is within a few thousand dollars of the simulation’s mean and median values.


2009 Verizon Breach Report

April 27, 2009

I read through the 2009 Verizon Breach Report on 4/17 on a plane from Columbus, OH to Washington DC. Below are my thoughts regarding some of the report’s content I found to be note-worthy.

Page 10 – Insider Threat. I really appreciate how they differentiated between insiders acting alone versus insiders being used as unknowing attack vectors. All too often we hear “insider threat” and assume these individuals are all malicious. For information security risk professionals – do not be afraid to ask your leadership or general counsel teams if this occurs within your organization – especially given the current economic climate. While I am not one to predict, it will be interesting to see the numbers next year for this threat community.

Page 11 – Measuring Central Tendency. Yes, yes, yes (almost an Herbal Essences moment) – statistics being used properly. As part of a risk quantification effort I am leading, I have also observed numerous instances where skewed data made the median a much more valuable variable to react to than the mean. While on the surface it sounds boring and border-line splitting hairs – the differences between these two can have a tremendous impact on decisions related to them.

Page 12 – External Breach Sources. Let’s talk about preventive controls – IP blocking. I know, easier said than done – but it is still a tool available to us. Not 100% bulletproof – but it is another defense measure that we should not discount.

Page 29 – Target of Choice vs. Target of Opportunity. This concept of determining if you are a “target of choice” versus a “target of opportunity” can factor into “threat event frequency” – how often a threat agent attempts to attack your asset and attempts to overcome its control resistance. In addition, these considerations may also help you determine the threat capability of the attacker. For example, an attacker targeting a “target of choice” may have higher skills, more time, and different motives than an attacker that happens to stumble upon a “target of opportunity”. What type of target you are will probably vary depending on the application, company, and industry. Regardless, this is a great and effective mental exercise to perform.

Page 35 – Time Span of Breach Events. Awesome stuff in this section. From a risk perspective – this type of information can be used to analyze potential impact should a breach occur. However, the report does not correlate time span of compromise to breach size – so one should not assume that the longer a breach goes undetected the bigger the impact. Regardless, there are still reputation implications that should not be discounted. If it takes a large organization weeks or months to discover something – how does that make consumers feel about that organization? In a risk assessment, time span between “compromise to discovery” could be a valuable contributing factor to document; it will obviously vary from scenario to scenario.

Page 38 – Breach Discovery Methods. I labeled this section in my notes “the forgotten detective control”. This section has really challenged my mindset on how I think of third parties as a detective security control. Let’s face it – we don’t want third parties to be a security control – at least not the control we respond to first. We often think of security controls as those things we have direct control over. In some cases, third parties may be a more cost effective control than those security controls in our own environment. I would submit that how an organization responds to third party detection alerts is very important in the consumer’s mind. I am sure there are philosophical debates on this concept. I need to force myself to consider this type of security control moving forward.

** NOTE ** A great blog I keep eyes on, regarding how companies react to “situations” is called the BulletProofBlog – by Levick Strategic Communications. Even though this blog is not security related – there are quite a few posts on reputation and the public’s perception when companies are faced with a public relations crisis. Check out their post regarding the recent Domino’s Pizza ordeal.

Overall – I thought the Verizon Business RISK Team did an outstanding job on this report. This was information sharing in the purest sense with no underlying security vendor / security product FUD.


PCI Treatment

April 2, 2009

[Image: pci_hurts_090402]

Once again, I am pushing the limits of decency.

Some of my co-workers have been expressing their sarcasm about my deep involvement with an internal PCI program. Why, because some of them have had to take on non PCI-related projects that typically would have fallen in my court.

One of them has been making statements about PCI and how it hurts.

Another got creative and sent me a potential PCI antidote / treatment.

My teammates are awesome!