Welcome to the SecAware blog

I spy with my beady eye ...

21 Jul 2014

Now what?

We're having 'Internet connectivity issues' - par for the course really, out here in rural NZ, but in trying to diagnose the problem, I find this message particularly ironic ...

10 Jul 2014

Pragmatic use for a PRAGMATIC security metric

I have just published a tool developed by Ed Hodgson, Marty Carter and me to help people estimate how long their ISO/IEC 27001 ISMS implementation projects will take.

The tool is an Excel spreadsheet (DOWNLOAD). As with the remainder of the ISO27k Toolkit, it is free to use and is covered by a Creative Commons license. I will roll it into the Toolkit when the Toolkit is next updated.

The estimated project timescale depends on how you score your organization against a set of criteria - things such as the extent to which management supports the ISMS project, and its strategic fit. The scoring process uses a percentage scale with textual descriptions at four points on the scale, similar to those Krag and I described in PRAGMATIC Security Metrics. The criteria are weighted, since some are way more important than others. The scores you enter either increase or decrease the estimated timescale from a default value, using a model coded into the spreadsheets.

Ed enhanced my original model with a more sophisticated method of calculation: Ed’s version substantially extends the timescale if you score low against any criteria, emphasizing the adverse impact of issues such as limited management support and strategic fit. I have left both versions of the model in the file so you can try them both and compare them to see which works best for you … and of course you can play with the models, the criteria and the weightings as well as the scores. I suspect that Ed’s version is more accurate than mine, but maybe both are way off-base. Perhaps we have neglected some factor that you found critical?  Perhaps the weightings or the default timescale are wrong?  If you have successfully completed ISMS implementation projects, please take a look at the criteria and the models, and maybe push your numbers through to see how accurate the estimations would have been.

Feedback comments are very welcome – improvement suggestions especially – preferably on the ISO27k Forum for the benefit of the whole community, otherwise directly to me if you’re shy.

I’m afraid we haven’t yet managed to figure out how to estimate the resourcing (man-days) needed for the implementation project, as we originally planned. A couple of approaches have been suggested (such as breaking down the requirements in ISO/IEC 27001 to identify the activities and competences/skills needed) but it will take more effort to turn the suggestions into a practical tool. If you are inspired to have a go at developing a suitable tool, please make a start and I can set up another collaborative project on Google Docs to continue the development. Further general suggestions are fine but we really need something more concrete to sink our teeth into – a draft or skeleton resourcing estimator would be good. How would you go about it?

Gary Hinson  (Gary@isect.com)  

7 Jul 2014

ASIS report on security metrics

"Persuading Senior Management with Effective, Evaluated Security Metrics" is a lengthy new research report from ASIS Foundation, a membership body for (primarily) physical security professionals.

Quoting from the report's executive summary:
"Security metrics support the value proposition of an organization’s security operation. Without compelling metrics, security professionals and their budgets continue largely on the intuition of company leadership. With metrics, the security function grounds itself on measurable results that correlate with investment, and the security professional can speak to leadership in a familiar business language."
Fair enough.  That's similar to what we wrote in PRAGMATIC Security Metrics, in referring to measurable results and business orientation.
"Security metrics are vital, but in the field and in the literature one finds few tested metrics and little guidance on using metrics effectively to inform and persuade senior management." 
I'm not sure I agree that there are 'few tested security metrics' - it all depends on what we mean by 'tested' and 'security metrics'. I know there are hundreds of information security metrics in use, scores of which I believe are relatively widespread. I also know how easy it is to specify literally thousands of potential information security metrics covering various aspects and facets of our field, especially if one considers variants of any given metric as distinct metrics (e.g. 'the malware threat' could be measured in dozens of different ways, and each of those measures could be expressed or reported in dozens of ways, implying several gross of malware threat metrics).

We described and evaluated about 150 information security metrics examples in PRAGMATIC Security Metrics, and mentioned or hinted at numerous variants that might address some of the shortcomings we found in the examples.
"To address the gap, in spring 2013 the ASIS Foundation sponsored a major research project designed to add to the body of knowledge about security metrics and to empower security professionals to better assess and present metrics. The Foundation awarded a grant to Global Skills X-change (GSX), partnered with Ohlhausen Research, to carry out the project." 
GSX, tagline "Define. Measure. Optimize.", describes itself as "... a professional services firm that specializes in designing workforce education strategies and processes, which allow customers to meet their specific performance goals. The GSX core business model revolves around defining functional competency models and developing valid and reliable assessment tools as the foundation of credentialing and educational programs."

As to Olhausen Research, "A researcher in the security field for more than 25 years, [Peter Ohlhausen, President of Olhausen Research Inc.] has assisted in the multi-year revision of Protection of Assets, served as senior editor of Security Management magazine, and conducted numerous research and consulting projects for the U.S. Department of Justice, U.S. Department of Homeland Security, ASIS, and corporate clients." 
"This report provides the project’s findings, including its three practical, actionable products:
  • The Security Metrics Evaluation Tool (Security MET), which security professionals can self-administer to develop, evaluate, and improve security metrics 
  • A library of metric descriptions, each evaluated according to the Security MET criteria 
  • Guidelines for effective use of security metrics to inform and persuade senior management, with an emphasis on organizational risk and return on investment"
Security MET turns out to be a method for assessing and scoring metrics according to 9 criteria in 3 categories, described in some detail in Appendix A of the ASIS report:
Technical Criteria – Category 1
1. Reliability
2. Validity
3. Generalizability
Operational (Security) Criteria – Category 2
4. Cost 
5. Timeliness
6. Manipulation
Strategic (Corporate) Criteria – Category 3
7. Return on Investment
8. Organizational Relevance
9. Communication
I see interesting parallels to the 9 PRAGMATIC criteria we have described. Security MET requires users to score metrics on a 1-5 scale against each criterion using a 3 point scoring scale rather than the percentage scales with 4 scoring points that we prefer, but is otherwise the same process. It appears that we have converged on a generalized method for assessing or evaluating metrics. However, PRAGMATIC Security Metrics, and indeed other metrics books, are notably lacking from their "comprehensive review of the current state of metric development and application".  Information security is barely even mentioned in the entire report, an unfortunate omission given the convergence of our fields.

The ASIS report goes on to list just 16 [physical] security metrics, described as "authentic examples" that had been identified through the researchers' telephone interviews with respondents:
1. Office Space Usage Metric
2. Security Activity Metric
3. Environmental Risk Metric
4. Averted External Loss Metric
5. Security Audit Metric
6. Officer Performance Metric Panel
7. Security-Safety Metric
8. Security Incidents Metric
9. Personnel Security Clearance Processing Metric
10. Loss Reduction/Security Cost Metric
11. Operations Downtime Reduction Metric
12. Due Diligence Metric
13. Shortage/Shrinkage Metric
14. Phone Theft Metric
15. Security Inspection Findings Metric
16. Infringing Website Compliance Metric
These metrics have each been MET-scored by a handful of people, potentially generating statistics concerning consistency or reliability of the scoring method although the statistics are not actually provided in the report. There is no information reported concerning the method's consistency if the assessments are repeated by the same assessors. The authors do however mention that "The total score may suggest how close the metric is to attaining the highest possible score (45), but it is not likely to be useful for comparing different metrics, as the scoring would be different for users in different organizations.", suggesting that they are unhappy with the method's consistency between different assessors.  

Overall, this report is a worthwhile contribution to the security metrics literature.  Take a look!

6 Jul 2014

Corporate culture: emergent or directed?

Dan Swanson sent me a generous extended summary (from Summary.com) of Mike Myatt's recent book Hacking Leadership that set me thinking this morning about the extent to which the corporate culture can be hacked. Specifically, the [unnamed] author of the summary wrote:
"Great corporate cultures are intentional — they are built by design. Creating a healthy culture is a matter of making a focus point within the corporate values, purpose, vision, mission and strategy."
Skimming quickly past the thorny question of what might make a corporate culture 'great' or 'healthy', I don't fully understand 'making a focus point within the corporate values, purpose, vision, mission and strategy'. I appreciate that values, vision and mission statements, and strategies are commonly used to express management's intent, but what the author means by 'making a focus point within [them']' literally escapes me.

If he/she means that management uses, or should use, the values, purpose, vision, mission and strategy to design the corporate culture, I'm afraid I simply don't accept that. Such written statements may arguably have some purpose in guiding or aligning the way employees behave, but even that is dubious in practice. In my experience, corporate value statements and the like differ from, and in some cases are diametrically opposed to, the actual corporate culture. They are mere puffery, worthy statements of intent that achieve very little in practice, especially if that's all there is: things may be different if they are used as an integral part of a more comprehensive corporate change initiative, in which case the statements themselves, and those dreaded motivational posters, are almost entirely incidental. Far more important, in my opinion, are things such as:
  • The analysis and thinking behind those fine statements. As literally expressed, corporate value statements and the like are usually vague, superficial hand-waving nonsense. Most are generic, stilted and cringeworthy ("Our people are our greatest assets"), often making them unintentially ironic and hence counterproductive ("Yeah, right"). Most are overladen with meaning, having been carefully crafted by committees of managers with differing objectives, leading to them becoming bones of contention and, ultimately, either the least disagreeable compromises or expressing the will of the most powerful contributors (seeding discontent among any dissenters). If, instead, they represent the outcome of a deep, insightful and meaningful discussion, and a true consensus of management's opinion and intent, then they are far more powerful. If they clearly state specific, achievable and measurable goals, then they can gain real traction. However, this is dissappointingly if not vanishingly rare in reality.
  • Actual behaviors - what people (especially managers and other influential employees) do in practice, how myriad decisions are made, what gets supported and put into practice as well as what doesn't - matters far more than any mere expression of intent. Furthermore, behaviors and directives from management that directly and obviously conflict with management's expressed intent are Kryptonite, seeding dissent and seriously undermining the objectives. This is a common problem even in corporations that are succeeding in changing their cultures, since 'the old ways' that are so deeply embedded are bound to surface from time to time. Identifying and responding positively and sympathetically to that reality is, I reckon, a necessary part of cementing the change.
  • Their communication as part of the corporate change program. They need to be expressed in a context and a manner that resonates with and motivates the individuals, who each have unique perspectives and preferences. An effective program also needs to incorporate compliance and enforcement activities, such as encouraging and perhaps rewarding behaviors that comply with and support the expressed values, while discouraging and perhaps penalizing non-compliant behaviors - although whether these should be explicit or implicit is a moot point. Motivation is a complex topic that can't be adequately described in such crude terms.
Exactly the same arguments apply, by the way, to those dreadful statements tacked on the end of most advertisements, afterthoughts at best or manipulative brainwashing at worst. "Value and style", "Number one in shoes", "Your choice" or whatever are bland, crass advertising not branding. The true brand is the complete suite of public impressions and perceptions about the company, its products, its people, its value for money, its quality and so forth. The true brand is driven largely by customer-supplier interactions and experiences over the lifetimes of products (goods and services) purchased, particularly concerning their quality (as in fitnesss for purpose), performance and consistency, plus to a lesser extent comments and statements about the company and/or its products by influential, trusted people, particularly those with no ax to grind (i.e. not paid reviewers, marketers or advertizers, or indeed employees and agents of the company concerned). In that context, advertisements are far less influential on the true brand, although their informational content can be useful.

Having blabbered away on something of a tangent, let me return to the book summary quoted above, the next paragraph in fact:
"Culture is a construct that must be embedded into the very fabric of the corporate identity. It must be part of the ethos that describes why the enterprise exists, what and who it values, and how it will behave. This is why culture must be created from a design perspective — it must be intentional and purposeful. It must be part of the strategy that dictates acceptable behaviors, how decisions will be made, and what will drive operational focus."
As you might guess, I disagree with almost every part of that:
  • 'Culture is a construct' implies that it can be constructed in the same manner as, say, a building: no, it can be influenced and guided to some extent by skilled efforts, but that's not the way buildings are built! It is not a mechanistic or deterministic process.
  • 'Culture ... must be embedded into the very fabric of the corporate identity'? No, the culture is an inherent part of the corporate identity, along with the true brand. It can't be embedded, since it is already within.
  • 'It must be part of the ethos that describes why the enterprise exists ...'?? No again: the corporate culture is an inherent characteristic, or rather a set of characteristics, of the corporation.
  • 'This is why culture must be created from a design perspective' - ummmm, it can't actually be created as such, at least not in the literal sense that I believe the author means although one might argue that expressing the desired state of the culture (through those vision statements and so on) constitutes a blueprint.
  • '[The culture] must be intentional and purposeful'. I suppose the desired culture must be intentionally and purposefully expressed or described in order to have the desired effect, but I'm not convinced the culture per se must necessarily be 'intentional and purposeful'. The culture is whatever the culture is, and will vary in all dimensions e.g. across time, within the corporation, in the details and at the higher levels.
  • 'It must be part of the strategy that dictates acceptable behaviors ...' seems to me to conflate corporate culture with corporate strategy and corporate vision-type statements, whereas these are distinct concepts with different meanings and purposes. On top of that, nothing (not even an edict by a powerful dictator, as history has proven time and again) can absolutely dictate human behaviors. We are sentient, free-willed, self-motivated and self-determined beings, not robotic machines. Even prisoners in solitary confinement under the most draconian regimes find ways to express or demonstrate their resistance.
  • As to 'what will drive operational focus', that is a key purpose of strategy but not culture. Corporate culture is more concerned with everyday behaviors and practices than with lofty strategic goals.
My personal interest in this topic primarily relates to the corporate security culture. I doubt it can be designed and built as such, but I know it can be influenced. However, there is another very important factor not mentioned in the two paragraphs quoted from the book summary: culture changes gradually and incrementally. It takes time. It evolves. Step changes are rare, normally occuring in reaction to dramatic events or incidents that occur as opposed to being artificially created ... although I am intrigued at the possibility of engineering events and incidents in order to achieve a desired outcome. It's surely a risky approach, though, something perhaps to consider another day.

Meanwhile, I have outdoors stuff to do, and thoughts to mull over, so that's enough for now.