Archive for November, 2006

Risk Tolerance vs. Risk Appetite, COSO-style

Tuesday, November 28th, 2006

I found this in COSO’s ERM FAQ,

1. What is the difference between risk appetite and risk tolerance?

Both risk appetite and risk tolerance set boundaries of how much risk an entity is prepared to accept. Risk appetite is a higher level statement that considers broadly the levels of risks that management deems acceptable, while risk tolerances are more narrow and set the acceptable level of variation around objectives. For instance, a company that says that it does not accept risks that could result in a significant loss of its revenue base is expressing appetite. When the same company says that it does not wish to accept risks that would cause revenue from its top-10 customers to decline by more than 10%, it is expressing tolerance. Operating within risk tolerances provides management greater assurance that the company remains within its risk appetite, which, in turn, provides a higher degree of comfort that the company will achieve its objectives.

They seem to view Risk Appetite as being primarily qualitative and Risk Tolerance as quantitative. Handy to know.

Insecurity camera

Monday, November 27th, 2006

From Yahoo news:

NASHVILLE, Tenn. - An East Tennessee county that has beamed live 24-hour video from its jail on the Internet for nearly six years may nix the practice following complaints of harassment and security concerns.

Some viewers have been using the cameras to harass female jailers by calling them on the telephone and taunting them as they work, according to Anderson County sheriff’s officials.

In other cases, viewers are tracking inmate movements and using the information to coordinate deliveries of contraband to prisoners on work details outside the jail.

“It shows the public what we are doing. I like that idea,” said Anderson County sheriff Paul White.

“But by the same token, now that people are using it for bad things, we have to weigh the odds. The bad things that could happen are not worth the good things that happen out of it. And if you weigh the odds, it looks like we will have to shut it down.”

At least the sheriff understands risk, perhaps better than he even realizes, as well as technology as an unbiased enabler.

Cameras can allow fewer guards to monitor more area. Cameras can help provide oversight and prevent abuse. Cameras can also, however, invade privacy, both in intended (the inmates) and unintended (the guards) ways.

And as an article on the camera-ization of Chicago makes clear, some people are just not qualified to participate in the discussion:

“Hopefully it will make the crime rate drop and that should justify everything,” said Jeff Coates.

Metrics tell us the darndest things

Monday, November 27th, 2006

As my dad used to say, “It’s all news if you haven’t read it.” In that vein, I highly recommend an older article over at ncircle which I just saw this morning with some metrics-based analysis of productivity costs of Microsoft Patch Tuesday.

In the past year, I’ve noticed a significant amount of resources worldwide dedicated to this day. For example, emails to some security lists take a sudden lull (while other message channels increase in chatter) and the amount of Microsoft-related news articles goes through the roof.

So for this week’s Patch Tuesday, I documented a few statistics.

I’m not going to steal his analysis (or his charts & graphs), but it’s interesting to see that even his cursory analysis backs up the conventional wisdom regarding productivity costs of Patch Tuesday.

Of course, given that I strongly suspect his analysis is of volume on a certain mailing list which, based on my own years-long subscription, is mostly security geeks arguing about the relative virtues of Tim Horton’s versus Krispy Kreme and the correct formulation of poutine, maybe it’s actually identifying excess productivity in the average security team, and that’s analysis that would only be held against us.

Changing Times

Friday, November 17th, 2006

Last night, I went to the first large concert I’ve attended in a couple of years. I saw Barenaked Ladies play at Allstate Arena out in the ‘burbs. At the end of the set, they dropped the houselights and left us in the dark to scream, cheer, and clap for a few minutes before the encores. Once upon a time, the crowd would pull out their lighters, jack up the butane to maximum flame, and hold their flaming lighters up in a show of crowd solidarity.

Allstate Arena, like pretty much every arena I know of these days, bans smoking, meaning that a lot fewer people had their lighters handy to hold up in the dark.

Instead, I looked around and saw that the lighters had been replaced with cell phones. A thousand or more glowing screens and keypads floated in the darkness.

I would have taken a picture of it but, ironically, I’d left my phone at home.

Asteroids

Thursday, November 16th, 2006

Asteroid impacts are always a favorite example of a high-impact, low-likelihood event. Now, thanks to Tyler Cowen at Marginal Revolution, I know that we have been significantly understating asteroid impact risk:

Scientists in the working group say the evidence for such impacts during the last 10,000 years, known as the Holocene epoch, is strong enough to overturn current estimates of how often the Earth suffers a violent impact on the order of a 10-megaton explosion. Instead of once in 500,000 to one million years, as astronomers now calculate, catastrophic impacts could happen every few thousand years.

I wonder what this has done to the price of catastrophic asteroid impact insurance.

Why Vista will fail succeed in spite of itself

Thursday, November 16th, 2006

There was an article a few days ago about Four Reasons Why Vista is not Worth it. It laid out, as the title suggested, four reasons that Vista wasn’t worth it (slow, bad UI, no one cares about security, and better alternatives). I tend to agree: the first thing I do to any workstation or laptop I get is turn off the eye candy, I know all too well how little people care about security when it requires effort on their part, and I’m also a known Open Source fan.

Today, though, I saw an article in Computerworld about Vista’s DRM “Features” which they sum up as:

In a nutshell, this is the dilemma Microsoft faces as it prepares to launch Windows Vista. By any standard, Vista’s new DRM capabilities — aimed at protecting the rights of content owners by placing limits on how consumers can use digital media — hardly qualify as a selling point; after all, it’s hard to sing the praises of technology designed to make life harder for its users.

Microsoft itself defines DRM in straightforward terms, as “any technology used to protect the interests of owners of content and services.” In theory, it’s an easy concept to grasp; in practice, however, modern DRM technologies include a multitude of hardware-, software- and media-based content-protection schemes, many of which have little or nothing in common.

What’s missing are the rights of users, those pesky folks who actually provide the cash whose flow the “rights owners” are so intent on protecting. And in case there’s any doubt where Microsoft stands on this position, a person need look no further than their own contribution to the DRM stew, the Software Protection Program, the follow-on to the Windows Genuine Advantage process:

SPP requires that users validate their version of Vista with a software license key within 30 days of its activation. Users who don’t validate the operating system will be prevented from using certain features, including the new Aero graphical user interface, the ReadyBoost system performance application and, most controversially, the Windows Defender antispyware program.

After 30 days, Vista goes into a reduced functionality mode, similar to Windows Safe Mode — users have access to a Web browser (so they can validate or purchase a copy of Vista), but none of their computers’ other functions.

This can be summed up as, “If Microsoft decides that you are no longer worthy (for whatever reason), then they have the right to break your computer.” It’s like a protection racket, except that your computer will break its own knees if “Balls” Ballmer decides you haven’t paid the juice.

Update: Changed title to more accurately reflect what I think will happen with Vista.

More on rogue waves

Saturday, November 11th, 2006

Yesterday was the 31st anniversary of the sinking of the SS Edmund Fitzgerald, which went down during an early winter storm on Lake Superior and was immortalized in song by Gordon Lightfoot.

So I found it especially interesting that the Fitzgerald may have been felled by a rogue wave, according to the Wikipedia entry:

The last communication from the boat came at approximately 19:10 (7:10 PM), when Anderson notified Fitzgerald of being hit by two of the speculated “Three sisters”, large enough to be caught on radar, rogue waves or perhaps seiche waves, that were heading Fitzgerald’s way and asked how she was doing. McSorley reported, “We are holding our own.” A few minutes later, she suddenly sank – no distress signal was received. A short ten minutes later Anderson could neither raise Fitzgerald nor detect her on radar. At 20:32, Anderson informed the U.S. Coast Guard of their concern for the boat.

Through much of its career, the Edmund Fitzgerald was the largest ship on the Great Lakes at 26,000 tons displacement and 729 feet long. This would make it just a little bit smaller than the World War II-vintage aircraft carrier Yorktown (CV-10). Having visited that ship as a floating museum in Charleston, South Carolina many times over the years, I can tell you from experience that’s a big ship.

The idea of a wave that could knock something that size under the surface never to pop back up is hard to get our heads around, which is also one of the hardest things about communicating risk. Our minds don’t want to comprehend the likelihood of events that powerful. As we look at (and sometimes even walk around on) a ship the size of an aircraft carrier, the idea that it could be knocked under the water by a wave (or three, in this case) must either be ignored or it would be enough to paralyze some of us into utter helplessness.

That’s not necessarily a bad thing, however. If we tried to manage every little risk in our lives, we would be paralyzed with fear. I think people have developed a natural blind spot for risks which they cannot mitigate. That may be fine when you’re ignoring the risk of freezing to death so you can focus on killing the saber-tooth tiger, but it harms decision-makers in a modern business world, where they are blinded to risk simply because they can’t get their head around it.

Vote!

Tuesday, November 7th, 2006

It’s election day, and it’s time to get out there and vote.

I voted touchscreen

Even if it may not count.

More on picking locks in the cold, cruel world

Thursday, November 2nd, 2006

What’s the world coming to when a guy can’t even enjoy a nice rant about disclosure as a valuable input to managing his own risk without his friends picking on him?

Of course, he must be pulling our legs a bit [ed: ya think?]. I mean, you don’t have to watch too much television to sort of get the point about fallibility of locks…

Btw, this type of “disclosure” increases the collective risk to the world simply by making more potential attackers aware of it. Note that we have had the vulnerability portion of this risk forever (essentially) so the only change is in that knowledge distribution. But there is good news - at least this risk is constrained by physical proximity.

As I noted in my original post,

Is this risk low? Probably. While I couldn’t find data by googling, my instinct is that very few break-ins involve a picked lock. That probably has more to do with the fact that it’s easier for the average attacker (burglar or home invader) to simply smash a window or kick in the door than pick the lock. Picking locks is generally an inefficient branch of the attack tree for getting into a facility (unless non-detection is significant, but detective controls are out-of-scope today).

So the incremental increase in aggregate risk due to full disclosure is quite small in the immediate-term, but has a long-term payoff in reduced risk over time as lock engineering continues to improve.

So, yes, I know that locks are pick-able, even if I don’t watch much TV. With the rise of the Internets, though, that information flows freely. Criminals are quite good at sharing information electronically, and they can find the five million google pages which reference lock picking (and mostly seem to consist of How-To Guides) as easily as I can.

So Mike Rothman asked in his own response to my post,

Now let’s look at physical locks. Is there a lock-pickers newsgroup, or bulletin board? Are there blogs written by lock pickers that share the latest gadgets and techniques? Are folks’ RSS readers buzzing with how to break a Schlage F-Series? I honestly don’t know. And how many of the lock pickers frequent these information sources and would be able to quickly take advantage of the new information? Again, I don’t know.

Well, the fact of the matter is that there absolutely is a lock-picking sub-culture. There’s also the whole profession of locksmiths, and their trade is partly about knowing which locks are good and which are bad.

So in the end, what irritates me is that the only people who probably don’t know the effectiveness of their locks are the people who falsely assume they are keeping them safe at night. In the IT world, it took the threat of naming and shaming from the full disclosure movement to prod a lot of companies into action, and I strongly suspect that so long as the risk associated with a given make and model of lock is not available to consumers, it will take similar action to prod the lock manufacturers in the physical world into action, as well.

One good, one bad

Thursday, November 2nd, 2006

Mike Rothman had two posts today which merit noting. The first points to Ed’s breakdown over at SecurityCurve of the reality of mobile malware risk (hint: it’s a very acceptable risk). Go read it. It’s a great example of a data-driven FUD repudiation and doesn’t really lend itself to excerpting.

The other, though, needs some words. In his notes about an interesting essay by Jeff Hayes about the difficulties in reporting or disclosing vulnerabilities in physical locks, Mike writes:

the WSJ picked (no pun intended) up an article that pointed out the vulnerabilities of locks from many of the leading manufacturers. They were pissed because they felt it was giving information to the bad guys. Have you seen this movie before? There is a difference in our world, in that it’s much easier to “patch” a technology vulnerability than something physical in my house. Depending on the nature of the issue, it could involve recalls, service calls, or who knows what. Besides the economic infeasibility of replacing all of those locks, fixing the problems is not as straightforward in the physical world. So the lock manufacturers do have a point. Responsible disclosure in our world works because it’s relatively trivial to fix problems. We need to be careful with obscurity in other sectors because you could really impact someone’s personal safety.

Here’s my take: Frankly, I don’t give a rat’s ass about the poor little lock manufacturers who sell me a faulty product and then whine about the cost of fixing it.

When lock manufacturers cover up or refuse to disclose vulnerabilities in their products, they’re assuming risk on my behalf. If I suffer a loss of life, health, happiness, or property due to their product being faulty, that’s an externality to them unless I successfully sue them in civil court, which will take years and cost me tens of thousands of dollars before I ever see any compensation, and even then the manufacturer has probably transferred their liability risk through insurance.

Is this risk low? Probably. While I couldn’t find data by googling, my instinct is that very few break-ins involve a picked lock. That probably has more to do with the fact that it’s easier for the average attacker (burglar or home invader) to simply smash a window or kick in the door than pick the lock. Picking locks is generally an inefficient branch of the attack tree for getting into a facility (unless non-detection is significant, but detective controls are out-of-scope today).

Unfortunately, as the Kryptonite/Bic pen class break demonstrated, if a vulnerability is discovered which alters the “cost” of a branch of the tree, the attackers (thieves) will shift very quickly to that now-efficient branch. With the Bic pen exploit, what was already a low-risk attack became effectively a no-risk attack, since the attacker now looks like the rightful owner unlocking his bike and doesn’t even need specialized tools.
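The attack-tree argument above can be made concrete. What follows is an added example, not code from the original post: a small cost-weighted attack tree in Python in which OR nodes take the cheapest child and AND nodes sum their children, so the cheapest path is the branch a rational attacker prefers and the one a defender should invest against first. The branch names are the ones the post mentions (smash a window, kick in the door, pick the lock); the effort numbers are constructed relative costs for illustration, not measurements, and the before/after pair shows how a class break that removes the need for tools and skill moves the lock branch from last place to first.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    """One node of an attack tree. kind is 'leaf', 'or' or 'and'.
    cost is the attacker's effort for a leaf (constructed relative units)."""
    name: str
    kind: str = "leaf"
    cost: float = 0.0
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Return (total cost, list of leaf names) for the cheapest way to satisfy node.
    OR: the attacker picks the cheapest child. AND: every child must be done."""
    if node.kind == "leaf":
        return node.cost, [node.name]
    if node.kind == "or":
        return min((cheapest(c) for c in node.children), key=lambda r: r[0])
    if node.kind == "and":
        total, path = 0.0, []
        for child in node.children:
            cost, sub = cheapest(child)
            total += cost
            path.extend(sub)
        return total, path
    raise ValueError(f"unknown node kind {node.kind!r}")


def build_tree(tool_cost: float, skill_cost: float) -> Node:
    """Tree for 'get into the facility'. The lock branch is an AND of acquiring
    tools and having the skill/time to use them; the other costs are fixed
    constructed values so the comparison isolates the effect of the lock branch."""
    return Node("get into facility", "or", children=[
        Node("smash window", cost=2.0),
        Node("kick in door", cost=3.0),
        Node("pick lock", "and", children=[
            Node("obtain tools", cost=tool_cost),
            Node("apply skill", cost=skill_cost),
        ]),
    ])


def before_and_after() -> Tuple[Tuple[float, List[str]], Tuple[float, List[str]]]:
    """Cheapest path before and after a class break.
    Before: specialised tools (5) and real skill (10) make the lock branch the
    worst option. After: an everyday object (0) and seconds of effort (0.5)
    make it the best option, so the attacker population shifts to it."""
    before = cheapest(build_tree(tool_cost=5.0, skill_cost=10.0))
    after = cheapest(build_tree(tool_cost=0.0, skill_cost=0.5))
    return before, after


def branch_shifted() -> bool:
    """True if the class break changed which branch is cheapest."""
    before, after = before_and_after()
    return before[1] != after[1]


if __name__ == "__main__":
    b, a = before_and_after()
    print("before:", b)
    print("after: ", a)
    print("cheapest branch shifted:", branch_shifted())
```

The same function gives the defender a ranking: whichever leaf appears in the cheapest path is where a control changes attacker behaviour, which is why knowing the real cost of the lock branch matters more than the absolute break-in rate.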

When it comes to the security of myself, my family, and (to a lesser extent) my property, however, I’m extremely risk averse. I want a reasonable level of confidence that it’s going to take more than a Bic pen or a bump key to bypass the lock on my front door. When it comes to my safety, I want full risk disclosure. I may decide that I can accept the risk of a lock being picked in ten minutes, but not bump-keyed in ten seconds, but currently I don’t have that option because the data is not readily available.

This is a simple risk management decision, but one that can’t be made without information. When people defend a company on the basis that fixing a problem they created is “too expensive,” I consider that irresponsible. If the company is concerned about the financial risk of inferior products, they should manage that risk themselves, either through some sort of errors & omissions insurance or by mitigating it with improved engineering and quality assurance. What they should not be able to do is silently pass the risk on to me as an externality.

Yes, I know that there are ratings based on some assessment of “time to pick” for a particular lock, but those are, so far as I know, somewhat subjective and not widely available, which makes them less-than-useful.