» Archive for January, 2007

How do I lose thee? Let me count the ways

Wednesday, January 10th, 2007

As I see it, information gets lost or stolen in one of three fundamental modes:

  • accidental: This is the person who leaves a CD of Personal Data in an airplane seat pocket or loses a laptop. They genuinely didn’t mean to lose the information, but in the course of some slip-up or other loss, the information got taken as well. These sorts of losses probably have the highest volume, but also the lowest likelihood of an involved piece of data being exploited.
  • selfish: This is the person who probably knows that what they’re doing is wrong or risky, but is more concerned with their immediate benefit than with the impact on those affected. This model applies less to Personal Data and more to intellectual property. This is the person who, for example, posts sensitive corporate data on a Web site for their own prestige, ignoring the risk to their employer, or who discloses information to “get back” at their employer or boss for some perceived slight.

    This also includes some, but not all, of the situations where someone fails to use available protections because they’re too inconvenient or difficult to apply. In many cases, the safeguards really are too difficult for the average user to comprehend or apply. I would put not using SSL on a Web site where payments are accepted in this category (for the Web site operator), but would put disclosure due to email monitoring in the “accidental” category, since PGP really is too difficult for the average user to comprehend.*

    This is also the model by which content often enters the Darknet. Someone rips & uploads information (a song, movie, book, etc.). They may not receive direct monetary benefit, but they either gain prestige (in an up/down ratio sharing group) or a feeling of “sticking it to The Man.”**

    While the likelihood of this information being exploited to harm the owner/described entity is higher than accidental loss, that harm is by no means assured. The discloser may or may not disclose truly sensitive information or it may not be found and interpreted by the necessary parties.

  • malicious: Corporate espionage and fraud. This is information that is obtained specifically to be used for the direct (monetary?) benefit of the attacker and/or to the detriment of the rightful owner. This is the highest-risk case, since the attacker is assuming risk specifically to gain reward–in that regard, the information theft is a criminal commercial venture. Not exploiting the stolen data would be like holding up a liquor store, then forgetting to take the cash from the register–it has happened, but we would be foolish to count on failure to use the proceeds of the theft as a safeguard.

While there are commonalities in the controls which can reduce the risk of each type of breach, understanding which scenario you’re worried about can in turn lead to the applicable vulnerability and can change control design considerably.

For example, full hard drive encryption can provide excellent mitigation of accidental loss risk as well as certain malicious loss use cases (e.g. targeting a laptop for its data), but will do next to nothing to stop a disgruntled employee from leaking information which they legitimately have access to during their day-to-day work activities. In the initial discussion, however, the information owner might just say, “Keep people from stealing our data!”

Understanding the nature of the different potential threats is an essential piece of Risk Assessment and can, quite often, provide the quickest path to effective risk reduction, even in the absence of good data about frequency or impact. Also, by understanding the motivations of the loss cases, it becomes much easier to adequately assess likelihood. I say “adequately” because, despite the efforts of people like Chris Walsh, we simply lack good data on the true likelihood or impact of any but the least interesting (i.e. those where the security can be operationalized) attacks.

* These gaps would seem like obvious opportunities for the security products industry to step up, but we continue to see little progress in the secure & usable product space.
** Yes, I sound like the not-hip-but-trying-to-be-hip-guy here, but that’s just life sometimes. I’m used to it.

FAIR now under Creative Commons

Saturday, January 6th, 2007

I would like to join those congratulating and thanking Alex Hutton, Jack Jones, and all the rest of the folks over at RiskAnalys.is for releasing their FAIR framework under the Creative Commons license.

One of the concerns I’ve heard people raise about FAIR was its status as Intellectual Property. By removing that concern, I think that they’re doing not only the risk management community but themselves a big favor.

Having seen the bureaucratic absurdity that using proprietary standards *cough*ISO17799*cough* can cause while living under ISO as our security standard (or “ISO Plus” as we referred to our tailored version internally), we had pretty much this exact same conversation every time we signed any sort of outsourcing agreement (and we signed a LOT of them):

Us: “Under the terms of our agreement, you must abide by our security standards document.”

Them: “Great. Just send us a copy so we can see if there’s anything in there we can’t live with.”

Us: “It’s ISO17799, with some tailoring we’ve done in-house.”

Them: “Great. Just send us a copy and we’ll review it ASAP.”

Us: “We can’t.”

Them: ???

Us: “We can’t. You need to buy a license to it from ISO.”

Them: “OK…”

Us: “Let us know when you’ve got a license and we’ll send a copy right over.”

Them: “But we need to get this contract signed this week.”

Us: “Then just trust us…”

For real.

Traffic risk, SUV style

Friday, January 5th, 2007

At the risk (pardon the pun) of transforming myself from an Information and IT Risk Blog into a Traffic Risk Blog, I’m bringing you this bit of research about SUV drivers’ risk perception. I’ve mentioned risk homeostasis before (in, of course, another traffic-related post).

They found that SUV drivers were 55 per cent more likely to drive with only one hand on the top half of the wheel than drivers of regular cars (Transportation Research F, DOI: 10.1016/j.trf.2006.10.001). “Being in larger, taller vehicles, SUV drivers believe they are safer and possess a lower level of perceived risk than car drivers,” says Thomas.

Steve Dethick of DriveTech, a driver training school in Crowthorne, UK, believes that an SUV’s size is the main problem. “It lulls drivers into a false sense of security that they will survive an impact,” he says.

I dug around on the NHTSA Web site and found a presentation about a study which sought to answer the question, “Why does the data indicate that SUVs are not safer than passenger cars?”

The initial instinct might be to say it’s because any inherent risk reduction related to the size of the SUV is offset by its increased likelihood to roll over combined with increased risk homeostasis on the part of the driver, but I think there’s more to it than that.

I think that it’s a combination of self-selecting populations: people who are confident in their driving ability and whose accident risk strategy is avoidance (which may or may not be true, but work with me here–see my next point), or who enjoy the act of driving, tend, if given a choice, to drive a sports car or sport sedan that plays to that interest. People drive SUVs either because they’re hauling people (aka “distractions”) and things around, or because their accident risk strategy is impact mitigation (a bad assumption, as the NHTSA study demonstrates).

Regardless of the real underlying reason, this is yet another example of bad inputs to people’s subconscious risk management strategies producing poor decisions. When managing risk, the quality of the data we base our decisions on can have dramatic impacts.

Trunking right along

Thursday, January 4th, 2007

California has now outlawed “trunking,” the act of voluntarily riding in the trunk of a car.

And why does he do it? Well, ironically perhaps, it’s to try to get around another law, passed almost a decade ago, that was designed to make driving and riding in cars less deadly for teenagers.

Since 1998, new California drivers under age 18 generally have been barred from having other teens in the car with them while they drive; currently that restriction extends for their first full year of driving. The idea was that this would protect new teen drivers from the inevitable goofing and goading of their pals, and would protect their pals from riding as passengers in cars driven by inexperienced drivers.

And the results of the new rules have been dramatic. In the first two years, fatal and injury collisions caused by 16-year-old drivers dropped 24 percent, and teen passenger deaths and injuries in crashes caused by 16-year-old drivers declined by 40 percent.

But of course, some teenagers simply can’t do the math. So if they want to ride in a car with a buddy who isn’t yet allowed to have teenage passengers in the car – say, for example, if they are the 16-year-old boyfriend of a La Habra girl named Jennifer who wants to cruise for pizza in his 16-year-old best friend’s Toyota – they simply stash themselves in the trunk where the cops can’t see them. And off they go.

When I was still in my young-and-stupid phase, I’m sure we would have reacted similarly to the 1998 law (as opposed to my current old-and-stupid phase, in which I do things like buy a boat).

It’s not that teenagers can’t do the math, it’s that the law banning passengers of under-18 drivers is, in their eyes, damage to their social lives which they must route around. Trunking is an acceptable risk in their eyes, and despite the columnist’s outrage, they’re probably right:

“the California Highway Patrol reports that since 2000 there have been 140 injuries and nine fatalities involving people riding in “unauthorized” places in vehicles, trunks included.”

That’s only about 1.5 deaths and 22 injuries per year. Most teens probably think they’re accepting more risk than that just going to school every day.

Apocalypse Now

Thursday, January 4th, 2007

How often do we think about the End of the World? I’m not talking about the R.E.M. song, but rather Existential Risks.

For example, while it’s now a few years old (published 2001), I’ve never seen Nick Bostrom’s paper on existential risks before. The abstract states

Because of accelerating technological progress, humankind may be rapidly approaching a critical phase in its career. In addition to well-known threats such as nuclear holocaust, the prospects of radically transforming technologies like nanotech systems and machine intelligence present us with unprecedented opportunities and risks. Our future, and whether we will have a future at all, may well be determined by how we deal with these challenges. In the case of radically transforming technologies, a better understanding of the transition dynamics from a human to a “posthuman” society is needed. Of particular importance is to know where the pitfalls are: the ways in which things could go terminally wrong. While we have had long exposure to various personal, local, and endurable global hazards, this paper analyzes a recently emerging category: that of existential risks. These are threats that could cause our extinction or destroy the potential of Earth-originating intelligent life. Some of these threats are relatively well known while others, including some of the gravest, have gone almost unrecognized. Existential risks have a cluster of features that make ordinary risk management ineffective. A final section of this paper discusses several ethical and policy implications. A clearer understanding of the threat picture will enable us to formulate better strategies.

He raises some interesting points which can be reasonably extrapolated onto different populations, such as corporate entities. What are the events that could cause your enterprise to cease to exist? How likely are they to occur, and what, if anything, can or should you be doing to mitigate them?

Section 9 is probably the most interesting section of the paper to me–it looks at the challenges related to comprehension, spreading awareness, and actually attempting to manage risks which are often beyond our individual control.

Of course, if that wasn’t enough to cost me sleep, I’ve also got a list of 20 ways the world could end, half natural and half man-made waiting for my attention.

Happy Birthday, Cubicle!

Wednesday, January 3rd, 2007

I realized the other day that Not Bad for a Cubicle turned two in December. As my family can testify, acknowledging birthdays on time is not one of my stronger points, so I’m about two weeks late on this birthday wish to myself.

A lot has changed since I first started bashing random thoughts into Wordpress and wondering if anyone but I would care. In March 2005, John Quarterman and I were pretty much the only bloggers out there talking about Risk in the non-boardgame sense of the word, at least according to Technorati, and we apparently only had 33 posts on the subject between us.

Today, Technorati found a total of 47,001 posts about “risk management,” with more being added at a pace of over 100 per day. A lot of them are spam, but a lot of them aren’t.

So what’s changed? Has awareness of risk really grown that much over the past two years? I doubt it. From what I can tell, people are still making bad risk decisions at about the same rate as they ever have. Sure, work is being done to improve our ability to describe risk accurately enough to make good business decisions about it, but we’re still years away from achieving even a reasonable facsimile of that goal.

In general, I think that more people are writing about risk management across different disciplines. Within the security world, in particular, FUD isn’t selling like it once did, so the spending and effort needs to be more firmly grounded in reality than in the past. In the same way that the exotic inevitably becomes mundane over time, much of what used to be “Information Security” is now just plain “Information Technology.” Throw in the commoditization of IT in general and it now takes more than just “Everybody is doing it!” or the specter of ueber-hackers to get a security budget approved.

This year, I’ve heard that I’ll be spending a lot of time doing business case development for security spending proposals. I’m looking forward to this for a number of reasons. First, it will give me a chance to put my money where my mouth is with regards to the potential benefit of risk assessment. Second, I’m hoping it will give me a chance to see first-hand how the non-IT executives react to Information Risk Management concepts. Third, I’m hoping that it will give me good material for this space going forward (assuming I don’t have to self-censor the posts out of existence).

I’ll continue to produce the rants (er, essays) on IT and Risk Management that you’ve come to know and expect, and hopefully you’ll continue to stop by. Thanks to everyone who has read, linked, and commented over the past two years. It’s been a lot of fun and it’s not over yet.

HD-DVD Wargames

Tuesday, January 2nd, 2007

The latest salvo in the war between the Content/DRM companies and their customers comes from an anonymous hacker (in the true out-of-the-box experimenter meaning of the word) who has written a tool to back up (copy) HD DVDs.

muselix64 wrote:

I was not aware of anyone having done that, so I did. BackupHDDVD is a tool to decrypt an AACS-protected movie that you own, so you can play it back later using HD DVD player software.

This is the first version, and it’s not very stable yet.

This software doesn’t provide any cryptographic keys, so you have to add your own keys.

AACS is based on AES-128, which is where things get interesting. A published and reviewed cryptographic algorithm is more likely to withstand attacks on the math, but what that really does is change where the attacker focuses his effort.

The attack tree for DRM is so obviously un-winnable for the defender that I wonder why the “content” industries keep betting their business on prevention/mitigation rather than exploring alternative revenue models. Are they completely clueless or really so myopic that they can’t see the futility of their efforts? Or is it because snake oil salesmen with magic bullets keep jetting in from the land of mixed metaphors to tell them it can be made all better for a suitable pile of cash (consultants) or a slice of the revenue/transaction pie (Microsoft)?
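To make the two preceding paragraphs concrete, here is an added example (not code from the original post, and not AACS’s actual design): a small attack-tree evaluator over a constructed OR/AND tree for “get the plaintext of a disc I bought.” The tree shape and every leaf cost are made-up “attacker effort” figures chosen to illustrate the argument, and the functions `cheapest`, `with_cost` and `drm_tree` are this example’s own names.

```python
"""Attack-tree evaluation over a constructed DRM tree.

Added example, not from the original post or from AACS: the tree shape and the
leaf costs are made up to illustrate the argument, and cost is a single
dimensionless 'attacker effort' figure."""
from dataclasses import dataclass, field
from typing import List, Tuple

INF = float("inf")


@dataclass
class Node:
    name: str
    kind: str = "leaf"          # "leaf", "or" (any child suffices) or "and" (all children needed)
    cost: float = 0.0           # attacker effort for a leaf (constructed figures)
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Minimum effort to achieve `node`, plus the leaves on that path.
    OR nodes take their cheapest child; AND nodes pay for every child."""
    if node.kind == "leaf":
        return node.cost, [node.name]
    sub = [cheapest(c) for c in node.children]
    if node.kind == "or":
        return min(sub, key=lambda r: r[0])
    if node.kind == "and":
        return sum(r[0] for r in sub), [leaf for r in sub for leaf in r[1]]
    raise ValueError(f"unknown node kind {node.kind!r}")


def with_cost(node: Node, leaf_name: str, new_cost: float) -> Node:
    """Copy of the tree with one leaf re-priced: the defender's only lever."""
    if node.kind == "leaf":
        return Node(node.name, "leaf", new_cost if node.name == leaf_name else node.cost)
    return Node(node.name, node.kind, children=[with_cost(c, leaf_name, new_cost) for c in node.children])


def drm_tree() -> Node:
    """Root goal: get the plaintext of a disc the attacker legitimately bought."""
    return Node("Get plaintext of a purchased disc", "or", children=[
        # Attacking the math: 2**128 trial decryptions for an unknown AES-128 key.
        Node("Brute-force the AES-128 key", cost=2.0 ** 128),
        # Attacking the player: every step is cheap because the player must hold the key.
        Node("Pull the key out of a player you own", "and", children=[
            Node("Run a licensed software player", cost=10),
            Node("Dump the player's memory while it plays", cost=40),
            Node("Find the key among the dumped bytes", cost=50),
        ]),
        # Attacking the output: re-record after decryption (the analog hole).
        Node("Re-record the decoded output", "and", children=[
            Node("Capture hardware", cost=300),
            Node("Real-time re-encode", cost=200),
        ]),
        # Once someone else has done any of the above, the content is simply available.
        Node("Download a copy someone else freed", cost=1),
    ])


def main() -> None:
    tree = drm_tree()
    print("as shipped:", cheapest(tree))
    first = with_cost(tree, "Download a copy someone else freed", INF)        # be the first to break it
    print("first breaker:", cheapest(first))
    stronger = with_cost(first, "Brute-force the AES-128 key", 2.0 ** 256)    # 'upgrade' the cipher
    print("with AES-256-sized key:", cheapest(stronger))
    harder = with_cost(stronger, "Find the key among the dumped bytes", 1e6)  # obfuscate the player
    print("with obfuscated player:", cheapest(harder))


if __name__ == "__main__":
    main()
```

Run it and the root’s cost never moves when the cipher leaf is re-priced, because that leaf is not on the cheapest path; re-pricing the “find the key” leaf only pushes the attacker to the next-cheapest branch. That is the whole point of the paragraph above: with a reviewed cipher, the defender’s changes are confined to leaves the attacker was never going to use.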

Meanwhile, back here in reality, the impossibility of the task at hand is deftly illustrated by the mere existence of the Information Security industry–companies spend billions of dollars every year trying to control information (or “content” as the movie industry would have us call it) and, to be quite honest, generally failing.

Why?

  1. Too many moving parts: There is simply too much hardware, firmware, and software involved in any digital media chain to have any confidence that it will be secure.
  2. It’s just math: As the current method demonstrates, the DRM in HD-DVD is based on the assumption that the consumer can’t get their hands on the encryption key. This is patently absurd, since the consumer must, by definition, have the key.
  3. Reproducibility: Once a work has been “freed,” it is essentially impossible to put the genie back in the bottle–anyone who cares to look can find pretty much any content they’re looking for somewhere on-line. As has been noted elsewhere, the only thing holding back HD-DVD piracy at this point is lack of bandwidth.
  4. Human Nature: Anyone who has a child knows that the best way to get them to do something is to tell them not to (up to a point–even at a young age children can tell when you’re trying to trick them). By throwing down the gauntlet of content control, the content industry challenges enough highly technical people that
  5. Missing the Target: Real piracy is not performed by kids on the Internet. It’s performed by professional criminals who are making counterfeit copies of the original media, sometimes with hilariously mangled packaging. Targeting casual consumers may serve to dry up markets and kill fair-use sharing of content, but I’ll bet that the next time I’m in Beijing, I’ll be able to buy HD-DVDs on the street for a dollar just like I can get regular DVDs today.
  6. Reproducibility, again: Once a tool has been built to free content, it can also be freely distributed. The second bottleneck to widespread sharing, the labor involved in converting discs to shareable files, is freely provided by the consumers.
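Points 2 and 6 above (“the consumer must have the key” and “the tool can be freely distributed”) can be shown in a few dozen lines. The following is an added example, not code from the original post and not AACS: a toy player that decrypts a title with a key it holds in memory, and an attacker routine that recovers that key from a memory dump using one known plaintext block. The cipher is a stand-in (a SHA-256 keystream in place of AES-CTR, because the Python standard library has no AES), and the header constant, title key and “memory dump” are all constructed for the example; `ToyPlayer`, `crypt`, `recover_key` and `demo` are this example’s own names.

```python
"""Key recovery from a player's memory with one known plaintext block.

Added example, not from the original post or from AACS. It models the structural
point only: a stand-in cipher (SHA-256-based keystream instead of AES-CTR, since
the standard library has no AES), a constructed 16-byte format header, a
constructed title key and a constructed 'memory dump' of the player."""
import hashlib
import hmac
import os
from typing import Optional

KEY_LEN = 16
BLOCK = 16
# Constructed: every title starts with this header, giving the attacker a known plaintext block.
KNOWN_HEADER = b"TOYVIDEO-HDR-v01"


def keystream_block(key: bytes, counter: int) -> bytes:
    """Stand-in for one AES-CTR keystream block: a keyed hash of the block counter."""
    return hmac.new(key, counter.to_bytes(16, "big"), hashlib.sha256).digest()[:BLOCK]


def crypt(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = keystream_block(key, i // BLOCK)
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)


class ToyPlayer:
    """The licensed player. To play at all it must hold the title key, so the key is in its memory."""

    def __init__(self, title_key: bytes) -> None:
        self._title_key = title_key

    def play(self, ciphertext: bytes) -> bytes:
        return crypt(self._title_key, ciphertext)

    def memory_image(self) -> bytes:
        # Constructed stand-in for a process memory dump: other data, the key, more other data.
        return os.urandom(300) + self._title_key + os.urandom(500)


def recover_key(memory: bytes, ciphertext: bytes) -> Optional[bytes]:
    """Slide a KEY_LEN window over the dump; a window is the key if it turns the
    first ciphertext block into the known header. Cost: one trial per byte of dump."""
    first_block = ciphertext[:BLOCK]
    for offset in range(len(memory) - KEY_LEN + 1):
        candidate = memory[offset:offset + KEY_LEN]
        if crypt(candidate, first_block) == KNOWN_HEADER:
            return candidate
    return None


def demo() -> bool:
    """Author a title, play it with the toy player, then recover the key from the player's memory."""
    title_key = os.urandom(KEY_LEN)                      # constructed title key
    plaintext = KNOWN_HEADER + b"<frame data>" * 64      # constructed title body
    disc = crypt(title_key, plaintext)                   # what ships on the "disc"
    player = ToyPlayer(title_key)
    assert player.play(disc) == plaintext                # the legitimate path works
    found = recover_key(player.memory_image(), disc)     # the attacker's path also works
    return found == title_key


if __name__ == "__main__":
    print("key recovered from player memory:", demo())
```

Nothing about the scan depends on the cipher being weak; it depends only on the key being somewhere the player can read it, and on the attacker knowing any one plaintext block to test candidates against. Renewing keys or hiding them better changes the cost of the scan, not whether it is possible, and once one person’s scan succeeds it is the scanning tool, not merely the key, that gets passed around.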

To quote my friend Bob, “Data leaks into every corner of every little place we keep electrons,” and people want to do things with their electrons. People buy (regardless of what the content “owners” would have us believe) movies and music and they expect to be able to leak those electrons wherever and however makes the most sense to them. From that perspective, deliberately breaking functionality means that the product is defective and consumers, being not entirely irrational, aren’t willing to pay for what they perceive to be a broken product (unless they have a way to “fix” it).

Thus, as the Inquirer has now branded it, the best option for consumers is, “Piracy, the better choice(TM)”:

THE NEXT GENERATION disk format has been settled once and for all. Thanks to the due diligence, hard work and unprecedented cooperation between the media companies, the hardware vendors and the OS vendor, we finally have a solution. It is quite easy, Piracy, the better choice(TM).