Information security risk: A conversation with Adam Shostack

How has the landscape changed since publication of The New School of Information Security?

The New School of Information Security folks have been pushing for more quantifiable risk management for years.

In early 2008, Adam Shostack and Andrew Stewart released the book The New School of Information Security and launched a blog in support of the book and its message.

I wondered about how Shostack perceives the state of IT risk management now, and whether he thinks progress is being made. Here are the highlights of what he told me:

CSO: What's the premise of New School?

Shostack: The premise is that we need to get more empirical and scientific about how we approach security. Learning more about incidents, rather than hiding them. Understanding that people are a critical part of the equation and we have to study and understand people as well as the technology.

And that there's a movement [toward more empirical security risk management] that we try to give some form to and encapsulate.

How was it received at the time?

I think there were two general things people said. One group really loved the book and picked up on the themes and said 'This is great stuff.'

The other people said 'It's great stuff but it's a pipe dream and it's never going to happen.'

There weren't a lot of people who said "This doesn't make any sense." This science stuff, testing stuff, it works; not a lot of people are going to argue with that approach. But they argued with the practicality.

And what's your perception of the landscape today? Is there a movement toward more data-based, statistically sound risk management? Or just a lot of PR noise?

I do think there's real progress. Some amazing progress. Reports like the Verizon data breach report, like the one WhiteHat Security puts out about the state of security among their customers…. Now the people who went that route, in some cases, went through an inordinate amount of back-and-forth convincing their PR department that this was a good idea, to give away some of their data. But I know that some of this stuff really did take some inspiration from the book.

So we've got more data now, and more desire for data. And the other thing I'm super excited about is that some of the old myths about what happens after a data breach -- that your share price tumbles, that someone always gets fired -- there are still some of those, but I see progress in these ways. More people are recognizing that there are thousands of breaches. So let's [compare the data].

After the Presidential election, Nate Silver emerged in the mainstream consciousness as a champion of data and modeling and a more rigorous approach to forecasting. I liked your recent blog post, where you took the opportunity to ask "Where is the Nate Silver of information security?"

At this point, I think of my role a little bit as a provocateur. We made a set of points in the book. People nodded and said yeah that makes sense, and we're starting to see these proof points -- so my goal now is to get people to start making predictions. And see what happens.

Not with an eye toward being exactly right, yet, but with the goal of refining the predictive models and making them more accurate?

Exactly.

Aside from the book, what other resources would you point security pros to, in order to strengthen their analytical approach?

I've talked already about the data, the studies that are available. So let me plug someone else's book -- Thinking, Fast and Slow, by Daniel Kahneman, who has won the Nobel Prize in economics. It's phenomenal. My copy is chock full of Post-It notes of stuff I want to get back to.

I have it right here in front of me. I said earlier that we have to understand how the decisions people make influence security. So I'm tempted to just pull out one random Post-It, and see if it applies -- here we go:

Okay, he describes an experiment he did [which tested how participants responded to messages that raised the emotional appeal of a new technology.] People who received an explanation of the tech's benefits also regarded that technology as less risky.

So that plays directly into how you think about your security training program. If you are extolling the benefits of a new technology, you are INCIDENTALLY causing people to think it's less risky. So be careful to balance the messaging so they understand the real risks [and how to use the technology correctly].

That's going to be tough to swallow for anyone trying to champion the uptake of a new technology within their organization.

You're absolutely right to say that's tough to swallow, but I would challenge you with the question: Would you prefer to simply succeed in getting your technology out there, or would you prefer to try to find a balance?

My take is, anything dealing with people is harder and more challenging than just the bits and bytes that we love in the security profession. But if you don't [balance your message], the people you are supposed to protect will be more vulnerable to phishing and other forms of attack.

We need more nuanced models for working with people. To protect them better.

Any other great resources on risk management?

Rather than saying 'Go read this, go read that,' I'd encourage people to share some of their data. So they can learn from one another.
