Prospect Theory

Posted Sep 26, 2014 23:41 UTC (Fri) by dlang (guest, #313)
In reply to: Prospect Theory by raven667
Parent article: Schneier on incident response

The problem with this approach is in trying to quantify the risk. There are a lot of things that can happen, and which are more likely than others varies over time (what gets publicity, what tools the script kiddies have, who is targeting you, etc.).

If you try to evaluate everything on a scale of 1-5, you end up with a lot of low-risk items being considered equivalent.

It's a good idea in theory, but in practice it doesn't help much.


to post comments

Prospect Theory

Posted Sep 27, 2014 2:04 UTC (Sat) by raven667 (subscriber, #5198) [Link] (5 responses)

In practice you have a limited budget of time and money so being able to prioritize your security spending based on risk is of value, especially in a large organization where the person approving the expenditure of resources is not likely to have any real understanding of what they are approving.

Prospect Theory

Posted Sep 27, 2014 2:17 UTC (Sat) by dlang (guest, #313) [Link] (4 responses)

I absolutely agree with you on the need to prioritize spending.

I'm just saying that evaluating the risk on a scale of 1-5 really doesn't help much. There are too many possible problems and the probability that they will be exploited and the result of that exploit are not known well enough to reduce it to a simple number.

You can reduce it to a number, but in doing so, the person producing the number is really the one making the decision. If they decide that it was a high risk the "decision maker" will approve it, if they decide it's a low risk the "decision maker" will not approve it.

So this approach is great for justifying things, but poor for actually deciding things.

Prospect Theory

Posted Sep 27, 2014 2:55 UTC (Sat) by raven667 (subscriber, #5198) [Link] (3 responses)

But you aren't setting the score for the risk, that's the product; you are scoring on likelihood, which is maybe the most subjective, and impact, which is easier to quantify. You are right in that the person assessing the likelihood could just make stuff up and corrupt the process, but the impact is something that should have more collaboration with the business people and can be much more quantitative. If you evaluate honestly, and don't just try to screw the finance department into buying you the new shiny security toy, then you might find some benefit; otherwise GIGO.

This isn't about correctly guessing that next week someone is going to find a critical bug in bash that turns your world upside down. Even with HIPAA you aren't held to that kind of standard; reasonable and prudent measures, which are highly subjective, are the standard. This is about constraining your problem space in a general way so that you aren't spastically trying to fix all the possible problems, wasting weeks and months of effort on minutiae that don't matter, driving yourself insane with stress while doing it.

Even after all your effort, someone might still break into your stuff, that's just the risk you take being on the Internet.

Prospect Theory

Posted Sep 27, 2014 4:35 UTC (Sat) by dlang (guest, #313) [Link] (2 responses)

The problem is that for a very large percentage of issues, the likelihood is what determines the risk.

The impact of the risk can always end up being "your systems are 0wned" (see the recent example of a 1-byte overflow that Google programmers used to get total control of a system).

So everything boils down to guessing right on the likelihood of the risk to generate the resulting risk.

Or, if you are trying to guess the impact of an unknown exploit, you now have two randomly picked numbers that you are multiplying together to evaluate the risk.

It's not that hard to look at several items and rank them in what you think is the order of likelihood and impact; where you fail is when you try to quantify that issue A is 4x as likely as issue B.

Prospect Theory

Posted Sep 27, 2014 17:44 UTC (Sat) by raven667 (subscriber, #5198) [Link] (1 responses)

As I said before, the likelihood is the most subjective number, but you aren't held to the impossible standard of accurately predicting the future, only that you make a reasonable effort, so you aren't expected to predict Shellshock, and that kind of likelihood would probably rank low. What's the likelihood of a laptop getting stolen, or an unforeseen 0-day, or a bug in your internal web app (which depends on what kind of security practices your developers engage in)?

Having your systems get owned is part of the impact but it isn't the whole impact in itself, what's more important is what happens if a particular system gets owned, does the application have access to personally identifiable information, what's the cost if that gets exposed. There is a difference between spending time to do incident response, wipe and reinstall (low impact) and business-ending legal action (severe impact).

These values may be subjective but they aren't random, you set up guidelines on how you score based on what is important to your organization. The scores can also help focus effort and let you know what good enough is so you can stop trying to be perfect and move on to the next need.

Prospect Theory

Posted Oct 5, 2014 18:55 UTC (Sun) by Wol (subscriber, #4433) [Link]

When I first saw this, saying to score the risk, and the impact, on scores of 1-5, it was pointed out that for high risk/high impact threat, it had the same effect whether you reduced the risk, or the impact. My immediate reaction was that you would get a far better crude approximation by multiplying the risk by the impact squared.

After all, doesn't it stand to reason :-) that reducing the *impact* of a breach is a far better (and more easily quantifiable) use of scarce resources than trying to reduce the risk of a breach.

Cheers,
Wol
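A small worked comparison of the two scorings discussed in this thread (likelihood x impact versus Wol's likelihood x impact squared), added here as an illustration and not part of any comment. The risk register entries and their 1-5 scores are constructed for the example, not taken from any real assessment:

```python
# Constructed risk register (hypothetical entries): (name, likelihood 1-5, impact 1-5)
RISKS = [
    ("stolen laptop", 4, 3),
    ("unpatched internal web app", 3, 4),
    ("0-day in exposed service", 2, 5),
    ("phishing of helpdesk staff", 4, 2),
    ("lost backup tape", 1, 5),
    ("defaced marketing site", 3, 2),
]


def score_product(likelihood, impact):
    """The conventional risk score: likelihood times impact."""
    return likelihood * impact


def score_impact_squared(likelihood, impact):
    """Wol's crude alternative: weight impact more heavily by squaring it."""
    return likelihood * impact ** 2


def rank(risks, scorer):
    """Return (name, score) pairs sorted from highest to lowest score."""
    scored = [(name, scorer(lik, imp)) for name, lik, imp in risks]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def tie_groups(ranked):
    """Count distinct scores shared by more than one item (items the scale
    treats as equivalent, dlang's objection to coarse 1-5 scoring)."""
    counts = {}
    for _, score in ranked:
        counts[score] = counts.get(score, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


def reduction_effect(likelihood, impact, scorer):
    """Score drop from lowering likelihood by one step versus lowering impact
    by one step. With a plain product both drops are equal for a 5/5 threat,
    which is Wol's observation; with impact squared, cutting impact wins."""
    base = scorer(likelihood, impact)
    return base - scorer(likelihood - 1, impact), base - scorer(likelihood, impact - 1)


if __name__ == "__main__":
    for name, scorer in (("product", score_product), ("impact^2", score_impact_squared)):
        ranked = rank(RISKS, scorer)
        print(name, ranked, "tied score groups:", tie_groups(ranked))
        print("  5/5 threat, drop from -1 likelihood vs -1 impact:", reduction_effect(5, 5, scorer))
```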


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds