Keeping the organization robust in a highly dynamic threat environment
Our capacity to predict will be confined to . . . general characteristics of the events to be expected and not include the capacity for predicting particular individual events. . . . Yet the danger of which I want to warn is precisely the belief that in order to be accepted as scientific it is necessary to achieve more. This way lies charlatanism and more. I confess that I prefer true but imperfect knowledge . . . to a pretence of exact knowledge that is likely to be false.
FRIEDRICH A. HAYEK
“The Pretence of Knowledge,” Nobel Lecture
Modern information security models usually assume a pre-defined defensive structure of networks, systems, procedures, defenders and attackers – the properties of which are usually specified by vendors (i.e. defining the problem by the solution).
The problem with such models is that, in reducing the organization to a passive executor of the defense rules in its firewalls, they ignore the extreme ways in which attack patterns change over time. Any security policy that is presumed optimal today is likely to be obsolete tomorrow. So – learning about changes is at the heart of day-to-day security management.
I recently started reading “Imperfect Knowledge Economics” – an extremely well written book by Roman Frydman and David Goldberg (Princeton University Press 2007). Our best practice with clients these days is to work with them to make their business more robust to high impact data loss events as opposed to installing silver bullets to prevent events that cannot be predicted. The notion of IKE is very appealing to me for the security space, since both attackers and defenders are working from positions of imperfect understanding (most companies don’t even have the faintest idea of what data is leaking out of their network). So – here goes a first crack at what I would call IKS – imperfect knowledge security (with my apologies and appreciation to Frydman and Goldberg).
The goal of IKS (Imperfect Knowledge Security) is to help develop a more insightful approach to security management. Our approach, IKS, does not seek to explain exactly how attack patterns evolve over time. We reject current security models that relate defensive measures to precise attack patterns that have been pre-specified in security technology developed by a vendor.
IKS constructs models of aggregate outcome (value at risk, security plans, cost of security) by relating them to the behavior of 4 basic threat entities (assets, threats, vulnerabilities and countermeasures). This behavior is represented mathematically using the PTA (practical threat analysis) model. IKS enables the organization to explore ways in which attackers can decide to damage the organization – and formalize the attack scenarios with “qualitative” conditions. By design, IKS models do not predict sharp changes, but they do generate qualitative implications – for example, an uptick in Gmail traffic will be indicative of an organization that is vulnerable to data loss of company documents via Gmail.
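To make the four entities concrete, here is an added sketch (not from the PTA tool or from Frydman and Goldberg) that relates assets, threats, vulnerabilities and countermeasures to value at risk and shows how one observed signal, such as the Gmail uptick, reorders the countermeasure plan. The formulas are simplified assumptions, and every name and number is constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: all names and values are illustrative assumptions.
ASSETS = {"customer_db": 2_000_000, "design_docs": 500_000}  # asset -> value ($)
# vulnerability -> {countermeasure that addresses it: effectiveness 0..1}
VULNS = {
    "unmonitored_webmail": {"dlp_on_egress": 0.8},
    "weak_db_credentials": {"credential_rotation": 0.6, "dlp_on_egress": 0.3},
}
COST = {"dlp_on_egress": 60_000, "credential_rotation": 15_000}

@dataclass
class Threat:
    name: str
    probability: float  # rough yearly likelihood estimate, 0..1
    damage: dict        # asset -> fraction of its value lost
    exploits: list      # vulnerabilities the threat depends on

THREATS = [
    Threat("docs_leak_via_gmail", 0.30, {"design_docs": 0.5}, ["unmonitored_webmail"]),
    Threat("db_exfiltration", 0.10, {"customer_db": 0.4}, ["weak_db_credentials"]),
]

def mitigation(threat, deployed):
    """Best effectiveness among deployed countermeasures covering the threat's vulnerabilities."""
    levels = [eff for v in threat.exploits
              for cm, eff in VULNS[v].items() if cm in deployed]
    return max(levels, default=0.0)

def value_at_risk(threats, deployed=frozenset()):
    total = 0.0
    for t in threats:
        exposure = sum(ASSETS[a] * frac for a, frac in t.damage.items())
        total += t.probability * exposure * (1 - mitigation(t, deployed))
    return total

def rank_countermeasures(threats):
    """Risk reduction per dollar for each countermeasure deployed on its own."""
    base = value_at_risk(threats)
    scores = {cm: (base - value_at_risk(threats, {cm})) / cost
              for cm, cost in COST.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

def apply_observation(threats, name, factor):
    """An observed signal (e.g. a Gmail traffic uptick) raises one threat's likelihood estimate."""
    return [Threat(t.name, min(1.0, t.probability * factor), t.damage, t.exploits)
            if t.name == name else t for t in threats]
```

With the baseline estimates, credential rotation buys the most risk reduction per dollar; after tripling the likelihood of the Gmail leak scenario, egress DLP moves to the top without the model having predicted any individual event.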
Sadly, current information security models based on pre-defined attack behavior have failed miserably to predict and mitigate damage to the organization. The models and the systems they implement are flawed because they disregard a key feature of security attacks – namely that both attackers and defenders have imperfect knowledge in making their decisions.
Recognizing that our knowledge is imperfect is key to solving this problem.