
Manage risk like a fighter pilot

Operational risk management strategies use a four-step process similar to the Observe, Orient, Decide and Act (OODA) loop invented by the late John Boyd.

Information security uses data collection, threat analysis, security countermeasure planning and implementation, and security monitoring. In the areas of fraud and anti-money laundering the steps are detection, tracing, quantification and fraud prevention. Military strategy uses the OODA loop: observation, orientation, decision, action.

"The OODA construct was originally a theory of achieving success in air-to-air combat, developed out of Boyd's Energy-Maneuverability theory and his observations on air combat between MiGs and F-86s in Korea. Harry Hillaker (chief designer of the F-16) said of the OODA theory, 'Time is the dominant parameter. The pilot who goes through the OODA cycle in the shortest time prevails because his opponent responds to actions that have already changed.'" (John Boyd, military strategist)

Time is the dominant parameter

The ability to quickly generate many different security countermeasure options, together with the ability to rapidly implement and shift them, enables an organization to create a mismatch between attacker tactics and the organization's vulnerabilities. Instead of the organization fighting yesterday's battles with a firewall, the attacker will find himself fighting yesterday's battles with spyware.

When organizations use a checklist/compliance strategy, attackers can read the compliance standard (for example, PCI DSS 1.1 for payment card security) and attack the controls in the standard that are known to be weak, or simply attack between the cracks where the standard has waffled (for example, software application security and data leakage prevention).

However, my impression from many clients and from the security and compliance analysts who work with our risk assessment tool, PTA (Practical Threat Analysis), is that they perform the first two steps of a risk assessment and then stop. They collect data about vulnerable systems and analyze the risk profile ("orientation") in a risk assessment, but stop short of implementing effective security controls.

The Decision and Action steps are often postponed because management is unwilling to take a security leadership position (out of concern that security technology or new procedures will interfere with operations) and because of vendor conflicts of interest with the risk assessment findings.

It is clear that the root cause of the increasing spiral of security breaches is that the attacker community moves much faster than business today.

Whether the attackers are under-30 employees who are far more hip to the latest mobile and Internet technologies than the IT department, or hackers who exploit Windows Vista vulnerabilities, I just don't see how a business can use traditional enterprise software implementation cycles of 12-24 months to manage its enterprise risk.

About

This page contains a single entry from the blog posted on May 14, 2008 1:16 PM.
