A Dike and Three Dutch Boys...is this enough?
...Applying a triad methodology for risk management.
Similar to the Dutch boys and their dike, securing the barrier between your IT infrastructure and the rest of the world, rely primarily on:
- Plugging the known holes.
- Posturing to plug holes based on historical data and not overreacting to an acute event.
- Making educated guesses where to reinforce the infrastructure to minimize potential risk.
Risk awareness and risk analysis has become a central force in all aspects of information assurance and IT security yet our current treatment of risk continues to be ad hoc and reactive rather than rigorously considered.
There are three profound issues that we must resolve if we are to sustain a meaningful, credible and constructive campaign for better risk management. First, we have to drop the absurd notion of rational economic decision makers minimizing risk. Thinking Fast and Slow is the most contemporary catalog of modern psychology that proves that people do not behave the way economic models suggest they would or should.
Second, we have to think about data in a vast macro framework and stop letting limited samples and short time horizons set out thinking. Really, ask yourself how many 100-year cycles have been recorded for the river nearest you? If we’re trying to statistically study cycles of up to 100 years, each 100 years is a single observation from which no meaningful statistical inferences should be drawn.
Third, risk is about potential losses. While we look at rare events with big losses as serious threats, the trillions of dollars lost annually are more likely to go to fraud than any other single addressable source. So, it seems that as security professionals and as risk managers we might want to spend more time and energy understanding the what, where, when and why of fraud.
According to Thompson Reuters the U.S. health care system alone wastes between $505 billion and $850 billion every year. That’s just the tip of a complex range of crimes that have changed and evolved with the advent of new tools and technologies.
Sticking with the theme of threes – here are three profound changes technology has made to the nature of fraud:
- Today’s technology greatly expands reach. Bad guys from across the globe can initiate fraud attacks from afar exposing us all to threats that used to be constrained by limiting physical access. The remote corporate campus isn’t remote anymore.
- Attacks can be scaled using technology. A recent Medicare fraud network was generating thousands of false claims aided by online claims entries. Another great example was the global synchronized attack on ATMs where the compromised cards were used at hundreds of machines across continents so even as the bank’s control systems quickly responded it wasn’t fast enough or coordinated enough.
- Technology blurs the line between insider and outsider as modern attacks often target the credentials of insiders giving outsiders the advantage of an insider as they organize and mount their exploits.
So, to complete the triads, we have three sets of threes. Our last trio to be examined should therefore be - what we should be doing about fraud:
- Treat fraud as a central and integral component of your risk management. It’s far more damaging than most cyber-security professionals think.
- When you start talking about fraud you’ll find a whole new professional community to interact with – fraud examiners and/or auditors, law enforcement, etc.
- Engage your fraud folks. Check out the professional associations. Read and track fraud in your industry.
Finally, add it to your existing triad – it’s too limiting to keep talking about confidentiality, integrity and availability. While these are good abstractions, when we get into risk management we think about the source or the treat agent. What can we learn about their motives and intentions to understand their likely behavior.
Looking at fraud is a great 4th dimension to consider.
- KWK