Thursday, August 09, 2007

Reviews on Managing Cybersecurity Resources and Security Metrics Posted

Thanks to my travel to USENIX Security this week I managed to read two great non-technical security books. Amazon just posted my four-star review of Managing Cybersecurity Resources. From the review:

Managing Cybersecurity Resources (MCR) is an excellent book. I devoured it in one sitting on a weather-extended flight from Washington-Dulles to Boston. MCR teaches security professionals how to think properly about making security resource allocation decisions by properly defining terms, concepts, and models. The only problem I have with MCR is the reason I subtracted one star: its recommended strategy, cost-benefit analysis, relies upon estimated probabilities of loss and cost savings that are unavailable to practically every security manager. Without these figures, constructing cost-benefit equations as recommended by MCR is impossible in practice. Nevertheless, I still strongly recommend reading this unique and powerful book.

I heavily cite passages in Managing Cybersecurity Resources because the book makes a lot of good points. I call this more of a "book report" instead of a "review" because I recorded thoughts that I want to carry into future debates. The book has plenty to say on "security ROI" (hint: it's cost savings / loss avoidance, just like I said earlier).

They also posted my five-star review of Security Metrics. From the review:

I read Security Metrics right after finishing Managing Cybersecurity Resources, a book by economists arguing that security decisions should be made using cost-benefit analysis. On the face of it, cost-benefit analysis makes perfect sense, especially given the authors' analysis. However, Security Metrics author Andy Jaquith quickly demolishes that approach (confirming the problem I had with the MCR plan). While attacking the implementation (but not the idea) of Annual Loss Expectancy for security events, Jaquith writes on p 33 "[P]ractitioners of ALE suffer from a near-complete inability to reliably estimate probabilities [of occurrence] or losses." Bingo, game over for ALE and cost-benefit analysis. It turns out the reason security managers "herd" (as mentioned in MCR) is that they have no clue what else to do; they seek safety in numbers by emulating peers and then claim that as a defense when they are breached.
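To make the two passages above concrete, here is an added example (my own code, not from either book or from the original post) of the cost-benefit calculation MCR recommends, followed by the sensitivity check that shows why Jaquith's objection bites. It computes the net benefit of one control under ALE, then re-runs the same calculation over the range of probabilities and losses a manager could honestly defend. The class and function names (`Exposure`, `net_benefit_interval`, `breakeven_aro`) and every dollar figure and rate are constructed for illustration.

```python
"""Added example: ALE-style cost-benefit analysis for one security control,
plus an interval sensitivity check on the inputs the decision depends on.
All figures are constructed for illustration."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Exposure:
    aro: float  # annualized rate of occurrence, incidents per year
    sle: float  # single loss expectancy, dollars per incident


def ale(e: Exposure) -> float:
    """Annual Loss Expectancy = ARO x SLE."""
    return e.aro * e.sle


def net_benefit(before: Exposure, after: Exposure, annual_cost: float) -> float:
    """MCR-style 'return': loss avoided by the control, minus what the control
    costs per year. Positive means the control pays for itself."""
    return ale(before) - ale(after) - annual_cost


def breakeven_aro(sle: float, reduction: float, annual_cost: float) -> float:
    """The ARO at which the control exactly pays for itself. If the plausible
    ARO range straddles this value, the point estimate is doing all the work."""
    return annual_cost / (reduction * sle)


def net_benefit_interval(aro_range, sle_range, reduction, annual_cost):
    """Net benefit is linear in ARO and SLE, so its extremes over a box of
    plausible inputs occur at the corners; evaluate those corners and
    return (lowest, highest) net benefit."""
    corners = []
    for aro, sle in product(aro_range, sle_range):
        before = Exposure(aro, sle)
        after = Exposure(aro * (1.0 - reduction), sle)
        corners.append(net_benefit(before, after, annual_cost))
    return min(corners), max(corners)


def decision_is_robust(lo: float, hi: float) -> bool:
    """True only when every plausible input combination agrees on the sign."""
    return lo > 0.0 or hi < 0.0


if __name__ == "__main__":
    # Constructed inputs: a control that cuts the incident rate by 60% and
    # costs $40k/year. The analyst's point estimate is 0.2 incidents/year at
    # $200k each, but honest bounds are 0.05-0.5/year and $100k-$400k.
    point = Exposure(aro=0.2, sle=200_000.0)
    reduction, cost = 0.6, 40_000.0
    after = Exposure(point.aro * (1.0 - reduction), point.sle)
    print(f"ALE before: {ale(point):,.0f}  after: {ale(after):,.0f}")
    print(f"net benefit at point estimate: {net_benefit(point, after, cost):,.0f}")
    print(f"break-even ARO: {breakeven_aro(point.sle, reduction, cost):.3f}/year")
    lo, hi = net_benefit_interval((0.05, 0.5), (100_000.0, 400_000.0), reduction, cost)
    print(f"net benefit over plausible inputs: {lo:,.0f} to {hi:,.0f}")
    print("decision robust to input uncertainty:", decision_is_robust(lo, hi))
```

With the constructed numbers the point estimate says "do not buy" (net benefit of about -16k), yet the interval runs from roughly -37k to +80k, so the sign of the answer is set entirely by which probability the analyst happened to type in. The break-even ARO (about one incident every three years here) is the one number a manager can sometimes defend without a probability estimate: the question becomes whether the incident is plausibly more frequent than that, which is a weaker claim than a point estimate of ARO.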

Speaking of USENIX, I managed to speak with my number one wise man, Marcus Ranum. He called my Black Hat posts "too optimistic." Heh. I also managed to speak with my number two wise man, Dan Geer. He was kind enough to sign my copy of Security Metrics (along with author Andy Jaquith and Mike Rothman, who lent us his Sharpie. Nice to meet you, Mike!)


Anonymous said...

"The book has plenty to say on 'security ROI' (hint: it's cost savings / loss avoidance, just like I said earlier)."


I don’t think anyone was disagreeing with you that security is primarily about cost savings/loss avoidance (I certainly wasn’t). The disagreement was about whether it is correct to say that security can produce returns. Gordon and Loeb repeatedly make it clear that security can produce returns in the form of cost savings, just as you wrote in your Amazon review:

"In a similar fashion, MCR explains what a 'return' is for security on p 21..."

And just as Gordon himself said when he wrote:

"Accordingly, those who argue that you can compute an ROI for information security investments are technically correct."

And is reiterated by the fact that Gordon and Loeb repeatedly refer to security as an investment, which by definition is something that has the potential to produce returns.

How do we reconcile the above position with what you wrote previously:

"The key principle to understand is that wealth preservation (saving) is not the same as wealth creation (return)."

And what Anton wrote:

The phrase "return in the form of savings," that I saw on some blog, caused my "in-house economist" to utter a completely unprintable word and then follow up with: "what an idiot! it is either return or savings!"

I don’t see how what you said earlier about return and what Gordon and Loeb are saying is consistent.

But, frankly, rehashing that debate doesn’t matter. What does matter is that information security professionals can discuss cost/benefit analysis in a correct and credible way. I think nearly everyone involved in the discussion can agree:

-Security is primarily about adding value by cutting the costs associated with security incidents.
-ROI is not a good measure of the value of security.
-We need to use financially credible models, like the Gordon-Loeb model.
-We need to focus on the bigger problem, which is finding reliable input for our financial models.

-Ryan Heffernan

Anonymous said...

I disagree with Ryan. Security is not about adding value. It's about wishing it could add value and desperately searching around for a leg to stand that case on.

Security is an expense. It always has been and always will be (especially now with legislation effectively making security a cost of compliance).

I totally understand (and sympathize) with the wish to argue that we're an "enabling technology" and a "business driver" and all that -- it sure would be nice -- but, c'mon: get real.

mjr./Marcus Ranum
