Risk and Security LLC

Risk Assessments, Training and More

This content shows Simple View

Risk Assumptions

Fireworks Ignite After Latest Airline Terrorism Incident

It was a surprise to see the biggest news on Christmas was that a Nigerian terrorist managed to get on a plane coming to Detroit from Amsterdam with some sort of explosive strapped to his leg.

AND – the alleged terrorist was on the NO-FLY LIST. Just think about this for a moment. A recent paper from the Naval Postgraduate School on Homeland Security estimated that the costs of the no-fly list, since 2002, range from approximately $300 million (a conservative estimate) to $966 million! And after spending over $300 million, the terrorist is able to get right on the plane, WITH EXPLOSIVES STRAPPED ON, and fly to the U.S.

Besides being a risk expert, I was mom who didn’t let her boys have toy guns. So imagine my shock at THINKING (to myself) that maybe we should let certain
Cleared passengers fly PACKING.

The passengers on the flight under discussion are the ones who subdued the perp, and I have a feeling that US airlines passengers would all be happy to take over their own security while flying the un-friendly skies.

Despite spending billions on patting down the grannies and business travelers along with 9 year old girls – someone can still board a plane and fly right into the U.S. with
explosives strapped on.

A simple risk formula applied to this entire passenger screening program shows that the entire TSA passenger screening program is too expensive for the results they are getting. The biggest cost waster is the idea that every single air traveler is treated exactly the same way. This is the elephant in TSA’s conference room. Every traveler is NOT the same. The most simplistic metrics show that:

1) Terrorists are more likely to be men.

2) Women over 60 are not likely to blow anything up.

3) Small children and federal employees are unlikely to be
Smuggling in explosive devices.

As the noted expert, Stephen Flynn, pointed in his book, America the Vulnerable, this policy creates huge cost, creates inefficiency and does not stop the dedicated terrorist.

Instead of being run as a gigantic stimulus program for the underemployed, TSA should sharpen it’s focus and began to start a true profiling program. A profiling program doesn’t have to target certain groups or type of individuals, but it should work towards automatically EXCLUDING the large groups of people who are unlikely to be a threat; let them opt for “cleared” status by completing a background check, and if these many individuals were automatically cleared, it would leave the TSA screeners more time to MORE RIGOROUS checks on potentially dangerous individuals, and ENSURE THAT PEOPLE ON THE NO-FLY LIST — DO NOT FLY!

Sounds obvious doesn’t it, but instead, the U.S. budget is being squandered on thousands of unnecessary screens, while the potential targets are not getting the indepth, and in-airport screenings they need to have.

These inane policies are not just indefensible – they are dangerous – and the latest incident just proves the point.



How to get Management On Board with Security Enhancements — or how to avoid cocktail party security decisions.

One of the most aggrevating issues that security people have to deal with is someone who has no security background and knows little about the current technology, who decides what should be funded based on:

1. My wife thinks cameras are an invasion of privacy.
2. My secretary like X instead of Y
3. My friend, Sam, said his company was adding
some new widget.

This applies whether you are doing corporate security or information security and it is basically having your management make an emotional decision, or what I call a “cocktail party decision” about where the security budget should be spent.

Don’t confuse them with the facts. In fact, most of this is from people who do not understand the complexities of security or the interactions of various security solutions with each other.

Last evening, I spent quite a bit of time with a client from Asia, who had a big client who couldn’t decide which solutions they wanted to implement. Should it be A or B; and how to set it up? Regionally? by Business Unit? By Subsidiary? By Sub-subsidiary?

As we discussed it, I realized that the Director in question was really avoiding having to spend any money! It wasn’t about the decision – it was sort of smoke and mirrors to avoid having to admit a lack of funding for security.

In these cases, when your organization may have had the budget trimmed, cut or slashed — it is imperative to be able to use some quantative measurement of the risk to justify the cost of the controls. Whether you have enough budget for one control, or for everything, it must always be prioritized by NEED and by RISK. By Return On Investment. What losses can we prevent or avoid if we add this specific control? How much loss are we preventing? What is our potential exposure if we do nothing?

These are the elements that need to be understood by management in order to get the right controls in place, in the right amounts, at the right time.



Fear of Risk Assessment!

Why are people INTIMIDATED by risk assessments?  Is it because they seem overwhelming with their arrays of lists and categories? (At last count – I categorized over 1.572 million combinations of the 44 asset categories, 58 threat categories, 55 vulnerability categories, 7 loss categories and 160 control categories)!

Part of the trepidation of manager tasked with a risk assessment seems to be that they are anxious about making key assumptions and assigning importance to different areas of the business or agency.  Of course, part of this is political – the risk analyst has the power to build up the importance of one part of an organization and reduce the stature of another – or EVEN AFFECT THEIR BUDGETS!! 

In practice however, it seems like the exercise of doing a risk assessment affords a level of protection which is related to how many other people actually contribute to the risk assessment results.   Using the compliance survey as a participatory measure takes the onus of absolute responsibility away from the manager and distributes it throughout the organization where it belongs.

Besides – how can one person know enough to do the entire risk assessment by their self?  They would have to be everywhere at once – in the morning, late at night, on the weekends, and also be able to channel the work of everyone from the newest tech support person to the director of the data center.   And the inclusion of a variety of individuals adds weight and power to the risk assessment.

While the analysts may be accountable for the report of potential risk, the responsibility for any action that needs to be taken is up at the C level, or with the Board.  In fact, in the FFIEC IT Handbook, they spell out, “The Board is responsible for holding senior management accountable”.  Often we have found that the actual President of a bank or credit union doesn’t always KNOW that he is going to be held responsible – this information is down another level in the organization.

The analyst should not be afraid of making assumptions in the risk assessment; auditors make assumptions all the time.  One could say that the world runs on assumptions.   So making an assumption about how long it would take to replace the personnel or web applications of a specific part of the organization is not too difficult.   Always remember that each component of the risk assessment can be vetted before with relevant management so that senior management does take the responsibility for validating the choices the analyst makes.

Personally, I advocate getting management to sign off, in writing, on the assumptions they accept, in the course of completing the risk assessment – and of course, on the final reports. There’s nothing like a signature on  piece of paper to foster a climate of accountability.

 Caroline R. Hamilton is the Founder of RiskWatch, Inc., the original top-rated risk assessment software.  Hamilton served on the NIST Model-Builder’s Workshop on Risk Management from 1988-1995 and on the National Security Agency’s Network Rating Workshop.  In addition, she was a member of the U.S. Department of Defense’s Defensive Information Warfare Risk Management Model and has worked on a variety of risk assessment and risk management groups, including the ASIS Information Technology Security Council and the IBM Data Governance Council, created by Steven Adler.  Hamilton also received the Maritime Security Council’s Distinguished Service Award and has written for a variety of books and magazines including the CSI Alert, the Computer Security Journal, the ISSA Newsletter, The HIPAA Compliance Handbook, Defense News, Security & Design, Cargo Security and many other publications.  Based in Annapolis, Maryland, Hamilton is a graduate of the University of California.




top