I am slowly updating all the missing photos. I will also restructure the content a little and update it where it is required.
This will take some time and some work.
May 29
In the previous parts of this security series we have looked at what security is, why we do it, and at some psychological factors that affect the way we do it. Significantly, in part 4, I noted that:
… research has shown repeatedly that our own experiences, and the constant exposure to bad news, cause us to become bad at estimating the actual, as opposed to the imagined, probability of threats coming to pass. Instead we focus our attention on, and give greater weight to, the things that we are bombarded with in news and media. Because of this we end up making fear-driven decisions, resulting in a much higher or a much lower level of perceived safety than the circumstances actually warrant …
It is this human predisposition to be driven by feelings of fear and safety, and therefore to misinterpret risks, that has produced numerous risk management frameworks and strategies. Some of these methodologies have become standards, with a set, pre-defined methodology and vocabulary of terms, in order to ensure that the same process and methodology is applied whenever different organisations undertake risk management activities.
In general a risk management framework and its associated process comprise the following actions. A good example of a risk management process is the one given in the AS/NZ standard 4630:2004 Risk Management, which describes the overall process as follows:
1. Communicate and consult – This part of the process is concerned with communication and consultation with the business owners and relevant stakeholders in the asset, organisation, process or system that will be the subject of the risk management process. The communications are used to define the context, obtain the necessary information, and pass back feedback during the risk management process.
2. Set context – This activity is about collecting information about the subject of our risk analysis and setting the boundaries of the particular risk management activity:
3. Identify risks – This activity is about identifying what can happen, in terms of “threats” to the asset, process or system, and the vulnerabilities found in the asset, process or system or in the environment around the subject of our analysis.
4. Analyse risks – Work out, in as objective terms as possible, how likely a set of threats and vulnerabilities is to be realised, what the current controls are (i.e. what we do to stop it from occurring or how we mitigate the consequences), what the consequences are, and the resultant risk level.
5. Evaluate risks – Evaluate the risks and rank them according to the criteria set by the business owner and the stakeholders in the context-setting phase.
6. Treat risks – Risk treatment is generally the expensive part of the risk management process, because deploying new security controls or outsourcing risk costs a lot of money. Because of this, the step is usually done in consultation and negotiation with the business owner and the stakeholders for each affected system, process or asset, and generally takes the form of:
7. Monitor and review – This is an ongoing activity that ensures that the results of our risk management activities are what we expect them to be; when new threats or vulnerabilities are noticed, the resulting risks are analysed, evaluated and treated.
The critical part of the risk management process is the ability of the person doing the risk analysis to correctly quantify the likelihood and the consequences of the risk event coming to pass. This is because, as mentioned earlier, humans tend to be biased by their experiences and overall perceptions. To that end, a large number of organisations use statistical analysis.
The use of statistical data, such as actuarial tables, which hold long-term statistical data about certain kinds of events such as house fires, is so important to overall risk management and its financial impact that in some countries all insurance companies are required to provide claims and incident data to a designated third party, and to use the actuarial tables produced by that third party. This is done to ensure a more competitive and stable insurance industry.
Risk perception bias will necessarily arise when we attempt to derive realistic and meaningful quantitative data about a relatively new industry (or a new branch of an industry) such as web-based electronic commerce systems, for which, unlike in the case of the building or the car industry, we do not have a body of reliable information or statistical data about security issues, software flaws or other risk factors that would allow the derivation of an actuarial-style dataset on which to base our risk decisions.
May 29
So far we have discussed how to quantify the likelihood of, and the impact arising from, an event. In this part I would like to pull it all together and look at how we rate and prioritise risks, and also look at some common approaches to risk treatment (risk consequence mitigation and risk occurrence prevention).
Various risk management standards, such as the AS/NZS and ISO risk management standard series, prescribe risk rating methodologies. In general these methodologies rank risks using a matrix that combines risk likelihood and risk impact to derive an overall risk value. An example of such a matrix, sourced from ISO 31000, looks a bit like this:
It is clear that for any given industry, context and organisation there will be a different rating of the same event, with the same impact and frequency, based on the perceived consequences. Likewise, the choice of how to treat each risk is made based on the risk management context and the overall risk appetite of the owner and the stakeholders of each business system, process or asset.
Note on Risk Appetite vs Legislation and Regulations
Organisational or personal risk appetite drives the risk management choices. However, there are situations in which legislation or regulations exist that prevent organisations from taking on more than a certain level of risk, or force them to mitigate risks in a certain way.
These sorts of regulations most commonly arise in the financial services sector, with regulations such as the Basel Accords I, II and III being a prime example. These force banks to maintain a certain level of in-hand, cleared (not debt-encumbered) capital liquidity as a contingency and risk management fund, in direct proportion to the kind of investment activity the bank engages in. Needless to say, for some types of activity the capital reserve requirements are very large indeed, making it quite expensive to engage in high-risk behaviour.
There are several ways to treat risks, and the choice of what to do is most commonly driven by cost, whether that cost is expressed in terms of a political or public relations cost (“We do this for the children of tomorrow!”), a reputation or customer goodwill cost, or a simple monetary cost of the risk treatment, set against the likelihood and consequences of a risk event occurring. The ways in which we can deal with risks depend on the context and the stated risk appetite.
Risk treatments, also known as “security controls”, come in a number of flavours and are generally described as:
It is often easier to reduce the likelihood of a risk occurring than it is to mitigate the consequences of the event.
In general, when faced with a risk we can do one of the following things:
… “I can live with that”…
“I can live with that” should only be said, and done, in a situation where it is clear that:
are known to, communicated to, and well understood and acknowledged by the business owner and stakeholders of the business system, process or asset being managed.
This is critical, because by accepting the risk as-is, an individual or an organisation states that in their opinion there is no wish or need to spend any more time or effort on trying to prevent the occurrence or mitigate the consequences of the risk. By extension, in such a case the individual or organisation accepts that there is a chance of the risk occurring, and also accepts the consequences of the event.
Reduction of likelihood (risk event avoidance) is generally easier and cheaper to achieve than risk impact minimisation. This is why there are a lot of technical controls geared around prevention, access control and compliance enforcement.
Impact reduction or elimination is expensive and hard to achieve. This is why a lot of risk and security management focuses on the reduction of likelihood. However, if we cannot reduce the likelihood of an event, but want to reduce the overall risk the event represents, we can do one of three things:
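To make the likelihood x impact matrix rating described above, and the "reduce likelihood first" treatment logic of the last two paragraphs, concrete, here is an added example (not from the original posts, and not the matrix from ISO 31000 or the AS/NZS standard). The matrix values, the risk register, the appetite level and the "steps of likelihood reduction" budget are all constructed assumptions.

```python
# Added example, not from the original post or any standard: rate a constructed
# risk register with a likelihood x impact matrix, rank it, and pick a treatment,
# trying likelihood reduction first because the post notes it is usually the
# cheaper control. Matrix values are illustrative only.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
IMPACT = ["insignificant", "minor", "moderate", "major", "catastrophic"]
# Rows indexed by likelihood, columns by impact; L/M/H/E = low/medium/high/extreme.
MATRIX = ["LLMMH", "LLMHH", "LMHHE", "MMHEE", "MHHEE"]
RANK = {"L": 0, "M": 1, "H": 2, "E": 3}


def rate(likelihood, impact):
    """Qualitative rating for one likelihood/impact pair."""
    return MATRIX[LIKELIHOOD.index(likelihood)][IMPACT.index(impact)]


def prioritise(register):
    """(name, rating) pairs, highest rating first, then highest impact, then name."""
    scored = [(name, rate(lik, imp), IMPACT.index(imp)) for name, lik, imp in register]
    scored.sort(key=lambda t: (-RANK[t[1]], -t[2], t[0]))
    return [(name, rating) for name, rating, _ in scored]


def treat(name, likelihood, impact, appetite="M", max_steps=2):
    """Choose a treatment against the stated appetite (highest acceptable rating).
    Returns (name, action, residual likelihood, residual impact)."""
    if RANK[rate(likelihood, impact)] <= RANK[appetite]:
        return (name, "accept", likelihood, impact)
    idx = LIKELIHOOD.index(likelihood)
    # Preventive controls: lower likelihood one step at a time, within the budget.
    for step in range(1, min(max_steps, idx) + 1):
        new_lik = LIKELIHOOD[idx - step]
        if RANK[rate(new_lik, impact)] <= RANK[appetite]:
            return (name, f"reduce likelihood by {step}", new_lik, impact)
    # Likelihood cannot be driven low enough (or is already "rare"): only the
    # harder, costlier impact-side treatment can bring this risk within appetite.
    return (name, "likelihood reduction insufficient: reduce impact", likelihood, impact)


REGISTER = [  # constructed sample register
    ("Unpatched flaw in web shop", "likely", "major"),
    ("Office coffee machine failure", "almost certain", "insignificant"),
    ("Data centre flood", "rare", "catastrophic"),
    ("Phishing of staff credentials", "likely", "moderate"),
]

if __name__ == "__main__":
    for name, rating in prioritise(REGISTER):
        print(rating, name)
    for risk in REGISTER:
        print(treat(*risk))
```

Run as-is, the register ranks the web shop flaw as extreme, and the flood case shows the point of the text: a risk that is already "rare" cannot be treated by further likelihood reduction, so impact-side treatment is the only option left.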
Feb 22
I just got an email from ASG Group HR people telling me that in 14 days I will have completed probation at ASG Group.
Has it really been 6 months?
Jan 16
Dec 31
On this day, the last day of 2015, I am planning to relax with friends and family, have a few quiet moments of reflection and to raise a glass in toast to all those who should be here, but, for one reason or another, are not here or not with us.
Looking back, it has been a most eventful year. 2015 was a year of much hectic effort and major events, much stress and many glorious moments. So here is the summation:
On the first day of the year:
In May I was in Peru, and I watched the sunrise at Machu Picchu.
In August, after over 7 years with Unisys I put in my resignation.
In September I started with ASG Group.
Late November and December were a mad race to get work finished off. In all it was five 60 to 70 hour weeks in a row, followed by a very relaxing trip to Tasmania.
On the family front:
On the last day of 2015, I got a new phone, set it up, and got it all working, so that I can turn off my old one, as befits the occasion.
In all I am very happy with how 2015 worked out, despite all the stress and drama.
I think that 2016 is shaping up to be just as spectacular and just as good. Perhaps even better in some ways.
Dec 26
This year we went off to Tasmania over Christmas. It is a most worthwhile thing to do, as the place has a long (for Australia) history, very pretty landscapes, and many good wineries and vineyards.
I will do a summing up of the year that has been in a post sometime before New Year's Eve. It is important to take stock of things.
May 07
I have been very busy with life, work and other distractions. Hopefully there will be fewer distractions and more life coming soon.
Jan 02
What I did on the 1st day of 2015:
All in all it was/is an eventful day. Photos and blog posts to come.
Nov 08
Hi All.
http://tmciolek.id.au – aka this site – is back from the ColdSleep(TM) chamber, which was a necessary thing due to the death of our previous hardware.
Lessons learnt – backups fixed, redundant disks sourced, monitoring enabled and logged.
More about the setup and other juicy details later.