Updates to the site

I am slowly updating all the missing photos. I will also restructure the content a little and update it where it is required.

This will take some time and some work.

Risk Management – Overview

Philosophy of Security, Part 5 – Risk Management – The Process

In the previous parts of this security series we have looked at what security is, why we do it, and at some psychological factors that affect the way we do it. Significantly, in part 4, I noted that:

… research has shown repeatedly that our own experiences, and the constant exposure to bad news, cause us to become bad at estimating the actual, as opposed to the imagined, probability of threats coming to pass. Instead we focus our attention on, and give greater weight to, the things that we are bombarded with in news and media. Because of this we end up making fear-driven decisions, resulting in a much higher or a much lower level of perceived safety than the circumstances actually warrant …

It is this human predisposition to be driven by feelings of fear and safety, and therefore to misinterpret risks, that has produced numerous risk management frameworks and strategies. Some of these methodologies have become standards, with a set, pre-defined methodology and vocabulary of terms, in order to ensure that the same process and methodology is applied whenever different organisations undertake risk management activities.

In general the risk management framework and its associated process comprise the following actions:

  • Define/Discover
  • Assess and Analyse Risks
  • Treat/Mitigate Risks
  • Watch, monitor, measure and review.

A good example of a risk management process is the one given in the AS/NZ standard 4630:2004 Risk Management, which describes the following overall process:

Figure: AS4630 based risk management process

1. Communicate and consult – This part of the process is concerned with communication and consultation with the business owners and relevant stakeholders in the asset, organisation, process or system that will be the subject of the risk management process. The communications are used to define the context, obtain the necessary information, and pass back feedback during the risk management process.

2. Set Context – This activity is about collecting information about the subject of our risk analysis and setting the boundaries of the particular risk management activity:

  • What systems, processes or assets will be considered
  • Who the business owner and stakeholders are
  • What are the objectives of this process
  • What are the criteria we must use as part of our risk analysis.

3. Identify risks – This activity is about identifying what can happen in terms of “threats” to the asset, process or system, and the vulnerabilities found within the asset, process or system, or in the environment around the subject of our analysis.

Assess and Analyse Risks

4. Analyse risks – Work out, in as objective terms as possible, how likely a set of threats and vulnerabilities are to be realised, what the current controls are (i.e. what we do to stop it from occurring, or how we mitigate the consequences), what the consequences are, and the resultant risk level.

5. Evaluate risks – Evaluate the risks and rank them according to the criteria set by the business owner and the stakeholders in the context-setting phase.

Treat/Mitigate Risks

6. Treat Risks – Risk treatment is generally the expensive part of the risk management process, because deploying new security controls or outsourcing risk costs a lot of money. Because of this, the step is usually done in consultation and negotiation with the business owner and the stakeholders for each affected system, process or asset, and generally takes one of the following forms:

  • risk acceptance (do nothing new);
  • implementation of additional personnel (people), technical (locks, security alarms, firewalls), policy and procedural controls;
  • transference or outsourcing of the risk to another party (e.g. a change to the terms of a contract, an insurance policy, etc.).

Watch, monitor, measure and review.

7. Monitor and Review – This is an ongoing activity that ensures that the results of our risk management activities are what we expect them to be, and that, when new threats or vulnerabilities are noticed, the resulting risks are analysed, evaluated and treated.

Some notes on the risk management process.

The critical part of the risk management process is the ability of the person doing the risk analysis to correctly quantify the likelihood and the consequences of the risk event coming to pass. This is because, as mentioned earlier, humans tend to be biased by their experiences and overall perceptions. To that end a large number of organisations use statistical analysis.

The use of statistical data – such as actuarial tables, which hold long-term statistical data about certain kinds of events such as house fires – is so important to overall risk management and its financial impact that in some countries all insurance companies are required to provide claims and incident data to a designated third party, and to use the actuarial tables produced by that third party. This is done to ensure a more competitive and stable insurance industry.

Risk perception bias will necessarily arise when we attempt to derive realistic and meaningful quantitative data about a relatively new industry (or a new branch of an industry) such as web-based electronic commerce systems, for which, unlike in the case of the building or the car industry, we do not have a body of reliable information or statistical data about security issues, software flaws, or other risk factors that would allow the derivation of an actuarial-style dataset on which to base our risk decisions.

Risk Rating and Treatments

Philosophy of Security, part 9 – Risk Management – Risk Rating and Treatments

So far we have discussed how to quantify the likelihood of, and the impact arising from, an event. In this part I would like to pull it all together and look at how we rate and prioritise risks, and also look at some common approaches to risk treatments (risk consequence mitigation and risk occurrence prevention).

Risk Rating

Various risk management standards, such as the AS/NZS and ISO risk management standard series, have prescribed risk rating methodologies. In general these methodologies rank risks using a matrix that combines risk likelihood and risk impact to derive an overall risk value. An example of such a matrix, sourced from ISO 31000, looks a bit like this:

Figure: ISO31000 based risk matrix

It is clear that for any given industry, context and organisation there will be a different rating of the same event, with the same impact and frequency, based on the perceived consequences. Likewise, the choice of how to treat each risk is made based on the risk management context and the overall risk appetite of the owner and the stakeholders of each business system, process or asset.
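A worked rating and ranking of a small constructed risk register, as an added example that is not from the post or from either standard: the scale labels, the matrix cell values, the second "regulated" matrix, the appetite level and the sample risks are all assumptions. It covers the analyse and evaluate steps of the process described earlier as well as the likelihood-by-impact matrix, and shows the same event receiving a different rating under a different context.

```python
from dataclasses import dataclass

# Assumed 5-point scales (index 0 is the lowest); a real context defines its own.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
IMPACT = ["insignificant", "minor", "moderate", "major", "catastrophic"]
ORDER = {"low": 0, "medium": 1, "high": 2, "extreme": 3}

# Assumed matrix: rows are likelihood, columns are impact, cells are the rating.
MATRIX = [
    ["low",    "low",    "medium",  "high",    "high"],
    ["low",    "low",    "medium",  "high",    "extreme"],
    ["low",    "medium", "high",    "extreme", "extreme"],
    ["medium", "high",   "high",    "extreme", "extreme"],
    ["high",   "high",   "extreme", "extreme", "extreme"],
]

# A second, assumed context (say, a regulated business): any "major" or
# "catastrophic" impact is rated extreme regardless of likelihood.
REGULATED = [row[:3] + ["extreme", "extreme"] for row in MATRIX]

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    impact: str

def rate(risk, matrix=MATRIX):
    """Step 4 (analyse): look up the cell for this risk's likelihood and impact."""
    return matrix[LIKELIHOOD.index(risk.likelihood)][IMPACT.index(risk.impact)]

def evaluate(risks, appetite, matrix=MATRIX):
    """Step 5 (evaluate): rank highest rating first and flag every risk above the
    owner's stated appetite; anything at or below it is a candidate for acceptance.
    Returns (name, rating, needs_treatment) tuples."""
    rated = sorted(((r.name, rate(r, matrix)) for r in risks),
                   key=lambda nr: ORDER[nr[1]], reverse=True)
    return [(n, rt, ORDER[rt] > ORDER[appetite]) for n, rt in rated]

# Constructed sample register; the values are illustrative, not measured.
REGISTER = [
    Risk("laptop with customer data lost on a train", "likely", "major"),
    Risk("web server outage from hardware failure", "possible", "moderate"),
    Risk("office flooded by river", "rare", "catastrophic"),
    Risk("printer runs out of toner", "likely", "insignificant"),
]

if __name__ == "__main__":
    for ctx, matrix in (("default", MATRIX), ("regulated", REGULATED)):
        print(f"--- context: {ctx}, appetite: medium")
        for name, rating, treat in evaluate(REGISTER, "medium", matrix):
            print(f"{rating:8} {'TREAT ' if treat else 'accept'} {name}")
```

Under the default matrix the river flood rates "high"; under the regulated matrix the same event, with the same likelihood and impact, rates "extreme" and moves up the ranking.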

Note on Risk Appetite vs Legislation and Regulations

Organisational or personal risk appetite drives risk management choices. However, there are situations in which legislation or regulations exist that are put in place to prevent organisations from taking on more than a certain level of risk, or that force us to mitigate risks in a certain way.

These sorts of regulations most commonly arise in the financial services sector, with regulations such as the Basel Accords I, II and III a prime example: these force banks to maintain a certain level of in-hand, cleared (not debt-encumbered) capital liquidity as a contingency and risk management fund, in direct proportion to the kind of investment activity the bank engages in. Needless to say, for some types of activity the capital reserve requirements are very large indeed, making it quite expensive to engage in high-risk behaviour.

Risk Treatments

There are several ways to treat risks, and the choice of what to do is most commonly driven by cost, whether that cost is expressed as a political or public relations cost (“We do this for the children of tomorrow!”), a reputation or customer goodwill cost, or a simple monetary cost, of the risk treatment set against the likelihood and consequences of a risk event occurring. The ways in which we can deal with risks depend on the context and the stated risk appetite.

Risk treatments – also known as “security controls” – come in a number of flavours and are generally described as:

  • physical controls: walls, separate rooms, doors, barred windows, etc. – physical barriers to prevent unwanted or unauthorised access to systems and assets.
  • technical controls: things we can use such as locks, firewalls, alarm systems, anti-virus software, safes and security verification systems;
  • policy controls: laws, regulations and rules within which the organisation chooses to operate. These often come with explicitly stated consequences for breach of the policy. For example, a policy might state that it is not permitted for employees to share computer system credentials, and that breach of this policy may be grounds for summary termination of employment.
  • personnel controls: background checks on employees, to ensure they do not pose an undue reputation risk or have a history of unwanted behaviour. Examples of these are a government security clearance or a police criminal background check.
  • process controls (also known as procedural controls): these are steps inserted into processes and procedures that help ensure that technical, policy, personnel and physical controls are used to full effect within a certain process. An example of this would be a person at the post office asking for photo ID before handing over an item of Registered Mail (known as Certified Mail in some places).

It is often easier to reduce the likelihood of a risk occurring than it is to mitigate the consequences of the event.

In general, when faced with a risk we can do one of the following things:

1. Accept a risk

“I can live with that”

“I can live with that” should only be said, and done, in a situation where it is clear that:

  • either that there is little of value that can be done to prevent or mitigate the consequences of an event (war, natural disaster, etc.);
  • or that there are things we can do about both the possibility of the event occurring and all the resulting impacts and consequences of the event

are known to, communicated to, well understood and acknowledged by the business owner and stakeholders of the business system, process or asset being managed.

This is critical, because by accepting the risk as-is an individual or an organisation states that, in their opinion, there is no wish or need to spend any more time or effort on trying to prevent the occurrence or mitigate the consequences of the risk. By extension, in such a case the individual or organisation accepts that there is a chance of the risk occurring, and they also accept the consequences of the event.

2. Reduce Likelihood

Reduction of likelihood (risk event avoidance) is generally easier and cheaper to achieve than risk impact minimisation. This is why there are a lot of technical controls geared around prevention, access control and compliance enforcement.

  • Access control: by controlling who (organisations and individuals) has access to a business system, process or asset we are able to reduce the chances of a risk event occurring. An example of this sort of thing is an attack surface reduction approach for web servers, where all unnecessary processes and services are removed or hidden away from access.
  • Policy-based treatments: these often provide a measure of deterrence, which reduces the likelihood of unwanted behaviour. For example, a company might have a customer relationship management system usage policy which states that the system is monitored, and that certain behaviours will lead to immediate account suspension, an investigation and termination of employment.
  • Personnel security based treatments: only hire people who pass certain background check criteria for positions that deal with large sums of money or are otherwise seen as positions of trust (teachers, child-care workers, etc.).
  • Process and procedure based treatments: checks and balances inserted into a process which serve to validate the process, enforce policy, and uncover non-compliance.

3. Reduce Impact

Impact reduction or elimination is expensive and hard to achieve. This is why a lot of risk and security management focuses on reduction of likelihood. However, if we cannot reduce the likelihood of an event but want to reduce the overall risk the event represents, we can do one of three things:

  • Mitigate the actual impact – mitigate or reduce the impact and the consequences; make the event less painful and damaging. For example, an organisation could encrypt all data on corporate laptops and backup tapes, so that if someone loses one of them (a large number of people leave laptops on the bus or a train), or worse yet, one of these is stolen, then the only real loss is the loss of physical property (the laptop or tapes), rather than a rather embarrassing compromise of potentially confidential corporate data such as budgets, contract details or customer data.
  • Transfer risk – this is where the individual or organisation making risk management decisions transfers the risk to a third party. This often takes the form of contractual damages and indemnity clauses.
  • Outsource risk – to outsource the risk we pay a third party to take the risk on. The most common form of this is insurance, where we pay someone a small premium so that they compensate us when something bad happens.

Nearly 6 months at ASG.

I just got an email from ASG Group HR people telling me that in 14 days I will have completed probation at ASG Group.

Has it really been 6 months?

Upgrading Apache

Notes on upgrading Apache 2.2 to 2.4

  • vhost files must have a .conf extension; otherwise they are ignored.
  • Config changes required as per: http://httpd.apache.org/docs/2.4/upgrading.html

Last Day of 2015

On the last day of 2015

On this day, the last day of 2015, I am planning to relax with friends and family, have a few quiet moments of reflection and to raise a glass in toast to all those who should be here, but, for one reason or another, are not here or not with us.

Looking back, it has been a most eventful year. 2015 was a year of much hectic effort and major events, much stress and many glorious moments. So here is the summation:

Looking back at 2015

On the first day of the year:

  • I watched the sun rise over the Angkor Wat.
  • Rode an elephant at Angkor Thom.
  • Visited several other ancient Khmer temples.
  • Watched an Apsara dance performance.
  • On this day I also received some news that a long-time friend of mine had passed away.
  • Wrote some prose and some (questionable) poetry

In May I was in Peru, and I watched the sunrise at Machu Picchu.

In August, after over 7 years with Unisys I put in my resignation.

In September I started with ASG Group.

Late November and December was a mad race to get work finished off. In all it was five 60 to 70 hour weeks in a row, followed by a very relaxing trip to Tasmania.

On the family front:

  • My Father was operated on after badly damaging disks in his lower back.
  • My Mother was operated on to remove some cancerous growths from her insides.
  • My Brother and his wife bought a town house.
  • Lindsay, Kyle and Beth also bought a town house in Banks. Lindsay and Kyle live there with their partners and some house mates.
  • I got to renovate the kitchen in the “kids place”. Did a decent job, even if I say so myself.

On the last day of 2015, I got a new phone, set it up, and got it all working, so that I can turn off my old one, as befits the occasion.

In all I am very happy with how 2015 worked out, despite all the stress and drama.

I think that 2016 is shaping up to be just as spectacular and just as good. Perhaps even better in some ways.

Christmas Travel – Tasmania.

This year we went off to Tasmania over Christmas. It is a most worthwhile thing to do, as the place has a long (for Australia) history, very pretty landscapes, and many good wineries and vineyards.

I will do a summing up of the year that has been in a post sometime before New Year's Eve. It is important to take stock of things.

Alive – Very busy

I have been very busy with life, work and other distractions. Hopefully there will be fewer distractions and more life coming soon.

First day of 2015

What I did on the 1st day of 2015:

  • Watched the sun rise over the Angkor Wat archeological park
  • Rode on an elephant at Angkor Thom.
  • Visited several other ancient temples.
  • Watched an Apsara dance performance.
  • Received some Bad News ™ that will take a few days to process.
  • Wrote some prose and some (questionable) poetry

All in all it was/is an eventful day. Photos and blog posts to come.

Back in business

Hi All.

http://tmciolek.id.au – aka this site – is back from the ColdSleep(TM) chamber, which was a necessary thing due to the death of our previous hardware.

Lessons learnt – backups fixed, redundant disks sourced, monitoring enabled and logged.

More about the setup and other juicy details later