Network World

New kids advance 'New School'

The New School of Information Security
Security Strategies Alert By M. E. Kabay, Network World
September 09, 2008 12:05 AM ET

Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.

Do you ever get tired of hearing the same old regurgitated pap about security from the same old bald, graying old-timers (hmmm, I’d better be careful here)?

Two exciting young talents (well, young from my perspective), Adam Shostack and Andrew Stewart, have published an interesting and challenging manifesto urging information-assurance practitioners to break out of conventional thinking. They argue (and I concur) that we have to use the insights of other disciplines in formulating and implementing our security policies to cope with computer-related crime.

The New School of Information Security is an engagingly written, concise book that's suitable not only for security practitioners but also for non-technical executives and for students. It’s already being used in a course at Carnegie Mellon University and I’m considering it for a course of my own.

Like Bruce Schneier and Ross Anderson, the authors argue strongly for economic analysis of security issues as a fundamentally sound approach to resolving practical questions. The authors discuss the dreadful state of trustworthy, testable information about computer crimes.

They support the view of many practitioners that we cannot depend on quantitative risk management in the absence of reliable data. The problem of ascertainment is that we know from historical observations that some computer security breaches are not discovered until long after they occur, leading to the obvious but unanswered question of how many breaches are never discovered at all. The problem of reporting is that we also know that many discovered breaches are not reported – but again, we don't know what proportions are involved.

Surveys, the authors explain, suffer from well-known weaknesses. Not only are the measurement instruments themselves often flawed (with biased questions and zero attempt to achieve internal validation of the results) but the sampling is non-random. We never know to what extent the people responding are a representative sample of the population to which we apply the findings of the survey. Another problem with surveys is that many are sponsored by commercial organizations and they generally do not release the raw data for independent analysis. The authors strongly argue for such release in future surveys.

Without actuarial data, calculations of annualized loss expectancies are of limited use. From my perspective, they can serve well in Monte Carlo simulations for sensitivity analysis, allowing us to guess at the relative importance of various aspects of our information assurance infrastructure. However, we cannot rely on calculations based on guesswork for more than a general notion of the relative importance of protective measures.
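As an added illustration of the Monte Carlo sensitivity analysis described above (my own example, not from the book or from the column's author), the following script draws SLE, ARO and control-effectiveness values from hypothetical ranges, estimates the annualized loss expectancy for each scenario, and then checks whether the ranking of protective measures survives the uncertainty even though the dollar figures do not. All inputs are constructed placeholders.

```python
import random

# Constructed, hypothetical inputs (not data from the book): for each breach
# scenario, an uncertain single-loss expectancy (SLE, dollars), annualized rate
# of occurrence (ARO, events/year) and the fraction of loss a control would
# avert, each given as a (low, high) range because no actuarial data exists.
SCENARIOS = {
    "phishing":     {"sle": (20_000, 200_000),    "aro": (0.5, 4.0),  "reduction": (0.3, 0.7)},
    "ransomware":   {"sle": (100_000, 2_000_000), "aro": (0.05, 0.5), "reduction": (0.5, 0.9)},
    "insider_leak": {"sle": (50_000, 500_000),    "aro": (0.02, 0.3), "reduction": (0.2, 0.6)},
}

def percentile(sorted_vals, p):
    """p-th percentile (0..1) of an already sorted list."""
    return sorted_vals[min(len(sorted_vals) - 1, int(len(sorted_vals) * p))]

def simulate(scenarios, trials=10_000, seed=1):
    """Monte Carlo over the input ranges. For each scenario, returns the
    10th/50th/90th percentiles of ALE = SLE * ARO and the median annual
    loss the control would avert (ALE * reduction)."""
    rng = random.Random(seed)
    summary = {}
    for name, s in scenarios.items():
        ales, averted = [], []
        for _ in range(trials):
            ale = rng.uniform(*s["sle"]) * rng.uniform(*s["aro"])
            ales.append(ale)
            averted.append(ale * rng.uniform(*s["reduction"]))
        ales.sort()
        averted.sort()
        summary[name] = {
            "ale_p10": percentile(ales, 0.1), "ale_median": percentile(ales, 0.5),
            "ale_p90": percentile(ales, 0.9), "averted_median": percentile(averted, 0.5),
        }
    return summary

def rank_controls(summary):
    """Controls ordered by median averted loss, most valuable first."""
    return sorted(summary, key=lambda n: summary[n]["averted_median"], reverse=True)

def ranking_stability(scenarios, seeds=range(5), trials=2_000):
    """Fraction of independent runs that reproduce the first run's ranking.
    A ranking that holds across runs is the 'general notion of relative
    importance' guessed inputs can support; the dollar totals are not."""
    rankings = [rank_controls(simulate(scenarios, trials, seed)) for seed in seeds]
    return sum(r == rankings[0] for r in rankings) / len(rankings)

if __name__ == "__main__":
    result = simulate(SCENARIOS)
    for name in rank_controls(result):
        r = result[name]
        print(f"{name:13s} ALE p10/median/p90 = {r['ale_p10']:>10,.0f} "
              f"{r['ale_median']:>10,.0f} {r['ale_p90']:>10,.0f}  "
              f"averted (median) = {r['averted_median']:>9,.0f}")
    print("ranking stability:", ranking_stability(SCENARIOS))
```

The spread between the p10 and p90 columns shows how little the absolute ALE figures can be trusted, while the stability score shows how much the relative ordering can.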

Another aspect of today's security industry that the authors address is the insularity of our field. We have little cultural, gender and educational diversity; we could benefit from a wider range of personal and professional backgrounds. In particular, the authors argue, we need more cross-disciplinary thinking, with insights developing from experience in psychology, sociology, organizational dynamics, mathematics, physics, and engineering. Undergraduate curricula in security, they argue, tend to focus too closely on cryptology as if it were the central focus of security today. On the contrary, they argue, although cryptography underlies many of the technological tools we use in securing information, it is far from sufficient for effective implementation of security plans.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.

Comments (1)
New School Book
By Anonymous on September 11, 2008, 1:26 pm
I am currently on my second run-through of this book; highly recommended. I rarely read a book twice.
