Managing Information Security is Managing Uncertainty
If we have learned anything during the last two years, the years of the pandemic, it is that life is uncertain.
The world around us is predictable, or even understandable, only up to a certain limit. Beyond that, events are in many cases uncertain. And we have all seen how difficult it is to make decisions under uncertainty. Measures to contain the pandemic were taken in one week and communicated with confidence, explaining their necessity, only to be withdrawn or even reversed the next week. This is not wrong. Nor stupid. This is what decision making under uncertainty means: one does not know the probability of an event, nor the impact of events, let alone the impact of measures. This is not wrong. This is hard.
I think that information security is about decision making under uncertainty. Information Security in 2022 is not about certain, preventable events, not even about probable events that can be managed as risks. No, information security is about fundamentally unknowable probabilities and unknowable impacts. Information security nowadays is about managing uncertainty.
Indeed, uncertainty can be managed. But it is important to understand the difference between risk and uncertainty, as the two notions require very different strategies.
An example can illustrate this. Suppose you may draw a ball from one of two urns. The first urn contains exactly 50 red balls and 50 black ones; the second urn contains an unknown mix of red and black balls. Which urn would you choose if drawing a red ball means you win?
And which urn would you choose if drawing a black ball means you win? No single belief about the second urn can justify preferring the first urn in both cases, yet people almost always choose the first urn, with the known mix of red and black, regardless of the winning condition. This is the Ellsberg paradox. The first urn gives a 50–50 chance of winning. But perhaps the second urn contains only red balls and no black balls, or the other way round. Preferring the known urn in both cases is inconsistent: it amounts to believing that the second urn holds fewer than half red balls and also fewer than half black balls. It turns out people prefer chances they know over unknown chances, even when that is not in their favour.
Risk is about events that occur with a known probability distribution and a known impact distribution. Risk management is about implementing responses in such a way that the expected value of the impact of the risks that actually manifest themselves stays within certain pre-determined parameters, usually referred to as the “risk appetite”.
Historically, information security professionals assumed that all possible events could be predicted a priori: how they would occur, when, and what they would mean for the system they were trying to protect. And hence they would build in countermeasures to prevent them from happening. In fact, we were trying to make all security decisions a priori, after which the system would be completely secure.
Of course, sometimes systems were compromised and turned out not to be secure. But in many cases this was caused by human error, mistakes made by the engineers who built the system, and therefore testing became the dominant security strategy. It worked wonders to keep security at acceptable levels for many years. You know what I am talking about: change risk assessments, pentests and code reviews were at the centre of any security strategy.
But at some point this strategy was no longer viable. Systems were increasingly compromised not just because of engineering mistakes or bugs, but by motivated adversaries that specifically targeted them. And the systems became more complicated and interconnected, in particular with the rise of the internet and internet-facing perimeters. Security professionals learned that a priori security decision making was no longer possible or realistic. They had to adopt an a posteriori decision making strategy. This meant we had to accept breach, accept compromise, and implement systems that could detect such events so that security teams could activate a response runbook.
As this meant that IT departments had to set up new security teams, which meant new investments and allocations of resources, this strategy needed a business case. And this is when risk management entered the game. Could we perhaps calculate the probability of an event happening and the operational loss it would incur? And could we, by doing that, justify the cost of security and steer the allocation of resources?
Risk management is a very widely used and accepted method in decision making. Executives in companies are used to applying it. Indeed, we cannot predict the future, but at least we know the probability distribution of all possible futures, right? And yes, it adds complexity to decision making, but a manageable complexity when we know the probabilities involved, and surely we can find out these probabilities by simply looking at what happens around us, right?
And hence information security risk management entered our vocabulary. And as more and more companies adopted the 3 lines of defence risk model, security officers were confronted with the question: are you first or second line of defence? This seems an easy question, right? But then why is it that, in my experience, a third of all companies have their CISO in the 1st line, a third have the CISO positioned in the 2nd line, and a third could not make up their mind and decided to have two CISOs, one in the 1st and one in the 2nd line!
And what about that risk appetite? Why is it that so many CISOs, myself included, have been struggling, and are still struggling, to formulate a risk appetite statement that lets them sleep at night?
And why is it that we cannot position ourselves in the 3 lines of defence model? Is it because we still do not understand risk management? Is it because we do not understand the 3 lines of defence model? Or is it because information security is, at its core, not about risk management at all? Or at least, that the part requiring the full attention of the CISO nowadays is no longer about risk, but about something else?
I think that information security in 2022 is not about risk management, but about uncertainty management.
It is about accepting that the future is fundamentally unpredictable and not even probabilistic. The reason is twofold. First, more and more security incidents are not random events but targeted events by highly motivated adversaries. Second, the systems we try to protect have reached a level of complexity, due to interconnectedness and entanglement, that exhibits emergent chaotic behaviour and makes assessing the probability or the size of impact impossible. It is not that we do not know these numbers yet and could know them if we measured better. No, the events CISOs worry about today do not have a probability distribution.
To be clear about the definitions: any risk is an uncertainty, but not all uncertainties are risks.
And do not confuse uncertainty with tail risk. Risk managers have introduced tail risks, and controls to manage them, for years. Tail risks are still risks, albeit with a low probability and a large impact.
Risk management gives us a sense of manageability and control. We like that control. You could argue that risk management is a good enough approximation of uncertainty management, just as Newtonian mechanics is an approximation of quantum mechanics. But it is not. Nowadays, approaching information security as a risk management discipline only can lead to disastrous events. Please understand that I do think risk management is an important part of information security management, but CISOs do not have the luxury of limiting themselves to just that. Because focusing on risk only is focusing only on what we know, on what happened before. Sometimes the impact of an event is simply not knowable, as the object it impacts is too complex to foresee the resulting effects. Or the probability is zero until an adversary steps up and invents a new attack. We know that managing risk, and in particular very low probabilities, is hard, but managing uncertainty is even harder.
To understand uncertainty, a model of the world is needed: one that connects the actors, their motivations and assumptions about causal relations. And a mechanism to adjust the model given new inputs, via Bayesian networks for example. Bayes' rule gives us a mechanism to increase knowledge with new information. Attacks do not happen randomly; attackers take very specific routes, and modern CISOs already incorporate them into, for example, attack tree methods.
Information security needs to take into account the fact that events happen not only randomly, but also at the hands of highly motivated adversaries with a specific goal or target in mind. This means we need to take into account cause and effect, and how actors influence each other. We should look beyond just counting occurrences and translating that into likelihood. Much more advanced statistical and causal models are needed. Game theoretic elements enter our domain. Resilience becomes a core competence, together with the ability to learn. We need to accept and understand that the world is not about correlations between random variables and occurrences, but is built around deeply causal relationships. To manage uncertainty, CISOs should start understanding that causality as part of their efforts to reach situational awareness.
So what about security strategy? What new elements should a CISO include in his or her strategy? And how can we avoid control frameworks getting ever more complicated (because all learning and training data are post-mitigation effects and always lead to the addition of controls)? How do we obtain an information position that allows us to make good security decisions?
So far, this involved gathering a lot of data as part of security monitoring. We collected all that data into giant data lakes and then started correlating events, hoping to detect meaningful changes in our environment. The amount of data was the indicator of progress.
But this is not how you manage uncertainty. As I said, our world is not about correlation but about causation. Data gathering always results in bias: bias that favours events that are easy to observe over events that are hard to see (observer bias), twisting the probability distributions. Therefore CISOs should understand the bias in their data, and then define a sensor placement strategy and a sampling strategy to manage that bias. CISOs should understand that the world is not random, but deeply driven by causality rather than correlation. Therefore CISOs should use causal graphs and adversary intel, and build models of the world that highlight confounding variables, to make sure they capture the right information at the right sampling rate and avoid bias and aliasing effects in their data sets.
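A small worked example of the two ideas above, Bayesian updating of a belief and the bias that limited sensor coverage introduces. This is an added illustration, not code from the original keynote; the sensor numbers (20% coverage, 90% true-positive rate, 1% false-positive rate) and the 1% prior are constructed for the illustration. The model is deliberately simple: a sensor can only alert on activity it actually observes, so its alert probability is coverage times its detection rate.

```python
# Added example (not from the original keynote): Bayesian update of the belief that a
# host is compromised, from a sensor that only observes part of the relevant activity.
# All numbers are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Sensor:
    """Detector model.

    coverage: probability that the sensor sees the relevant activity at all
              (placement and sampling decide this).
    tpr/fpr:  alert probability given that the activity was observed, for a
              compromised / clean host respectively.
    """
    coverage: float
    tpr: float
    fpr: float

    def p_alert(self, compromised: bool) -> float:
        # The sensor cannot fire on what it never observes.
        return self.coverage * (self.tpr if compromised else self.fpr)


def likelihood_ratio(sensor: Sensor, alert: bool) -> float:
    """Evidence weight of one observation: P(obs | compromised) / P(obs | clean)."""
    pa_c, pa_n = sensor.p_alert(True), sensor.p_alert(False)
    if pa_n == 0.0 or pa_n == 1.0:
        raise ValueError("sensor must have a non-degenerate false-positive behaviour")
    return pa_c / pa_n if alert else (1.0 - pa_c) / (1.0 - pa_n)


def posterior(prior: float, sensor: Sensor, alert: bool) -> float:
    """Bayes' rule on the odds scale: posterior odds = prior odds * likelihood ratio."""
    if not 0.0 < prior < 1.0:
        raise ValueError("prior must be strictly between 0 and 1")
    odds = prior / (1.0 - prior) * likelihood_ratio(sensor, alert)
    return odds / (1.0 + odds)


def update_sequence(prior: float, observations) -> float:
    """Fold a sequence of (sensor, alert) observations into the belief.
    Assumes the observations are conditionally independent given the host state
    (e.g. the sensor samples afresh each day)."""
    belief = prior
    for sensor, alert in observations:
        belief = posterior(belief, sensor, alert)
    return belief


def naive_vs_aware(prior: float, sensor: Sensor, alert: bool):
    """The 'data lake' reading treats a quiet sensor as if it saw everything
    (coverage 1.0). Returns (naive posterior, coverage-aware posterior)."""
    assumed_full = Sensor(coverage=1.0, tpr=sensor.tpr, fpr=sensor.fpr)
    return posterior(prior, assumed_full, alert), posterior(prior, sensor, alert)


if __name__ == "__main__":
    # Constructed: a telemetry source that samples one host in five.
    sampled = Sensor(coverage=0.2, tpr=0.9, fpr=0.01)
    prior = 0.01  # constructed base rate of compromised hosts

    print("alert fired,  naive / aware:", naive_vs_aware(prior, sampled, True))
    print("no alert,     naive / aware:", naive_vs_aware(prior, sampled, False))
    print("five quiet days, aware:", update_sequence(prior, [(sampled, False)] * 5))
```

Two things the numbers show. When the sensor does fire, coverage cancels out of the likelihood ratio (tpr/fpr = 90 either way), so the posterior is the same whether or not you account for coverage. When the sensor stays quiet, it matters a great deal: the coverage-aware posterior barely moves from the 1% prior (about 0.82%), while the naive reading drops it to about 0.10%, a tenfold overstatement of how much a quiet day proves. Even five quiet days from the sampled sensor leave the belief above the naive single-day figure. That is the observer bias the text describes, made explicit in the model, and it is exactly what a sensor placement strategy has to fix, because no amount of data lake volume corrects a coverage term that is not in the model.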
These are complex notions, and maybe new to information security professionals, but they are well defined and pretty well understood. We must apply them, and combine them with a continuous focus on expecting the unknown to happen.
The quality of your causal graphs, the amount of bias in and the coverage of your sensors, the outcomes of continuous red- and blue-team exercises, and high quality intelligence about the world (and increasingly the geopolitics of cyberspace): next to the status of the risk control framework, these are the new ways of articulating a security posture.
CISOs have already evolved from data room to boardroom functions. On that journey the required skillset changed as well: from technology leaders to business leaders. We had to learn other skills, like communicating with non-professionals and convincing decision makers of our investments and resource allocations. But now CISOs must also be able to include learnings and concepts from other sciences: decision making, statistics, game theory, resiliency, psychology and the life sciences. Two years ago I introduced the notion of CISO Universalis, and now is the time to grow up. We need to know many subjects and be willing to combine them into our strategies as business leaders. This means we often have to take the hard approach, do the difficult thing. It is time that defenders embrace difficulty, the unknown and the uncertain. Our adversaries have done that forever.
Information security is not about the probability of majority decision making, but it is about the minute particularity of a motivated minority.
That is why risk management practices are such a bad fit with information security: information security is not about managing risk, it is about managing uncertainty.
This blog is based on a keynote the author gave at the KPN NLSecure[id] conference in 2021.