![Page 1: Security Risk Metrics or How I Learned to Love Fear and Uncertainty 11/22/11 Carl S. Young cyoung@strozfriedberg.com (212) 766-6004](https://reader035.vdocuments.net/reader035/viewer/2022062718/56649eb15503460f94bb6c1e/html5/thumbnails/1.jpg)
Security Risk Metrics or
How I Learned to Love Fear and Uncertainty
11/22/11
Carl S. Young, cyoung@strozfriedberg.com
(212) 766-6004
Security Risk Management: Intuition Versus Analytics
Failed Intuition or Miscalculation?
The Fundamentals: Threats and Risk
Threats!
Threats?
Threats
• Threats cause harm or loss
• Threats make you “worse off”
• Threats are contextual…what does THAT mean?
Risk
• Risk is an inherent property of threats
• Risk is what makes a threat threatening
• If there is no risk then there is no threat (and vice versa)
• There is also no need for security consultants!
The Components of Risk
Three components of risk:
1) impact (importance)
2) likelihood (probability or potential)
3) vulnerability (exposure to loss/harm)
The Fundamental Expression of Risk
Risk (threat) = Likelihood x Vulnerability x Impact
The Vulnerability Component of Risk:
Understanding the Threat
The Vulnerability Component of Risk
• Recall threats are contextual
• Why? Each component of risk can vary with the scenario
• Must be precise in characterizing the threat and associated risk
• Example: “Terrorism”. Timothy McVeigh (Oklahoma City bomber) versus Charles Whitman (University of Texas sniper)?
• What about risk mitigation?
Example: The Threat of Electrocution from Lightning
[Figure: Electrocution Scenario 1 versus Electrocution Scenario 2]
Lightning and the Vulnerability Component of Risk
• The vulnerability component of risk for each scenario is different
• Scenario 1: your body acts as an electrical conductor between the cloud and the earth…you’ve got a problem
• Scenario 2: the charges distribute themselves around the car’s metal surface…you’re probably ok
The Likelihood Component of Risk: Predicting the Future
Likelihood Component of Risk: Tools of the Trade
• Some security incidents do occur at random:
  1) Nuclear disintegrations of radioisotopes
  2) Security equipment failures
• Certain threat scenarios are relatively stable over time
• Standard statistical distributions apply (e.g., Poisson, Normal, Binomial)
• Specify the mean and the uncertainty in the mean (i.e., standard deviation)
Likelihood or Potential?
• Is it ok to estimate the likelihood of future incidents based on previous incidents?
• Yes, if conditions remain relatively stable*
• OR the incidents occur at random
• Otherwise it is more precise to speak of ‘potential’ for incident occurrence

* The rate of incident occurrence >> change in influencing conditions.
What is Security Risk Management Really All About?
• Educated trade-offs between the components of risk for each impactful threat
• Such trade-offs form the basis for a security risk management strategy
• Risk component trade-offs are what security directors are paid to do!
Security Director Fantasy Job Advertisement
A US-based international corporation is seeking qualified candidates to apply for the position of Global Security Director with responsibilities and compensation as follows:
1) Make educated trade-offs regarding the components of risk for each impactful security threat
2) Design and implement culturally acceptable and cost-effective security solutions based on the aforementioned trade-offs (i.e., develop a security risk management strategy)
3) Effectively communicate security risk to all levels of the organization
4) Salary: ~ $1M per annum*

* Welcome to MY fantasy
It’s Not So Easy: The Security Risk Management Conundrum
• Security risk management is inherently defensive
• Does a low number of security incidents mean there is an effective security strategy in place?
• Perhaps you’ve just been lucky or the bad guys are indifferent
Effective Risk Management?
And Security Risk Management is a Zero Sum Game…Finite Resources
[Figure: competing demands on finite resources: Property Theft, Terrorism, Physical Assaults, Information Theft/Insiders]
Measuring The Vulnerability Component of Risk:
Coping with Fear
Security Risk Measurements
• How can you measure the risk associated with security threats if there is a low number of incidents?
• Measure risk indirectly by measuring a risk factor rather than instances of the threat itself
Identifying Risk Factors
• Risk factors are characteristics or properties of a threat that enhance a component of risk
• Threat = tropical diseases. Risk factor = travel to tropical climates
• Threat = shark attacks. Risk factor = swimming in the ocean
• Threat = leukemia. Risk factor = exposure to radioactive material
• Threat = car accident. Risk factor = teenage drivers
Physical Threats
• Physical quantities (e.g., vapor concentration, overpressure, signal intensity) associated with physical threats
• These quantities often scale with parameters of distance or time
• Can estimate limits on “safe” separation distances, exposure times, et al.
• Thereby establish risk metrics and mitigation strategies
Example: Vehicle-Borne Explosive Threat
• Overpressure and impulse determine building damage
• Expressions scale with distance and explosive payload (limited by vehicle capacity)
• Estimate “safe” distances and payloads (risk factors) to yield risk metrics and inform mitigation strategy
Explosive Threats: Effect of Distance and Payload on Risk Factors
[Figure: Distance (feet, 0 to 1800) versus Net Explosive Weight (lbs-TNT, ticks at 0, 10, 100, 1000, 10000, 50000), with damage regions labelled Total Destruction; Failure of Concrete Walls; Minor Building Damage; Window Glass Breakage/Some Minor Building Damage]
Example: Internal Contamination from External Chemical Vapor Threats
• The percentage of contaminated room air as a function of time is given by a simple first order differential equation
• The solution is the exponential function, C = C₀e^(Rt)
• Calculating the time, t, knowing the rate of air exchange across the facade, R, yields a risk metric
• Shelter-in-place as a mitigation strategy?
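The timing calculation on this slide, as an added example (not the deck's own code). The deck writes the solution as C = C₀e^(Rt); the code below uses the complementary bounded form of the same first-order exchange equation, in which the still-clean fraction of room air decays as e^(−Rt), the form the deck itself notes later when it says R = R₀e^(−λt) also describes room contamination. The exchange rates for "leaky" and "air-tight", the tolerable contamination level and the plume duration are constructed assumptions.

```python
import math

# Constructed air-exchange rates in air changes per hour (assumptions for the
# example, not values read from the deck's chart).
EXCHANGE_RATES_PER_HOUR = {"leaky": 1.0, "air-tight": 0.1}


def contaminated_fraction(exchange_rate_per_hour, minutes):
    """Fraction of room air that is outside (contaminated) air after `minutes`.

    First-order exchange: the clean fraction decays as exp(-R t), so the
    contaminated fraction is 1 - exp(-R t) and approaches 1 (100%)."""
    hours = minutes / 60.0
    return 1.0 - math.exp(-exchange_rate_per_hour * hours)


def minutes_to_reach(exchange_rate_per_hour, fraction):
    """Risk metric: minutes until contamination reaches `fraction` of the
    outside concentration, solving 1 - exp(-R t) = fraction for t."""
    if not 0.0 <= fraction < 1.0:
        raise ValueError("fraction must be in [0, 1)")
    hours = -math.log(1.0 - fraction) / exchange_rate_per_hour
    return hours * 60.0


def shelter_in_place_assessment(exchange_rate_per_hour, tolerable_fraction, plume_minutes):
    """Does sheltering keep the room under the tolerable fraction for the whole
    time the external plume is present? Returns the time budget and a verdict."""
    budget = minutes_to_reach(exchange_rate_per_hour, tolerable_fraction)
    return {
        "minutes_until_limit": budget,
        "protects_for_plume": budget >= plume_minutes,
    }


def compare_buildings(tolerable_fraction, plume_minutes):
    """Run the assessment for each constructed building type."""
    return {
        name: shelter_in_place_assessment(rate, tolerable_fraction, plume_minutes)
        for name, rate in EXCHANGE_RATES_PER_HOUR.items()
    }


if __name__ == "__main__":
    # Constructed scenario: stay below 10% contamination for a 30-minute plume.
    for name, result in compare_buildings(0.10, 30).items():
        print(name, round(result["minutes_until_limit"], 1), result["protects_for_plume"])
```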
Percentage of Room Contamination as a Function of Time
[Figure: Percentage of Contaminated Room Air versus Minutes, with curves for a Leaky and an Air-Tight building]
Time and Distance Risk Factors: Recurring Physical Models
• Harmonic oscillator (mass on a spring); f = -kx
• Point sources of energy; Intensity ~ 1/r²
• Exponential increase or decay; rate of change with time or distance is proportional to the amount of “stuff” present
The Building as a Harmonic Oscillator:
Response to Explosive Forces
Time duration of explosive force (relative to the natural period of vibration) determines if overpressure or impulse dominates
Point Sources of Radiated Energy: Vulnerability to Radiofrequency
Interception
Exponential Decay: Radioactivity (R) of Isotopes
R = R₀e^(−λt). Also describes the room contamination shown previously.
What About Non-Physical Threats like Property Theft?
• Threat = theft of property in a facility
• Risk factor = unauthorized physical access*
• Measure the number of unauthorized entries with existing systems; indirect measurement of risk
• Apply enhanced risk mitigation if required
• Measure again after deployment of enhanced mitigation

* Note! Thefts can occur courtesy of authorized individuals too. Must identify other risk factors
More Non-Physical Threats: Computer Virus Persistence
• Social network (e.g., e-mail) connectivity described by a power law, P(k) = k^(−γ); so-called “scale-free” distribution
• Connectivity (i.e., number of links/node), k, directly affects the probability of a virus infecting other nodes
• Network size, connectivity, and number of nodes are risk factors for computer virus persistence
Infection Dynamics on the Internet; David B. Chang and Carl S. Young, Computers and Security, 24, 280-286 (2005)
Living with Uncertainty: Measuring the Likelihood
Component of Risk
Standard Deviation and Uncertainty: The Certainty of Uncertainty
Randomly occurring incidents or stable scenarios: the uncertainty is characterized by the standard deviation, σ ~ √N (N = number of incidents)
Good news! We are certain about the uncertainty for random or stable incident scenarios
Establish confidence intervals for the likelihood of future incidents
Uncertainty Gives Way to Anxiety
You still feel uneasy about the inherent uncertainty of security risk
How can you relieve the stress?
Decreasing Uncertainty: More Incidents!
• N = the number of security incidents
• σ = standard deviation = uncertainty in distribution of randomly occurring incidents
• Let’s say σ = N/10. σ = √N = N/10, so N = 100
• You won’t be happy unless σ = N/100
• σ = √N = N/100, so N = 10,000
• Do you really want more incidents to reduce uncertainty?
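A worked version of the σ ~ √N arithmetic on this slide and the confidence-interval slide before it, as an added example (not from the deck): it returns the count-based uncertainty, the N needed for a target relative uncertainty, a normal-approximation interval for the annual incident rate, and the chance that a quiet period is just luck (the "perhaps you've just been lucky" question from slide 20). The incident counts, rates and observation windows used are constructed.

```python
import math
from statistics import NormalDist


def count_uncertainty(n_incidents):
    """sigma ~ sqrt(N) for randomly occurring (Poisson-like) incidents.
    Returns (absolute sigma, relative sigma = sigma / N)."""
    if n_incidents <= 0:
        raise ValueError("need at least one observed incident")
    sigma = math.sqrt(n_incidents)
    return sigma, sigma / n_incidents


def incidents_for_relative_uncertainty(target_relative):
    """Invert sqrt(N)/N = target: N = 1 / target**2.
    sigma = N/10 needs 100 incidents; sigma = N/100 needs 10,000."""
    return round(1.0 / target_relative ** 2)


def years_to_reach(target_relative, annual_rate):
    """How long a stable scenario must be observed to accumulate that many
    incidents at the given annual rate (the 'price' of less uncertainty)."""
    return incidents_for_relative_uncertainty(target_relative) / annual_rate


def rate_confidence_interval(n_incidents, years_observed, confidence=0.95):
    """Confidence interval for the annual incident rate using the normal
    approximation to the Poisson count: rate +/- z * sqrt(N) / years.
    Valid only for random or stable scenarios, as the deck stresses."""
    z = NormalDist().inv_cdf(0.5 + confidence / 2.0)
    rate = n_incidents / years_observed
    half_width = z * math.sqrt(n_incidents) / years_observed
    return max(0.0, rate - half_width), rate + half_width


def probability_of_no_incidents(annual_rate, years=1.0):
    """Poisson P(0) = exp(-rate * years): how often a genuinely exposed
    organisation sees a quiet period even though the threat is real."""
    return math.exp(-annual_rate * years)


if __name__ == "__main__":
    # Constructed history: 25 incidents over 5 years of a stable scenario.
    print(count_uncertainty(25))                     # (5.0, 0.2)
    print(incidents_for_relative_uncertainty(0.1))   # 100
    print(incidents_for_relative_uncertainty(0.01))  # 10000
    print(years_to_reach(0.1, 5.0))                  # 20.0 years at 5 incidents/year
    print(rate_confidence_interval(25, 5))           # about (3.04, 6.96) per year
    print(probability_of_no_incidents(0.5, 1))       # about 0.61
```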
Increasing Uncertainty: Give the Bad Guys More Options
• You are the security director of a large company
• A terrorist attack against one of your company’s 10 facilities is virtually certain
• Probability of attack at a single facility is 1/10
• You recommend building 10 new facilities
• Probability is now only 1/20!
• See previous job advertisement for security director opening
Uncertainty Can Be Your Friend! Increasing Noise
• You are on a secret mission and concerned about electronic surveillance by the enemy
• Assume: transmitter signal (S) and ambient noise (N) are uncorrelated and radio frequency noise is random
• Signal averaging limit = S/N = √n(S/σ); σ = the standard deviation (uncertainty) of one measurement caused by noise, n = # measurements in enemy signal averaging
• Want the enemy to have large uncertainty in his/her measurement (i.e., large σ)
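The signal-averaging limit on this slide turned into a defender's metric, as an added example (not the deck's code): given the transmitter signal S and the per-measurement noise σ, how many averaged measurements n an interceptor needs to reach a target S/N, plus a Monte Carlo check that averaging n uncorrelated Gaussian readings really improves S/N by √n. Signal, noise and target values are constructed.

```python
import math
import random


def averaged_snr(signal, sigma, n_measurements):
    """Signal-averaging limit from the slide: S/N = sqrt(n) * (S / sigma)."""
    return math.sqrt(n_measurements) * signal / sigma


def measurements_needed(signal, sigma, target_snr):
    """Defender's metric: smallest n for which sqrt(n) * S/sigma >= target.
    Doubling the ambient noise sigma quadruples the interceptor's workload."""
    return math.ceil((target_snr * sigma / signal) ** 2)


def simulate_averaged_snr(signal, sigma, n_measurements, trials=2000, seed=1):
    """Monte Carlo check of the sqrt(n) law: average n readings of a constant
    signal buried in uncorrelated Gaussian noise, repeat `trials` times, and
    report mean(average) / std(average) as the achieved S/N."""
    rng = random.Random(seed)
    averages = []
    for _ in range(trials):
        total = 0.0
        for _ in range(n_measurements):
            total += signal + rng.gauss(0.0, sigma)
        averages.append(total / n_measurements)
    mean = sum(averages) / trials
    variance = sum((a - mean) ** 2 for a in averages) / (trials - 1)
    return mean / math.sqrt(variance)


if __name__ == "__main__":
    # Constructed values: signal 1.0, noise sigma 2.0, interceptor wants S/N = 10.
    print(measurements_needed(1.0, 2.0, 10))              # 400
    print(measurements_needed(1.0, 4.0, 10))              # 1600 after doubling sigma
    print(round(simulate_averaged_snr(1.0, 2.0, 400), 1))  # close to 10
```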
Uncertainty and the Vulnerability Component of Risk*
• Overpressure and impulse cause injuries mostly via glass breakage; recall scaling with distance and explosive payload
• Characterize uncertainty in distance and payload as normal distributions
• Model window behavior as a mass on a spring
• Determine the window “probability of protection” in terms of potential distance and payload scenarios
* Probabilistic Estimates of Vulnerability to Explosive Overpressures and Impulses; D.B. Chang, C.S. Young, The Journal of Physical Security, Volume 4(2), 2010
Lessons on Uncertainty
• There is always uncertainty in measuring the likelihood component of risk
• The degree of uncertainty is known for random or stable threat scenarios
• The degree of uncertainty is unknown for all other threat scenarios
• Need to recognize which is which
Putting it All Together: A Risk Assessment and Mitigation Framework
The Risk Management Process
[Diagram: The Risk Management Process. Nodes and connecting labels: Unique Threat; Characterized by Risk; Manifested By: Likelihood of Threat Occurrence, Vulnerability to Threat Occurrence, Impact of Threat Occurrence; Risk Models (Utilizes Assessments; Drives Mitigation); Risk Factor 1, Risk Factor 2, ..., Risk Factor N (Measures); Generates Mitigation 1, Mitigation 2, ..., Mitigation N, each with a Performance Criterion/Specifications; Based On: Standards, Metrics, Organizational Tolerance for Risk, Operational Requirements]
Example: Visual Monitoring
• Control = visual monitoring
• Method = CCTV
• Operational requirement = identification-level
• Current operational capability = recognition-level
• Camera and monitor performance specification = 60 pixels/linear foot of the horizontal scene
• Cost of upgrade to meet enhanced operational requirement = ?
• Directly relate risk to the cost of risk mitigation
Threats, Risk, Fear and Uncertainty Summary
• Threats are bad (but they’re only relatively bad)
• Fear of threats is also bad (but not for security consultants)
• Directors of security manage risk by making risk component trade-offs (but for a lot less than $1M a year!)
• Risk is inherently uncertain (but what isn’t?)
• Uncertainty can be reduced (but at a price)