Tuesday, May 31, 2011

Security and risk: Brian Snow on Information Security in a .

Risk-based security is incredibly popular in information security nowadays. However, it is not the only way. I listened to episode 191 of the Risky Business podcast. In that episode, Patrick Gray interviews Brian Snow, former NSA technical director. He offers some experience-based thoughts on probabilistic risk assessment (PRA) and proposes alternative approaches in infosec:

About PRA:
- Useful in scenarios with benign players (e.g. when Nature is the threat agent).
- Useful when there is enough good, solid statistical data in the form of distribution curves and failure rates.
- The difficulty comes when trying to mitigate:
a. high-impact risks with very, very low probability, or
b. a smattering of low-probability, low-impact events that, if all of them occur in concert, produce a huge shock.
- Probabilistic risk assessment does not take malice into consideration. When malice comes into play, distribution curves do not matter: the adversary chooses when and where the event happens instead of leaving it to chance.
- Attackers do not use PRA as their main methodology to select targets (I would add that they pick their targets based on relevance, i.e. the benefit-to-risk ratio, and on the possible economic or mental benefit).
- PRA works well for reliability in a benign environment.

Thinking outside PRA (e.g. in product security)

Designing security:
- Economic terms help, i.e. design a system that is cheaper to produce than the effort required to break it (breaking it should take years, even decades!).
- How much (money) can the attacker devote to hitting us?
- Forget trying to estimate the chance of malicious acts; instead, get people on your security team to think like the opponent. Look for the malice.
- Commercial product developers are not taught to counter malice.
- Military design principles, e.g. simple interfaces, are needed when you counter malice.
- It takes time to design security (a quick time to market is not possible).
- Will the product keep working while under attack? This is a key question to answer.
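To make the contrast concrete, here is a small added example of my own (it is not from the podcast, from Brian Snow, or from anything else on this page). It covers two of the points above: the "in concert" events that PRA discounts, and the question of how much money the attacker can devote to hitting us. The events, probabilities, impacts and attack costs are constructed sample data, and the attacker model (an adversary with a fixed budget who picks whichever combination of events hurts the most) is my assumption, not a method the interview describes.

```python
"""Why PRA and an adversarial view rank the same events differently.

Added illustration, not code from the podcast or the blog post.
Assumptions (mine): each event has an annual probability under benign
conditions, an impact if it happens on its own, and a cost an attacker
must spend to cause it deliberately. A designated set of events is
"in concert": if all of them happen together, the combined impact is far
larger than the sum of the individual impacts.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Event:
    name: str
    probability: float   # annual probability under benign conditions
    impact: float        # loss if the event occurs on its own
    attack_cost: float   # what an attacker must spend to cause it on purpose


# Constructed sample data (not real figures).
EVENTS = [
    Event("datacentre flood", 0.001, 5_000_000, 10_000_000),  # Nature; very costly to cause
    Event("stale backup credentials", 0.05, 20_000, 5_000),
    Event("monitoring gap at night", 0.05, 10_000, 2_000),
    Event("unpatched edge box", 0.05, 30_000, 8_000),
    Event("phished contractor", 0.05, 20_000, 3_000),
]
# The four cheap, low-impact events that together allow a catastrophe.
CONCERT = {"stale backup credentials", "monitoring gap at night",
           "unpatched edge box", "phished contractor"}
CONCERT_IMPACT = 50_000_000  # constructed: joint occurrence is a disaster


def independence_probability(events):
    """Probability that all given events occur, assuming independence."""
    p = 1.0
    for e in events:
        p *= e.probability
    return p


def pra_expected_loss(events=EVENTS):
    """Classic PRA: annualised loss expectancy with independent events.

    Returns (expected_annual_loss, probability_of_the_concert_scenario).
    """
    ale = sum(e.probability * e.impact for e in events)
    concert = [e for e in events if e.name in CONCERT]
    p_concert = independence_probability(concert)
    return ale + p_concert * CONCERT_IMPACT, p_concert


def adversary_worst_case(budget, events=EVENTS):
    """Worst loss an attacker can inflict within `budget`.

    Brute-force knapsack over the (small) set of events: the attacker picks
    the subset that maximises impact, earning the concert bonus when the
    whole concert set is included. Returns (loss, tuple_of_event_names).
    """
    best = (0, ())
    for r in range(1, len(events) + 1):
        for subset in combinations(events, r):
            cost = sum(e.attack_cost for e in subset)
            if cost > budget:
                continue
            loss = sum(e.impact for e in subset)
            if CONCERT <= {e.name for e in subset}:
                loss += CONCERT_IMPACT
            if loss > best[0]:
                best = (loss, tuple(e.name for e in subset))
    return best


if __name__ == "__main__":
    ale, p_concert = pra_expected_loss()
    print(f"PRA expected annual loss: {ale:,.0f}")
    print(f"PRA weight of the concert scenario: p={p_concert:.2e}, "
          f"contribution {p_concert * CONCERT_IMPACT:,.0f} per year")
    for budget in (10_000, 20_000):
        loss, picks = adversary_worst_case(budget)
        print(f"Attacker budget {budget:,}: worst-case loss {loss:,} via {picks}")
```

Under independence the four-event combination is weighted at 0.05^4, so the PRA contribution of the catastrophe is a few hundred currency units per year and it would never make it onto a mitigation list. The adversarial view asks a different question: with a budget of 20,000 the attacker can afford all four cheap events and collect the full 50 million, while with 10,000 the best they can do is 50,000. The attacker's budget, not the distribution curves, is what decides the outcome.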

Practising security:
- Have a holistic attack team, from the start of the project, that systematically attacks the product.
- Three recommendations:
a. Make certain that you understand the interactions among the different scenario dimensions and players. Pay the most attention to the interactions.
b. Once you are under attack, whom can you call on for help? Look for partnerships (especially intelligence sharing) within the industry, even among competitors (e.g. CERTs already do that).
c. Write some attack scenarios yourself (even at design time). Think ahead and educate yourself against them already at design time.

Food for thought. Enjoy and endure it!
Happy June!
