I regularly hear questions and doubts about the term “unacceptable events”, which Positive Technologies uses in its messaging. Many opponents believe that there is no need to introduce new entities unnecessarily, and that the already familiar terms “threat” and “risk” are quite enough. I would like to reflect a little on this subject.
The idea of introducing a new term comes from a very simple observation: at the level of top management, these terms simply do not land. At all. They are too technocratic, complex and incomprehensible. Take “threat”, for example. Violation of confidentiality, integrity, availability... Ugh. This is perfectly clear to any security officer, which cannot be said of a financial director or a chief operating officer. You can talk to them about risks, which is what the risk managers do, preparing sheets called the “risk register” that contain hundreds of all sorts of dangers that can befall the company. Moreover, these are dangers from completely different areas, cybersecurity being only one of them. And now the CEO sits in his soft leather chair, and on the table in front of him is a sheet with hundreds of items and a bunch of fields for each risk: owner, probability, damage, priority, thresholds, residual risk, management strategy, mitigation plan, revision date and so on. And, of course, the questions begin:
- How do you calculate the probability? What if the event has never happened yet?
- How did you calculate the damage? Did you agree it with the owner?
- What is residual risk? So it turns out the risks still remain?
Of course, a good risk manager will answer all these questions, but how many of us have one? When you mention the threat of a personal data leak in a conversation with colleagues, do you evaluate its probability or damage? Most likely you set the probability equal to one (we look not in terms of “if” but in terms of “when”). And the damage?
When you decide whether to spend money on CASCO (comprehensive car insurance) or not, do you accurately assess the real probability or frequency of getting into an accident or having your car stolen? Most likely you assess the damage at a conceptual level, with the cost of the car as the upper bound.
So why, when it comes to unacceptable events, is everyone so categorical and so insistent that they are not measurable? First try measuring threats, and only then make such a demand of unacceptable events. Take, for example, the threat of dataset substitution in an information system based on artificial intelligence. You are generally unable to assess either its probability or the damage from it, since you do not have the initial data for such a calculation. So what, should we not protect artificial intelligence now?
Honestly, can you quantify every information security risk that you consider important enough to bring to the level of company management? Most likely it will all end in a sham, that is, a “traffic light” or a heat map that ranks all of your risks as high, medium or low.
And when the CEO asks you what was meant by a critical risk, you will not be able to give him anything concrete. At best, you will refer to an expert opinion that has nothing to do with a real risk assessment. More advanced information security specialists will prepare a matrix that helps clarify the difference between minor and catastrophic consequences, as well as between rare and probable events. It can look something like this:
Does anything bother you about it? Personally, yes. For example, a risk with a probability of realization above 90% and almost no consequences, one that is dealt with as part of daily operations, is assessed as “high” (only “extreme” is higher). Well, that’s bullshit, if you think about it. How can there be a high risk that is eliminated without any strain? And this is often the case with IS risk assessment. On top of that, there is the problem of assessing what is new: for it, at least, there is no probability yet. That is why I do not like risks, although I understand that the word itself has long taken root in the business environment. But it is precisely in the context of information security that it has degraded. Or, to look at it from a more positive side, it has not yet grown to a state of maturity. And here we have two ways the situation can develop:
- Start developing the skills of real information security risk assessment, with an evidence base on the likelihood of occurrence and the damage from realization. A very worthy research task, but hard to implement if you did not work at a Big Four firm and did not manage to take the necessary Excel workbooks with a bunch of tabs and beautiful diagrams with you when you left. True, the question of the initial data for the calculations still remains open.
- Put into circulation a new term that has no negative connotations behind it and makes it possible to explain to top managers, in simple and understandable language, what bad things can happen to a company, what a CxO-level manager should think about, and how that is refracted through cybersecurity. This is where unacceptable events come into play.
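To make the matrix problem from above concrete, here is an added example (not code from the original post): a 5x5 likelihood by consequence matrix in the common AS/NZS 4360-style layout, assumed here since the post's own picture is not reproduced, beside an expected-loss calculation over a constructed four-item risk register, listing the pairs that the two methods rank in opposite order.

```python
# Added example (not from the original post): a 5x5 likelihood x consequence matrix
# in the common AS/NZS 4360-style layout (assumption: your organisation's matrix may
# differ) compared with an expected-loss ranking over a constructed risk register.

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Row = likelihood level, column = consequence level 1..5; L/M/H/E = low/medium/high/extreme.
MATRIX = {5: "HHEEE", 4: "MHHEE", 3: "LMHEE", 2: "LLMHE", 1: "LLMHH"}
RANK = {"L": 0, "M": 1, "H": 2, "E": 3}


def matrix_rating(likelihood: str, consequence: str) -> str:
    """Qualitative rating from the matrix, e.g. ('almost certain', 'insignificant') -> 'H'."""
    return MATRIX[LIKELIHOOD[likelihood]][CONSEQUENCE[consequence] - 1]


def expected_annual_loss(events_per_year: float, loss_per_event: float) -> float:
    """Quantitative view: average cost of the risk per year."""
    return events_per_year * loss_per_event


# Constructed register: (name, likelihood, consequence, events per year, loss per event).
RISKS = [
    ("phishing mail reaches a mailbox", "almost certain", "insignificant", 250, 200),
    ("fraudulent supplier payment", "unlikely", "moderate", 0.2, 400_000),
    ("ransomware outage of core ERP", "unlikely", "catastrophic", 0.05, 20_000_000),
    ("lost encrypted laptop", "likely", "minor", 4, 3_000),
]


def rank_inversions(risks):
    """Pairs (a, b) where the matrix rates a strictly above b but a's expected loss is lower."""
    scored = [(name, RANK[matrix_rating(lk, cq)], expected_annual_loss(f, loss))
              for name, lk, cq, f, loss in risks]
    return [(a, b) for a, ra, ea in scored for b, rb, eb in scored if ra > rb and ea < eb]


if __name__ == "__main__":
    for name, lk, cq, f, loss in RISKS:
        print(f"{name:32} matrix={matrix_rating(lk, cq)}  "
              f"expected loss/year={expected_annual_loss(f, loss):>12,.0f}")
    for a, b in rank_inversions(RISKS):
        print(f"matrix ranks '{a}' above '{b}', expected loss says the opposite")
```

The daily-nuisance phishing item and the lost laptop both come out "high", above the "medium" supplier fraud, even though the fraud costs more per year; the matrix also rates "almost certain + insignificant" and "rare + catastrophic" identically.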
Unacceptable events are events that, as a result of cyber attacks, make it impossible for an enterprise, industry or state to achieve its operational and strategic goals, or lead to a long-term disruption of its main activity.
Their purpose is not to replace risks and threats but to offer more understandable terminology at the top level of enterprise management. If threats are determined by information security specialists, and risks by the risk managers or the head of information security, then unacceptable events are determined by the top managers. It is nonsense when unacceptable events are determined by IS specialists; that too turns into a sham. The idea is completely different: to involve the business in cybersecurity. If you succeed with the help of “threats” or “risks”, fine, but if not? This is where “unacceptable events” help.
Let’s look at a slightly different story. When you talk about a SOC, what picture comes to mind? Something that allows you to monitor threats? And what about responding? After all, that is the whole point of monitoring. Why do you need to know that you are being robbed right now if you can’t do anything about it?
Some security that is. That is why, instead of SOC, we at Positive Technologies began to use the term “threat counteraction center”. It is the same story with “unacceptable events”. You can fight established practice, spending effort on explaining the obvious and re-educating the lost, or you can try to start from scratch by introducing a new term and promoting it. That is often a much easier way to achieve results than trying to go against the wind.
“Unacceptable events, risks or threats to information security?” was first published on Business without danger.