Pragmatic Cyber Risk Quantification

ISC2 presents Jack Jones, founder of FAIR.

Quantitative risk analysis is achievable, can be pragmatic, and can actually out-perform qualitative risk analysis in the face of complex issues like intelligent adversaries. Join Jack Jones, the original author of the Factor Analysis of Information Risk (FAIR) framework and (ISC)2 to learn more about FAIR. Jack will highlight both the quantitative use-cases as well as the ways in which FAIR can be leveraged to improve qualitative risk analysis.

Jack is an old friend and mentor.

I encourage readers to check out the FAIR Institute.

Along the Lines of Edward Snowden

President Trump put out a communications blackout and now many Federal agencies are leaking information to the press, just like something Edward Snowden would do. Or is it?

Most of the resistance is coming from agencies with a focus on environmental protection and scientific research. Several federal Twitter accounts have begun posting social media messages, some of them simply facts about climate change. Trump has notably expressed skepticism about climate science.

An example is Badlands National Park’s tweets regarding increasing pollution levels.

PBS calls this a digital insurrection.

ID Theft Breach Report in 2016 – 3 Breaches a Day

The Identity Theft Resource Center creates an Annual Data Breach Report and the results are fascinating!

There has been 1,093 breaches in 2016, that’s about 3 a day.

It should be noted that data breaches are not all alike. Security breaches can be broken down into a number of additional sub-categories by what happened and what information (data) was exposed. What they all have in common is they usually contain personal identifying information (PII) in a format easily read by thieves, in other words, not encrypted.

The ITRC currently tracks seven categories of data loss methods:

● Insider Theft ● Hacking ● Data on the Move ● Subcontractor/Third Party ● Employee Error/Negligence ● Accidental Web/Internet Exposure ● Physical Theft

The ITRC currently tracks four types of information compromised:

● Social Security number ● Credit/Debit Card number ● Email/Password/User Name ● Protected Health Information (PHI)

For the eighth consecutive year, hacking/skimming/phishing attacks were the leading cause of data breach incidents, accounting for 55.5 percent of the overall number of breaches.

Why is that though? Most companies have some sort of user awareness training. Many people though, think that training is a waste of time, or it sucks or it is boring. Also, most companies don’t have dedicated security awareness staff. Out of most security models and frameworks, if you really look at them, you’ll notice that many domains have their own dedicated staff, then for security awareness, it’s just a shared responsibility that staff may give 10% of their time to if nothing else comes up. Is that the right answer to solve this “going on 9 years” growing problem?

Maybe it should be that the real problem is a behavioral employee problem and not just a security team’s partial problem. HR, training, corporate communications and Information Security need to handle this problem. It’s a team effort!

Giuliani is The President’s Cybersecurity Advisor

Former Mayor Rudy Giuliani has been named the President’s Cybersecurity Advisor. There is a lot of public opinion from infosec and hacker communities alike since Rudy’s website,, had security vulnerabilities (and now no longer resolves).

My Security Website Was Brought Offline?!

Giuliani introduced CompStat to the NYPD…

CompStat was started by Jack Maple when he was a Transit police officer in New York City. The system was called Charts of the Future and was simple – it tracked crime through pins stuck in maps. Charts of the Future is credited with cutting subway crime by 27 percent.

The original commanding officer of the Transit Police Crime Analysis Unit was Lieutenant Richard Vasconi. Chief of New York City Transit Police William J. Bratton was later appointed Police Commissioner by Rudolph Giuliani, and he brought Maple’s Charts of the Future with him. Not without a bit of struggle, he made the NYPD adopt it after it was re-branded as CompStat, and it was credited with bringing down crime by 60%. There was a CompStat meeting every month, and it was mandatory for police officials to attend. The year after CompStat was adopted, 1995, murders dropped to 1,181. By 2003, there were 596 murders—the lowest number since 1964.

Later on, Giuliani introduced CapStat, Citywide Accountability Program, a derivative of CompStat.

Rudy’s process is quoted in the book Traction: Getting a Grip On Your Business, which is easy to read, a best seller, and a must read for everyone!

Now here’s the thing though… was a static, informational website, that had nothing really on it. Just some public data and a method to reach out to contact/contract his firm. Should we the people care that much or put a lot of thought into that?

It’s reputational and a loss to our confidence that was sitting on a four year old, outdated Joomla platform. In my opinion, that is a horrible resume for a position as a CyberSecurity Advisor for any company, let alone to the President (I say as I check my patches on my own website). That being said though, I think there can be some positive changes in how the management of cyber-threats can be met with.