A SQL client doing a backup or sync of databases, a data-transfer that may not include CHD but is still connecting and communicating with the CHE, monitoring systems that increasingly have the ability to run “root” commands to auto-correct problems, …

There are lots of other connections that are home-grown based on the application and environment that still provide connections.

I have always looked at connected systems as a system that has a connection At a simplest layer UDP is stateless and does not have a “connection” although it is possible to tunnel connections through UDP so a proper evaluation should be done on the communication happening and determine if it is actually a connection or just a burst of information (snmp trap). Also, risk should be considered when looking.

The connection clause has caused me endless arguments and I look forward to one day it being clarified better by the SSC.

I’ve said for a long time that nobody will sufficiently dedicate the attention that cybersecurity deserves on the critical infrastructure level unless and until people start to die because of cyber-insecurity. And, of course, when that happens, there’s a very high risk that bad policies/laws will follow. I talked a bit about this in an interview a while back on Team Cymru’s Who and Why show.

http://www.youtube.com/watch?v=mVQa5ciidNM

Thank you for such a thorough review and for being a part of the book tour.

I meant to address another point you made, as well. You said highly subjective risk measures are either neglected or merely alluded to in my book. I would say I spend quite a lot of time on that point. In fact, I discuss in detailed the research behind measuring subjective assessments of risk and devote an entire chapter to the limits of expert knowledge (i.e. subjective estimates based on experience). I then go on to show how subjective assessments of uncertainty can and should be used in quantitative models – but only after “calibration” training of experts.

Risk is also “subjective” by virtue of the fact that you have to decided *whose* risk you are modeling. But moral hazard itself doesn’t mean the risk to the victim of moral hazard (i.e. an insurer) is subjective. On the contrary, it is routinely meausred. Even subjective behavior is objectively measurable. I describe in detail how subjective risk tolerances, for example, can be objectively quantified with the “investment boundary” or risk/return utility curve. I spend deliberate time in the third section of the book describing conflicts of interest and other behavioral aspects of managing risks. But this should not be confused with being subjective, since there is a lot of objective data about the behavior of humans in such situations.

Thanks again for your post.
Doug Hubbard

You asked about why I didn’t mention FAIR, FRAP, or OCTAVE. If I wrote a book about risk management in infosec, or even IT risks in general, I would have mentioned them. (The exception is that I do mention NIST 800-30 but only as an example of a qualitative method from one of the many industries that have created their own recipes for risk analysis).

But I wrote a book about the very broad cross-industry, cross-specialty topic of risk management. Even though those methods may be well known within info sec, they are not actually well known to people outside of infosec such as actuarial science, financial portfolio management or probabilistic risk assessment used in nuclear power. Nor are they even remotely representative of the methods used in other fields. FAIR, for example, uses some probabilistic methods but most of my work is outside of information security and when I talk to probabilistic risk assessment experts in most industries, I doubt I will find that even the most advanced experts in Monte Carlo simulations will have heard of FAIR. Depending on the profession a person is from, they may assume QRM, PRA, FMEA, HAZOP or even just plain actuarial science are the methods that represent risk assessment.

Poll three actuaries or financial portfolio analysts and I’ll bet you won’t find one that heard of any of the methods you mentioned. Nor would most books on QRM, PRA, or FMEA for fananncial analysts or engineers mention FAIR or OCTOAVE. This isn’t that actuaries or risk analysts in finance are less sophisticated – they are actually much more sophisticated that most other professions in risk management. Its just that there are numerous industries that have come up with something on their own and given it an acronym you never heard of. And each have come to believe that their industry method is actually how risk analysis is done in general – and that their peculiar acronyms are the same ones all risk management professionals use.

That’s part of the problem I discuss in the book. Most of these methods are not created by quantitative risk experts, but by industry subject matter experts with almost no input from well-developed methods used by the broader risk industry. As you can see, my book was about many areas of risk analysis without spending too much time in an single area. The problems I talk about regarding risk management are mostly industry-generic and I only mention cases in select industries to illustrate particular points.

Part of my objective with the book was to get all industries – including info sec – out of their “shell” so that they realize that what they do is not necessarilly representative of all risk management. And, hopefully, learn from other risk professionals applying methods they haven’t ever heard of.

Thanks again for posting this thought on your blog.
Doug Hubbard