Russell Thomas, developer of the Ten Dimensions of Cyber Security Performance that I’ve discussed earlier, has posted a very short comment on this week’s blog post about Ralph Langner’s critique of the Cybersecurity Framework. Actually, Russell’s comment was a link to a very lengthy (even by my standards) blog post about Ralph’s general criticism of cyber risk management. It is readily apparent that Ralph and Russell approach cybersecurity from two completely different backgrounds, but they both bring valuable ideas to the discussion of risk management to which the control system community should pay close attention.
Anyone who is seriously interested in the theoretical basis for cybersecurity risk management needs to follow Russell’s blog, Exploring Possibility Space. Russell is an innovative thinker and draws upon a number of academic disciplines in formulating his ideas. There is a tendency to slip into academic speak from time to time, but his ideas are certainly worth the effort to wade through that jargon when it arises.
I highly recommend that anyone seriously invested in cybersecurity risk management should read Russell’s post about Ralph’s approach to risk management. I’ll try to hit the highlights here.
Russell points out that both he and Ralph agree that there is little empirical justification for what Russell calls “Little ‘r’ risk” (see his post on ‘risk vs Risk’) management. Ralph sees this as a reason to ignore formal risk management techniques. Russell sees this as a reason to extend the study of Risk management so that there is a useful theoretical basis for developing and evaluating risk management techniques.
This is the classic argument between theoreticians and technicians in any newly developing field. In the short run Ralph’s arguments are certainly justifiable, but in the longer run it will be folks like Russell who will provide us with a solid basis for securing the cyber enterprise, particularly on the control system side. That is, if Ralph and his compatriots can cobble together a relatively effective cybersecurity program that prevents catastrophic attacks in the meantime.
Again Russell and Ralph mainly agree that the currently accepted theories on probabilistic risk are lacking in practical applications. Again, Ralph sees this as a reason to eschew the study of probabilistic risk management for work on actual applications. Russell’s approach is to change the way we look at probabilistic risk management to make it more practical. He provides one of his papers, “How Bad is it? – A Branching Activity Model to Estimate the Impact of Information Security Breaches”, as an example of the new types of research that are expanding the usefulness of the technique.
Once again, I think that these two have more in common than it initially appears. I would love to see these two on a panel discussing this topic (Dale or Joe, please note the suggestion). An effective melding of their viewpoints would be very beneficial to the cybersecurity enterprise.