Russell Thomas, developer of the Ten Dimensions of Cyber Security Performance that I’ve discussed earlier, has posted a very short comment on this week’s blog post about Ralph Langner’s critique of the Cybersecurity Framework. Actually, Russell’s comment was a link to a very lengthy (even by my standards) blog post about Ralph’s general criticism of cyber risk management. It is readily apparent that Ralph and Russell approach cybersecurity from two completely different backgrounds, but they both bring valuable ideas to the discussion of risk management, and the control system community should pay close attention to both.
Anyone who is seriously interested in the theoretical basis for cybersecurity risk management needs to follow Russell’s blog, Exploring Possibility Space. Russell is an innovative thinker and draws upon a number of academic disciplines in formulating his ideas. He has a tendency to slip into academic speak from time to time, but his ideas are certainly worth the effort of wading through that jargon when it arises.
I highly recommend that anyone seriously invested in cybersecurity risk management read Russell’s post about Ralph’s approach to risk management. I’ll try to hit the highlights here.
Empirical Justification
Russell points out that he and Ralph agree that there is little empirical justification for the management of what Russell calls “little ‘r’ risk” (see his post on ‘risk vs Risk’). Ralph sees this as a reason to ignore formal risk management techniques. Russell sees it as a reason to extend the study of Risk management so that there is a useful theoretical basis for developing and evaluating risk management techniques.
This is the classic argument between theoreticians and technicians in any newly developing field. In the short run Ralph’s arguments are certainly justifiable, but in the longer run it will be folks like Russell who provide us with a solid basis for securing the cyber enterprise, particularly on the control system side. That is, if Ralph and his compatriots can cobble together a relatively effective cybersecurity program that prevents catastrophic attacks in the meantime.
Practical Feasibility
Again, Russell and Ralph mainly agree that the currently accepted theories of probabilistic risk are lacking in practical applications. And again, Ralph sees this as a reason to eschew the study of probabilistic risk management in favor of work on actual applications. Russell’s approach is to change the way we look at probabilistic risk management to make it more practical. He offers one of his papers, “How Bad is it? – A Branching Activity Model to Estimate the Impact of Information Security Breaches”, as an example of the new types of research that are expanding the usefulness of the technique.
Once again, I think that these two have more in common than it initially appears. I would love to see the two of them on a panel discussing this topic (Dale or Joe, please note the suggestion). An effective melding of their viewpoints would be very beneficial to the cybersecurity enterprise.
2 comments:
Thanks a million, Patrick. I'm flattered, but more important, I'm honored to receive your attention and recommendation.
About "jargon", there are times when I'm writing about academic topics so I need to use the terms and language of that domain. But I definitely try to avoid jargon when simpler and more common terms are available.
Russ
Thanks so much, Patrick. I'm flattered and honored by your thoughtful attention and hearty recommendation. I view us as brothers in the cause of improving industrial safety and security.
A quick comment about "jargon". While I try to avoid jargon whenever there are simple/common terms available, sometimes I'm writing about an academic topic so it becomes necessary to use terms from that literature. But if you ever think that I'm using jargon when it's not called for, feel free to leave a comment and ask me to simplify or rewrite.
Cheers,
Russ