Tuesday, 9 September 2014

Information and the three-legged stool

I was trying to explain to a colleague how infosec people think about information, and came up with this:

I see information as being like a glass vase you have put on a three-legged stool. The stool is standing on uneven ground, in a river of melted chocolate (yes, I'm peckish). If any leg is the wrong length, the vase will fall and be swept away. If the seat is too low, the vase will also be swept away. If the seat is too high, you won't be able to see the vase, and you may break it trying to get at it. Now, you may not be bothered about losing the vase, but then again you may. It depends on the vase.

The three legs of the stool represent the three main attributes of information: Confidentiality, Availability, and Integrity. The uneven ground represents your different tolerances of threats to those three attributes. The chocolate river represents the threats to your information. The length of each leg is the amount/severity of controls which have been applied to protect the information's availability, confidentiality and integrity. The space you decide to put between the bottom of the seat of the stool and the chocolate is your risk tolerance. If the vase is swept away or broken, that's an information security incident. This can be because the seat is uneven, or the seat is too low, or too high: not being able to see the vase is analogous to having so many security controls that you cannot do your work effectively, and breaking it while trying to get to it is analogous to creating an incident as a consequence of requiring overly strong controls (e.g. complex passwords which people then write down on Post-Its).

The role of infosec is to work out how uneven the ground is, and to help you get the legs to the right length, also bearing in mind the likely strength of the chocolate river now and in the future. Which means that you're always at risk of an unexpected chocolate tsunami, but hey, that's life...

OK, this isn't a perfect analogy, but hopefully it helps. Or makes you crave chocolate. It does imply that there isn't a "perfectly secure" situation, just one which is suitable to your organisation's needs, attitudes and risks.

Monday, 8 September 2014

Chickens!

Why is it so hard to explain the business justification for managing information risk? I have an idea about how to explain this.

I've heard it said that information security isn't about the shark attack, but instead about being pecked to death by chickens. Let's look at that from a financial standpoint. The risk of a major incident is low enough, in people's minds, that it can be discounted (like a shark attack); the potential financial loss is huge, but it won't happen, so who cares?

The risk of minor information security incidents? Hah, they're happening all the time! Everyone and their dog is getting dodgy emails from "their bank" or "the IT department", and a non-zero proportion of the recipients will click on the wrong link out of bad luck, curiosity or fear. Of these, some will type in their login details, or have computers able to be taken over, and there you go. Not a huge impact on the organisation as a whole, by and large, but some hours of someone's day are used up sorting this out (once they notice...). The user loses time; the IT department loses time; and the organisation loses a little money. Not much. Like a single peck from a chicken: uncomfortable, but you can handle it.

How many chicken pecks before you start to really hurt? If the organisation doesn't have a "central nervous system" to allow the cumulative effect of these incidents to be understood, then it won't react like a human who's being pecked many times - it'll react like a huge number of humans who are each being pecked once. Which is to say, they will be mildly uncomfortable, but not inclined to make major changes.

The irony here is that a good information security management system acts as a central nervous system; but without it, you don't realise that you need one.

So what is the solution?

It's easy and hard - you need to either take advantage of a shark attack (have your wish list ready to go BEFORE the shark appears) or start really small and work on it. You can work on both of these approaches simultaneously.