Almost 70 years since the first computer bug was discovered, there has been decades of research done on Information Security theory and practice. Yet, despite vast amounts of money being spent, innumerable academic papers, mainstream media obsession, and entire industries being formed, we are left with the impression that the risk is growing, not receding. Why? Some argue a lack of data, but data clearly exists. We’re likely generating it, in some areas, faster than humans will ever be able to process it. Perhaps, after all of this effort, we’ve managed to box ourselves into metaphors and first principles that might be inappropriately constraining how we think about “Information Security Risk”. In fact, it’s worth noting that we can’t even agree if there is a space between “Cyber” and “Security” when it’s written out. This talk will take an anecdotal look at “Information Security Risk”, “What IS Cyber Security?”, and use that perspective to suggest areas of research that are either lacking or should be made more accessible to the markets, industries, and individuals driving risk management change. In an industry filled with data, perhaps an examination of empty space might be helpful.

1. Non-Sec
Jack Whitsitt
jack@energysec.org |
http://twitter.com/sintixerr

2. Presently:
 EnergySec Senior Strategist
 International Policy Discussions
Previously:
 Hacker Compound
 Open Source (Honeypots)
 Managed Commercial Security (Visualization! Correlation!)
 FBI SOC
 Enterprise Security Architect
 ICS-CERT/NCCIC/DHS/INL: National Control Systems IR
 Government : Public/Private Partnership Development as Transportation
SSA
Also:
 Artist & Backpacker
About Me

3. We have been focusing on improving information security and risk management
practices to reduce cybersecurity risk.
This focus has likely improved information security practices, but without
meaningfully or sustainably reducing cybersecurity risk
This has come at the cost of the resources we will require to displace potentially
dangerously entrenched behavior and misaligned markets created as an
outcome of this focus.
Our focus on information security solution spaces may be preventing us from
making necessary transformative (as opposed to incremental) improvements
because:
Information Security practices and solution spaces do not control or speak to
enough of the exposure environment to create sustained, strategic
improvements in position
We need to take a wider view.
(Warning: The view may contradict itself and this will be a linear presentation of a non-linear topic)
Why this talk? Thesis

4. Progress in economics consists almost entirely in a progressive
improvement in the choice of models….
[It] is a science of thinking in terms of models joined to the art of
choosing models which are relevant to the contemporary world…
[and] it is essentially a moral science and not a natural science…
That is to say, it employs introspection and judgments of value.
– J. M. Keynes to Harrod , 4 July 1938 (Sorta)
Models: How we think

5. Our Models May Be Our Vulnerability

6. State of the World

7. We’re Not Winning

8. We’re Not Sure Why

9. We Have Trouble Admitting It

10. But We’re Going To Fix IT
Anyway

11. State of Security
 The world already has a lot of cybersecurity “solutions” and
“products”
 The average information security budget according to
PricewaterhouseCoopers is a staggering $4.1 million
 According to Gartner, the worldwide Information Security market
is valued at more than $70 billion.
And, yet…
 The list to your right contains many, but not all, major Fortune 500
breaches 2011-2014
 These are not companies that cannot afford cybersecurity
 Most organizations are notified by external parties 100’s of days
after breach
 Cybersecurity is a hard problem that clearly – by any public
metric available - remains unsolved in any sustainable way
97% of networks have been breached (FireEye)

12. The Bear Has Eaten Us All…

13.  Of Solutions
 At the Wrong Level
 Without being Able to Articulate the Problem
 NISTCSF
– Common Practices
– List of things that aren’t sufficient
 Cybersec EU, Poland, 2015
– Talking Information Sharing at Highest International levels
– Conducting, not winning conflict
– Same solution spaces provided over and over again
– Specificity intersecting with applicability and repeatability extraordinarily
difficult
– This has to stop
…And yet we still rely on old
models

15. Scoping Cybersecurity

16. We don’t agree on much
We do not have a consensus definition
“Cybersecurity”
– Neither the problem space nor the discipline
– We can’t even decide if there is a <space> between
Cyber and Security
– Ask any 5 experts, get 5+ answers
Speaking of experts…..

17. Cybersecurity Experts
(Perspectives)
 System Administrators
 Malware Analysts`
 Incident Responders
 Lawyers
 CISOs
 Procurement Officials
 Chairmen of the Senate
Whatever Committee
 Heads of the NSA
 Senior Sales Engineers for
Security Companies
 Hackers
 Children
• CEO/Executive Board Members
• Criminals/Terrorists
• Journalists
• Developers
• Activists
• Evolutionary Ecology PhD’s
• Diplomats
• Control Systems Engineers
• Regulators and Auditors
• Emergency Managers
• Citizens
• Operations Staff
• Firewall Engineers

18. Cybersecurity Context
Cybersecurity is a huge domain that spans
entire cultures, industries, and nations while
remaining highly individualized
This means we have to always be cognizant
of context, models, and definitions.
To start with, we should ask a fundamental
question…

19. What is a secure system?
Secure system:
One that does no more or less than we
want it to for the amount of effort and
resources we’re willing to invest in it.
But what does that MEAN? 

20. Well, first, what is a
SYSTEM?
 Connected Technology that Processes Information and
Produces Output
 Technology just a proxy for human decision and action:
– Design
– Build
– Configure
– Operate
– Test
Our systems are our businesses, nations, and
cultures, we’ve just added technology.

21. Human Systems
Following this logic
– Systems are VERY BIG
– They have FUZZY BOUNDARIES
– They are HARD TO MODEL and EMERGENTLY COMPLEX
– Individuals have LIMITED SPHERES OF INFLUENCE on them
– But are subject to COMPLICATED IMPACTS FROM OUTSIDE THEIR
SPHERE
– And we ***STILL HAVE TO MANAGE THESE SYSTEMS***
Our Threat Models must apply to our entire
system definition.
So, where do we create boundaries?
How does this definition affect security?

22. Decisions:
“Atomic” elements of Cyber
Security
Cyber Security State is comprised entirely of a series of
authorized decisions made by people in authorized
capacities on a timeline
 To Model Systems and Security State, we have to Ask:
– Who is Making What Decisions, Why, and How?
 A useful filter for determining boundaries and scopes can be created by
determining your sphere of influence and asking:
– Where on a timeline is your sphere influenced
– By which decisions and by whom
– For what goals/values
– To what kind of effect
 How does your sphere of influence affect or not affect others?

23. Cybersecurity Experts
Revisited
 CEO/Executives
 Lawyers
 Procurement Officials
 Regulators and Auditors
 Emergency Managers
 Operations Staff
 Chairmen Senate Committees
 Heads of the NSA
 Diplomats
 Criminals/Terrorists
 Journalists
 Citizens
• Children
• Activists
• Evolutionary Ecology PhD’s
• CISOs
• Malware Analysts`
• Incident Responders
• Senior Security Sales Engineers
• White Hat Hackers
• Firewall Engineers
• Developers
• System Administrators
• Control Systems Engineers
How might these groups of Experts define Cybersecurity?

24. InfoSec vs CyberSec
 Use Previous Filter to Group People
– InfoSec
• Closer to “Security” Technology
• Focused on Mitigation
• Short Span of Influence on Exposure Creation
• Core competencies in technological exposure mitigation
– Others
• Further from “Security” technology
• But MORE influence over exposure creation
• Greater span of influence in general
• Low security technology competency
 “Others” have significantly more impact on system
security state than “InfoSec”, but are not directly
tasked with “Information Security”

26. Cyber Definitions Revisited
 Secure system: One that does no more or less than we
want it to for the amount of effort and resources we’re
willing to invest in it.
 Cybersecurity: The enablement of an environment in
which business objectives are sustainably
achievable by Information Security, Control
Systems Security, and Other Related Security
Activities in the face of continuous risk resulting from
the use of cyber systems.
 Cyber Risk: the possibility that actors will use our
systems as a means of repurposing our value chains to
alter the value produced, inhibit the value produced, or
produce new value in support of their own value chains.

27. Cybersecurity:
Managing a Parasitic Environment?
http://vignette1.wikia.nocookie.net/mutantsgeneticgladiators/images/7/7e/ParasiteQueen.png/revision/latest?cb=20140619191012

28. Parasites: Value Competition
Cyber Security isn’t a risk. 

29. Error Handling
“Others” create cyber security exposure
(mostly)
“Others” also limit/define InfoSec scope
InfoSec Programs are primarily “Error
Handlers” and relatively non-causal to cyber
security state (this doesn’t mean
unimportant)

30.  Island Internet
 Isolated Security Events
 Techies (me) without funding or buy-in develop practices
 Automated Worms Disrupt Business
 Market need identified and met by selling practices
 Connected Important Stuff
 Merging Realities, Conflict and All
 Entrenched Models and Practices failing to solve for New Reality and New Scope
We started out specialized and then specialized further despite context and problem
space expansion and we’ve failed to improve and update models or develop
appropriate, specific objectives accounting for our environment*
Now we’re missing important fundamentals in scope, metaphor, language, and
strategies and are battling existing investment to fix
(*or, at least, we’ve failed to create effective socialization mechanisms for them)
Tail Wagging the Dog:
How did we get here?

31. Problem Space Framework:
What does the Dog Look
Like?

32. Full Cyber Stack:
A Problem Space Framework
Connected, Related
Problem Spaces
that Affect Cyber
Security State:

33. Problem Space: Humans
 If Security State is Decisions on a Timeline,
we have to deal with:
– Average Ability
– Opaque Motivations and Habits
– Shaded Risk Perception
– Learning Capacity
– Conflicting Information Processing Mechanisms
– Personality Conflict
– Patterns Not Reality

34. Problem Space: Technology
 Cannot Express Security Directly
 Requires Core Competency replicated to all organizations
 General Purpose Expressly Allows Exposure
 Evolving Faster than Human Cultural Processes
 Complexity : Exposure rising directly and infinitely with
complexity

35. Problem Space: Culture
 Resistance to Change
 Blinded (often) in certain Topic Areas
 Socially, not factually, driven replication of talismanic memes
 Simplification of complicated topics
 Us vs Them: Perspective & Context Awareness
 Firefighting is Sexier than Exposure Management
 Language, Conceptual Clarity across Discipline Borders

36. Problem Space: Org
Behavior
 Conflict in Hierarchical Value Production
 Single “System”, but not engineered or designed
 Data to Knowledge to Action bandwidth limits
 Difficult or impossible risk aggregation
 Limited Resource Allocation (Speed, Accuracy)
 Insufficient resources hidden by poor risk perception
 Organizations don’t feel risk
 Little Full System (Human) Threat Modeling

37. Problem Space: Industries
 Competition vs Common Need
 Complex System Boundaries
 Entrenched Investment (InfoSec!)
 Indirect connection to Risk (Boiling Frogs)
 Competency Required by all: Cannot
maintain

38. Problem Space: Nations & Body
Politic
 Geography, Power Delegation, & Proximity
 Common Problem Space Consensus
 Multi-stakeholder Model/Regime
Management
 Perception Management of Body Politic
 Tragedy of the Commons

39. Problem Space: International
 Bad Conflict Metaphor: Defender vs Siege
– (Creates Compliance Misalignment)
 Stability Problems
 Norms of Behavior & Confidence Building Measures
 Information vs Kinetic Warfare
 Few Capacity Building Missions/Mandates

40. Problem Space: Global
Culture
 Predictably reliable infrastructure in order to
increase its health/wealth
 Freedom to develop practices and norms and
boundaries and technologies which exist outside of
nation state constructs – as the internet (does it?)
breaks without this. This is a matter of opinion?
 Tools and techniques and forums and media in
which to exist as an independent construct from
other sub-power brokers

41. But why does this matter?

42. Generally…
 We have problems to solve
 They are serious impediments to reducing
cyber security risk
 They have not been defined or socialized
 Without definition and socialization, people,
organizations, cultures, nations, etc. cannot
work together to solve them
 We can convert these gaps into concrete plans
of action for resolution – or at least socialize
good practice

43. Specifically…
NIST CSF, NERC CIP, C2M2, Top 20, 800-53, etc…..
 NONE of these address Exposure Introduction in a meaningful way within
organizations
 If Exposure is not managed outside of InfoSec, InfoSec costs will continue to go up while
effectiveness will go down (due to rising complexity)
 NONE of these addresses barriers to sustained implementation of their own advice
 Organizations are exploited most often because of the gap between “Perceived” and
“Actual” reality
Being able to manage exposure introduction in a sustained manner within the
constraints of the outside world requires concerted planning, work,
coordination resources across your businesses, cultures, industries, nations,
and the world…
And we have few mechanisms in place to do so.

44.  Expand
 Clarify
 Communicate
 Maintain
 Use
 Market
 Criticize
 Trash it and Start Over if Needed
– We still need one
– Let’s just stop repeating ourselves
Improve on
This Problem Space
Framework?

45.  Think Beyond InfoSec
– Broaden Scope Out As Far As You Can Go
 Re-Consider your Metaphors and Models from the Ground Up
– If Only as a Thought Exercise
 Ask how to manage risk without InfoSec
– Then build an error handler
 Wonder at why we are where we are
– And treat common practices as solving an insufficiently complete
list of problems
If nothing else…

46. Thank you!
Jack Whitsitt
jack@energysec.org |
http://twitter.com/sintixerr