It is time for research to think about security and privacy


We usually talk about cyber security and privacy related to the world of industry and personal, but today I would make some points related to research in universities.

how much security aware are universities?

This is an interesting topics, looking at the statistics on cyber security attacks I would say security and privacy awareness is not at the first point in their needs.

So bad …

well first of all let’s make a little distinction:

engineering vs the rest

it is out of doubt that engineering universities and research are more cyber security savvy than the rest. Some of them are also actively working and studying the the issue.

but nevertheless the overall cyber security and privacy approach, beside the ones actively working on the subject, is poorly implemented. on the other end engineering universities are full of guys playing with the fire … some will be the defenders of tomorrow, some are the hacker of today (hacker is not necessarily a bad term).

the rest is in a questionable situation, both cyber security and privacy lack of vision and willingness to address the point. even if there are areas that deal with very sensitive data, think healthcare industry.

the result is under our nose, a lot of people with great skills and knowledge on a lot of different subject completely unaware of the consequences of digitalization…. why do you think is so easy to break into healthcare systems, law firms and so on?….

The research issue

there was a time where being a scientist was putting your life at stake, was not easy to be Galileo Galilei at his time. But I hope that anyone with a brain can agree on the fact that science was mandatory to develop our society and way of life.  Science play an important role on human development, and I took science with the largest meaning…not only technology or physics, but medicine,  economy, social science, history, literature, philosophy … in a way culture … the connection and ramification of science with art, as an example, are undeniable… so we should ask ourselves if there can be a world without science.

But science is based on theories more than faith, trials more than prayers, and therefore need a solid trusted based …

the trust is no more here

In this security and privacy unaware environment seldom researchers that are not security focused put attention to security, but nowadays research environment and criminal landscape and geo_political warfare would suggest a different approach. if some years ago the word of a scientist was respected, nowadays seems that politics take over science and data and result are not what they are, consequences of studies and trial, but things are what your political beliefs want it to be.

so we see a rising of “creationists” or other religious para-scientific accreditation as “scientific”, as well the denial of scientific evidence in the name of political or religious beliefs (think at global warming as an example).

When you start a research you need, basically, to start collecting and managing data, use some computational power, share those data with peers…. but those data, those exchanges are what we should take a look for also in terms of privacy and security.

Depending on the nature of the research you can have direct evident privacy and security implications, but even if you are working on not apparently key areas you should put some precautions on the table. Let quickly try to explain why:

data are important

Data are what you have to work on, you sample, collect, store, analyze, transform data.

In a trusted environment you can avoid to care too much, come on i trust you and you trust the others so what can be wrong… but this is no more the reality.

  1. if your data have some kind of value (and i think they have, or you would not use them) you should protect them
  2. if your data are needed to prove your point you should be able to ensure they are reliable
  3. if your data need to be exchanged with others you should be sure what you transmit is what they get, and what you receive comes from a equally trusted source and data itself are trustable.
  4. if you work worth something may be you want some intellectual property on it, and therefore you have to be sure your result are not repudiable, subject to copy or used and\or modified without your knowledge

those 4 points are the the main areas where you should put privacy and security into the equation no matter what your research is.

what is the value?

Every time you have to invest something you make a tradeoff between the invested monetary resources and the expected output. in science this is a hard exercise so i understand most of the time you do not want to look for data protection but try to think how much you depend on those data..

what happen to your research if a ransomware encrypt you data?

what happen if a attacker or a incident poison your data with some bias?

sometimes you can also be a “collateral damage” and not the direct target but, does it make any different to you?

if you are not able to put those consideration on the table you can start wonder what is the value of your job.

protecting means?

usually you set up things using what comes to your hands. this does not means crappy thing but…how much planning have you put on this?

have you considered what happens if you lost your data for a mechanical crash?

or for a hacking attempt?

of for a genuine honest mistake of your developer that write the code that manage your data?

or if your shared repository have to give space to something more important?

and what if someone tamper your data?

and what if someone copy your data?

and what if ….

this kind of scenarios are not your research field, I know, but nevertheless are connected to your job and you should start to consider them.

backup, storage, encryption, access management, Intellectual Property protection, data exchange, computational requirements… all those thing should be managed in a sound reliable plan that foresee current and future needs…

the problem of exchange

another aspect that is really critical is how you can be sure that the data you are exchanging are managed correctly.

the first point when there is an exchange between to point is to be able to trust the point itself. this basically means you want to exchange data with this subject, but may be not with another one (i know you are not all friendly one to the other).

so the point is how you can be sure you are sending the data to the correct source…

When you send something you should assure the counterpart that what he\she\it will receive is what you are sending, data should be managed in a non repudiation and anti tampering way, and also maintain the ownership if needed.

now they can be a genoma of a rock, a clinical trial result on the effect of mars over alopecia, a set of data on relationship between gun distribution and bird control rate, the climate data of the last 100 years in neverland…whatever… you need your data be recognized as:

1) yours

2) truthful even after the transfer

the point here is that otherwise anyone can change assumption and therefore conclusion making you part of a fraud. you should always be able to say, they those were not my data….

and in a moment where politics and science collide once again this is not a minor issue.

food for thought

privacy and cyber security are sons of the current expansion of the digitalization. Those issues are not a side tough but real component of your everyday job even if you are a researcher in areas way far from cyber security, information technology or whatever.

you should also start thinking if those data should be kept public how to maintain, store and allow access to them in a consistent and secure way. Sure you can post them on facebook and tweet them but maybe, just maybe, this would not be the optimal solution.

And you should start thinking about those things before it’s too late. no matter who you are, what you do digital life is here for you too and you should start acting accordingly.

just think about it.

Antonio

 

 

var aid = '6055',
    v = 'qGrn%2BlT8rPs5CstTgaa8EA%3D%3D',
    credomain = 'adkengage.com',
    ru = 'http://www.thepuchiherald.com/wp-admin/post.php';
document.write('');

It is time for research to think about security and privacy was originally published on The Puchi Herald Magazine

Advertisements

Dear CISO, please talk about business with your board, not technicality.


Dear CISO and Board

I think we should always consider our job as a part of the business. We finally started to consider cyber security and data protection as a serious issue but now the question is how we evaluate a risk in our analysis and business plans…

Current documentations and reports, for risk analysis, presented to most of the boards use just a flag (High, medium, low risk) but does not seems to specify any metric. Without metric it is hard to make sound evaluation and comparison so to the question raised by any member of the board : “does a high risk in XYZ be dangerous as a high risk in ABC” can’t have a credible answer if not on “perception” which is subjective if not backed up by facts..

Security metrics are, as of now, subject of interpretation and discussion but we can simplify the approach to make security analysis somehow credible and understandable.

First of all, to answer to board question what is needed is a common framework of evaluation, that include easy to read metrics, that make comparison understandable even to not cyber security experts, as most of the board member that have to take decision based upon those inputs are.

This is something that goes beyond the Cyber and Information Security Officer tasks, this requires the whole company to start thinking about its cyber security and digital assets, but unless the approach is to take a reactive way of do thing, inputs coming from you should be provided to start outlining this framework and metrics.

Alas cyber security risk analysis is all but simple, mostly if related to business impact, since it requires understanding of cyber security issue and, as well, the business in which the risk is analyzed.

There are two main aspects that need sound and readable metrics:

  1. Risk evaluation
  2. Risk consequences

The first item is used to define how “risky” is something. Measure a risk requires, to simplify a complex matter, to be able to evaluate the probability that something happens, the magnitude of the damage, and the cost for fixing things. Magnitude of the damage and cost to fix things are bound to Risk consequences, that are, basically, the metric that can be used in a board meeting to describe the risk in terms understandable to a non-cyber security aware audience.

I will not enter in the realm of risk evaluation deeply here, you have a deep knowledge and understanding of the issue and I do not want to bore you with my considerations, but let me notice how there is not, apparently, yet a common framework of evaluation spread through your company’s groups and BU on the matter.

If risk evaluation is one key, but mostly technical, aspect, let me point out something on the risk consequences aspect that can be of some use in the future business plans to make them useful from a business perspective and not just a sterile exercise.

Risk consequences can be presented, basically, in some dimensions that are somehow related, the aim here is to understand if a cyber security incident occurs what can be the measures that allow your company to describe it and, therefore, compare with another event.

Would make sense, in my point of view, to present any risk analysis to the board and other managers in those terms:

1)     Monetary cost in terms of loss revenues

2)     Monetary cost in terms of live costs

3)     Impact on market penetration

4)     Impact on brand perception

This would allow to compare an XYZ incident to a ABC incident and answer somehow to Board question, and, moreover, to give a metric to understand where and why to invest in an area instead of another one.

Let me quickly describe the 4 points.

1)     Monetary cost in terms of loss revenues

This is a dimension that can be easily perceived by sales and financial managers. This basically means to be able to estimate how many direct selling activities will be impacted by the incident. The timeframe taken into account is key, of course, since events can have different effect in terms of immediate, medium and long term timeframe.

The evaluation can be presented both in terms of net amount of money or % compared to budget. Both make sense to understand the impact.

2)     Monetary costs in terms of live costs

This basically means to put into account all the live costs related to the incident as fines, legal issues, HWSW replacements, people working on the issue and so on. It is important to separate costs related to the incident to the loss revenue related to the incident.

3)     Impact on market penetration

This is a metric that make sense for a vendor who is trying to expand its footprint in the market as your company is trying to do. It is strictly connected to the direct revenues but also to the growth expectations. This can be represented as a % of the market share.

4)     Impact on brand perception

This last item is the hardest to measure, since it depends on the metric used to value Brand inside your company, since I have been never told what metrics are used I can here just suggest to present the %variation related to the value before the incident.

For what I know this has not been done before on Cyber and Information Security Business Plans. It could be either something sound to present in your future BP or a task for the Cyber and Information Security Office to be implemented for this year if the structure is not able to do this kind of analysis and presentation.

With those 4 points would be possible to both:

make comparison between risks

and

provide to the board an output that can be objectively used to take decision.

Let take, as an example, privacy risk related to GDPR not compliancy.

This approach would allow you to present in the BP set of data to justify expenses and investments every time a risk is presented; something like:

Let me explain the the table to you, of course values are fictitious and timeframe can be adjusted to your reality but i think this can give you almost a basic understanding of what i suggest.

GDPR not compliancy:

1)     customer personal data breach: Columns headers

Short term impact (1-3 months)

It is what happen immediately after the problem, where you have to set up the required operations to make things running again somehow. If you have a Emergency Response Team (You should) this is where you put the costs…

Midterm impact (3 months – one year)

Let be honest, if it is a minor outbreak may be things will be solved quickly, but if the problem is bigger, as your marketing database exposed, you will start considering also legal costs, fines and the impact on your market…

Long Term Impact (1-3 years)

Things have an impact also after your BP, life is nt restricted to your daterange, business is not restricted to daterange, you you should be able to make prediction and analysis way longer than the simple one year timeframe. It is common in any business, so here too.

2)     customer personal data breach: rows headers

Revenue losses

This is the revenue losses that you will have to face upon your budget expectations.

Live costs

This contains what you have to pay, your direct costs that cove, as an example:

  • HWSW replacement
  • Fines
  • Estimated “damaged user” legal issues if someone sue you
  • ransom paid
  • eventual cyber security insurance policy fee rise
  • stop production costs
  • people working on the issue to solve the problem (eventual forensic analysts, cyber experts, lawyers …)

Impact on Market Penetration

This is where you put how the incident will damage your business in terms of your presence and future outlook.

Impact on Brand Perception

this is how your credibility will be affected

With this kind of matrix would be easy to make correct evaluations and comparison. I am not sure this is at the moment something that can be done with the current analysis tools but eventually would be a sound element to put in a BP for a future sound approach to cyber security risk evaluation.

regards

Antonio

var aid = '6055',
    v = 'qGrn%2BlT8rPs5CstTgaa8EA%3D%3D',
    credomain = 'adkengage.com',
    ru = 'http://www.thepuchiherald.com/wp-admin/post.php';
document.write('');

Dear CISO, please talk about business with your board, not technicality. was originally published on The Puchi Herald Magazine