<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>BestInternetSecurity.net &#187; Risk Management</title>
	<atom:link href="http://www.bestinternetsecurity.net/category/risk-management/feed" rel="self" type="application/rss+xml" />
	<link>http://www.bestinternetsecurity.net</link>
	<description>Information Security Resources</description>
	<lastBuildDate>Fri, 10 Jul 2009 02:27:12 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Being Humble: The right mind set for Corporate Governance and IT Governance</title>
		<link>http://www.bestinternetsecurity.net/284/being-humble-the-right-mind-set-for-corporate-governance-and-it-governance.html</link>
		<comments>http://www.bestinternetsecurity.net/284/being-humble-the-right-mind-set-for-corporate-governance-and-it-governance.html#comments</comments>
		<pubDate>Fri, 31 Oct 2008 06:25:37 +0000</pubDate>
		<dc:creator>Damen</dc:creator>
				<category><![CDATA[General Information Security]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Corporate Governance]]></category>
		<category><![CDATA[IT Governance]]></category>
		<category><![CDATA[Monty Hall Problem]]></category>
		<category><![CDATA[Risk Analysis]]></category>

		<guid isPermaLink="false">http://www.bestinternetsecurity.net/?p=284</guid>
		<description><![CDATA[For every first lesson I teach about Risk Management and Contingency Planning, I always like to raise an example to begin a discussion about the illusions of human beings.
This illusion is best illustrated by an interesting game called the Monty Hall Problem, which goes like this:
Suppose you are a lucky game show player who is [...]]]></description>
			<content:encoded><![CDATA[<p>For every first lesson I teach about Risk Management and Contingency Planning, I always like to raise an example to begin a discussion about the illusions of human beings.</p>
<p>This illusion is best illustrated by an interesting game called the Monty Hall Problem, which goes like this:</p>
<p>Suppose you are a lucky game show player who is picked to participate in a game. The game requires you to stand in front of three doors. Behind one door is a car, and behind each of the other two doors is a goat. You are told to choose one of the doors, and if you choose the door to the car, you win the car.</p>
<p>The game requires you to make your choice, and then the host (who knows what is behind each door) opens one of the other two doors, one that he knows does not hide the car. According to the game rules, you then have the chance to change your mind and choose the other remaining door, or to remain with your original choice.</p>
<p>The problem is: Should you pick the other remaining door, or trust your first choice? Would this decision make any difference in the chance of winning the car?</p>
<p>Most people will say that the chance is the same either way, because with two doors left you have a one-in-two chance of the car. It sounds logical, doesn’t it?</p>
<p>But let’s examine this carefully. Suppose you label these two strategies as:</p>
<p>Strategy A: Remaining with the present door choice.</p>
<p>Strategy B: Changing the choice to pick the other remaining door.</p>
<p>Let’s take a look at Strategy A first, where there are two outcomes:</p>
<p><span style="text-decoration: underline;">Strategy A, Outcome 1</span>: Your original door choice was the one in front of the car all along, and you win because you chose to remain with the first door you picked. The chance of picking the door with the car at the beginning of the game was 1/3, because you had to choose one out of the three doors.</p>
<p><span style="text-decoration: underline;">Strategy A, Outcome 2</span>: Your original door choice was one of the two doors in front of a goat, and you lose because you chose to remain with the first door you picked. There is a 2/3 chance of this scenario, since two of the three doors had goats behind them.</p>
<p>So for Strategy A, you had only a 1/3 chance to win the car.<br />
What about Strategy B, where you change your original choice?</p>
<p><span style="text-decoration: underline;">Strategy B, Outcome 1</span>: You change your door choice, and unfortunately your new door is hiding the other goat, because your original pick was the car. You lose. Remember that this outcome has a 1/3 chance, as discussed previously.</p>
<p><span style="text-decoration: underline;">Strategy B, Outcome 2</span>: You change your door choice, and open the door hiding the car. You win! This outcome has a 2/3 chance, because switching wins exactly when your original pick was a goat. (If you’re interested in a full explanation of how the outcome comes to 2/3, search for the term “Monty Hall Problem” using your favorite search engine and you’ll find plenty of information.)</p>
<p>Looking at the problem this way, it’s quite obvious that Strategy B is a better choice, isn’t it?</p>
<p>Some of you might still feel confused. You might need to re-read the whole discussion above to clarify your thoughts.</p>
<p>Ultimately, this game illustrates one very important weakness of people: we tend to jump to conclusions on many problems too easily, without careful analysis. And worst of all, we are usually overconfident about what we concluded at the beginning.</p>
<p>This problem is closely related to the people issue in Information Security and Corporate Risk Management. People tend to overlook many possible system vulnerabilities when undergoing so-called “risk analysis”. They are not aware that they have been overly naïve in thinking about the possible threats to their systems and operations.</p>
<p>It’s quite telling that this phenomenon is so visible now, with so many financial institutions around the world running into financial problems because the people who ran those organizations were too confident in their own ability to manage risk. They seem to have been completely blind to the exposure created by the financial products they held, never considering the serious consequence that those products could drag down their own companies if things went against them. And indeed, it caught up with them in the end.</p>
<p>So in the risk management exercise of information security, the number one beneficial attitude is to be humble. We need to realize that we are not invincible, and be very careful in weighing all possible risks related to the information system we are using. We have to work through the plan at every step of risk management without the tendency to overlook things or to jump to conclusions too easily. Without the right mindset, we are very likely to fail to manage all possible risks properly.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bestinternetsecurity.net/284/being-humble-the-right-mind-set-for-corporate-governance-and-it-governance.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What is Risk, Vulnerabilities, Threats, and Countermeasures: Risk Management Lesson 101 for Information Security</title>
		<link>http://www.bestinternetsecurity.net/119/what-is-risk-vulnerabilities-threats-and-countermeasures-risk-management-lesson-101-for-information-security.html</link>
		<comments>http://www.bestinternetsecurity.net/119/what-is-risk-vulnerabilities-threats-and-countermeasures-risk-management-lesson-101-for-information-security.html#comments</comments>
		<pubDate>Mon, 11 Aug 2008 08:01:21 +0000</pubDate>
		<dc:creator>Damen</dc:creator>
				<category><![CDATA[General Information Security]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Common Criteria]]></category>
		<category><![CDATA[Countermeasure]]></category>
		<category><![CDATA[Information Owner]]></category>
		<category><![CDATA[Information Risk Management]]></category>
		<category><![CDATA[Information Security Management]]></category>
		<category><![CDATA[Risk]]></category>
		<category><![CDATA[Risk mitigation]]></category>
		<category><![CDATA[Security Controls]]></category>
		<category><![CDATA[Threat Agents]]></category>
		<category><![CDATA[Threats]]></category>
		<category><![CDATA[Vulnerabilities]]></category>
		<category><![CDATA[Vulnerability]]></category>

		<guid isPermaLink="false">http://www.bestinternetsecurity.net/?p=119</guid>
		<description><![CDATA[In this article, I will use layman’s terms and descriptions to help you understand the various fundamental concepts of Risk Management in Information Security.
To illustrate those concepts, I like to use a popular diagram [1] from Common Criteria, shown below:

In the center of this diagram you’ll find the term vulnerabilities. Vulnerabilities are any weaknesses of a [...]]]></description>
			<content:encoded><![CDATA[<p>In this article, I will use layman’s terms and descriptions to help you understand the various fundamental concepts of Risk Management in Information Security.</p>
<p>To illustrate those concepts, I like to use a popular diagram<sup>1</sup> from <em>Common Criteria</em>, shown below:</p>
<p><a href="http://www.bestinternetsecurity.net/wp-content/uploads/2008/08/risk-threats-vulnerabilities.gif"><img class="aligncenter size-medium wp-image-120" title="risk-threats-vulnerabilities" src="http://www.bestinternetsecurity.net/wp-content/uploads/2008/08/risk-threats-vulnerabilities-300x209.gif" alt="" width="300" height="209" /></a></p>
<p>In the center of this diagram you’ll find the term vulnerabilities. <em><strong>Vulnerabilities</strong></em> are any weaknesses of a system. A system <em>always</em> contains vulnerabilities. You cannot build a 100% perfect system with no vulnerabilities, even if you have unlimited power, money, and time to build such a system. All systems contain imperfect components, and the integration of imperfect components produces an imperfect system that always possesses certain vulnerabilities.</p>
<p><em><strong>Threats</strong></em> are elements from various sources that can exploit vulnerabilities, and in doing so increase risk. <em><strong>Risk</strong></em> is the probability that the system’s assets will be damaged or abused by threats that exploit the vulnerabilities. Assets can be tangible (such as hardware and software) or intangible (such as goodwill and customers’ confidence).</p>
<p>Threats are initiated by <em><strong>threat agents</strong></em>. The most common threat agent for IT systems is people, who can accidentally or intentionally exploit the vulnerabilities of a system and so impact it.</p>
<p>In order to manage risk, we deploy <strong><em>countermeasures</em></strong> (controls) to a system to reduce its vulnerabilities. The decision to deploy certain countermeasures to reduce the vulnerabilities, and hence reduce risk, lies solely with the information owner, who bears all consequences arising from the risk.</p>
<p>In a formal risk management exercise, an organization should undergo an intense brainstorming session to discover all possible threats that can exploit the vulnerabilities of a system. The difficult part of this step is not determining whether a certain threat poses a risk to the system, but the effort required to locate every possible threat to it. Any threat overlooked leaves the organization seriously exposed to a risk that has never been identified and therefore never treated.</p>
<p>It is of the utmost importance for the owner (the “Owners” in the diagram) of an organization to identify all possible threats to its information system to the very best of his/her effort and knowledge, in order to fulfill fiduciary duties to customers and other stakeholders. Without knowing what the risks are, it’s impossible to implement suitable countermeasures to contain and mitigate those risks.</p>
<p>Reference:</p>
<p><sup>1</sup>Picture from <em>Common Criteria</em></p>
<p><span style="text-decoration: underline;">http://www.commoncriteria.org/docs/PDF/CCPART1V21.PDF p.14</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.bestinternetsecurity.net/119/what-is-risk-vulnerabilities-threats-and-countermeasures-risk-management-lesson-101-for-information-security.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Information Risk Management : The Core Concept of Information Security Management</title>
		<link>http://www.bestinternetsecurity.net/22/information-risk-management-the-core-concept-of-information-security-management.html</link>
		<comments>http://www.bestinternetsecurity.net/22/information-risk-management-the-core-concept-of-information-security-management.html#comments</comments>
		<pubDate>Tue, 11 Mar 2008 15:05:52 +0000</pubDate>
		<dc:creator>Damen</dc:creator>
				<category><![CDATA[General Information Security]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Computer Security]]></category>
		<category><![CDATA[Exposure]]></category>
		<category><![CDATA[Information Risk Management]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Security Management]]></category>
		<category><![CDATA[Risk mitigation]]></category>
		<category><![CDATA[Threat]]></category>
		<category><![CDATA[Threats]]></category>
		<category><![CDATA[Vulnerabilities]]></category>
		<category><![CDATA[Vulnerability]]></category>

		<guid isPermaLink="false">http://www.bestinternetsecurity.net/22/information-risk-management-the-core-concept-of-information-security-management/</guid>
		<description><![CDATA[In today’s environment, Risk Management is considered a core management issue in modern corporate governance. We have been discussing this concept in several areas of finance. Now, we are considering the subject as it pertains to the area of Information Security (IS). This is an important consideration since, in the past thirty years, IS systems [...]]]></description>
			<content:encoded><![CDATA[<p>In today’s environment, Risk Management is considered a core management issue in modern corporate governance. We have been discussing this concept in several areas of finance. Now, we are considering the subject as it pertains to the area of Information Security (IS). This is an important consideration since, in the past thirty years, IS systems have grown to be a core component among many other operations within the corporate structure.</p>
<p>In order to understand Risk Management, a few basic terms should be understood first. They are: Vulnerabilities, Threats, and Exposure.</p>
<p><strong><em>Vulnerability</em></strong> refers to the inherent weakness of an IS system. (“Inherent” simply means something internal to the system that you can’t easily eliminate completely.) The fact is, there is no system that is totally free from defects. No one-hundred-percent “bullet-proof” system can exist, simply because a system is only as strong as its weakest point, and no system in the world is without weaknesses. One could not possibly be developed without unlimited resources to build, verify, and test the system.</p>
<p><strong><em>Threats</em></strong> are certain incidents that exploit the vulnerability of a system. Threats can be natural (such as a thunderstorm or earthquake), environmental (such as temperature or humidity), or intentional (such as hacking or virus spreading).</p>
<p><strong><em>Exposure</em></strong> refers to the damage that can be done if and when a threat successfully exploits the vulnerability of a system.</p>
<p>When there is a chance that a threat could exploit a system’s vulnerability, there is <strong><em>risk</em></strong>. In the field of information management, risk refers to the possible attack on an IS system by threats made possible by its inherent vulnerabilities.</p>
<p>Risk includes the following properties:</p>
<ul>
<li><em>Risk cannot be totally eliminated.</em><br />
<strong>When a system possesses vulnerability, and it always does, there is risk.</strong></li>
<li><em>You can <span style="text-decoration: underline;">reduce</span> the risk, but not completely eliminate it.</em><br />
<strong>However, risk can only be reduced by carefully planned countermeasures.</strong></li>
<li><em>You can deal with residual risk by insuring the system.</em><br />
<strong>We call this process <em>Risk Mitigation</em>.</strong></li>
</ul>
<p><strong><em>Information Security Management</em></strong> is the art of dealing with risk using systematic and consistent management principles. This is not merely a technical issue; it is, above all, a management issue. Therefore, Information Security Management is best achieved through the proper deployment of carefully planned corporate strategies to deal with Information Security risk.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bestinternetsecurity.net/22/information-risk-management-the-core-concept-of-information-security-management.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
