Risks, Threats & Vulnerabilities: Snowball Lessons

I have some of the greatest and most illuminating information security and privacy discussions with my 7- and 9-year old sons. Their inquisitiveness and curiosity is unlimited. Their minds are open and ready to soak up everything around them, and to openly question those things that they do not understand, or challenge concepts with which they do not agree. It is too bad that most adults have lost these traits. It is too bad that too many parents and adults with responsibilities for children have squashed these innate qualities in young children instead of helping them to use those traits to blossom and develop into thoughtful, critical-thinking adults.

My sons are very interested in what I do, and since I have the opportunity and fortune to do most of my work in my home office I am thankful to be able to spend a great amount of time with them. They each have their own notebook computers and have been working on computers since they were 2…without any suggestion or encouragement from me. Children are great emulators of their parents, so it seems most of what I do they also want to do and learn about.
I allow my sons to participate in some online virtual reality sites. Don’t worry, I checked them out pretty thoroughly. There were many sites I disallowed…and many I contacted to let them know they did not appear to be following the COPPA requirements and that they should address them, or the FTC would be interested in knowing they weren’t meeting the requirements for protecting children’s privacy. I always look at the information security and privacy policies and other related information at these sites with my sons. I love doing analysis with them; they are great at doing “what if” scenarios.
Something that they have been intrigued with is how some of the sites discuss or reference “risks,” “threats” and “vulnerabilities.” Many of the sites use these terms incorrectly, which has led to some confusion for my kids, and so we’ve had long discussions about these terms and how they relate to their everyday life.
A good opportunity presented itself last week. We’ve had around a foot or so of snow on the ground here and some 0 degree range temperatures, so when they go to school they are bundled up, but at the end of the day when they are waiting for the parents to pick them up, the kids will often wait for 5 to 10 minutes outside. On Thursday when my son, Heath, got home he was upset. He was waiting outside, probably around 25 – 35 feet from the building, apart from the other kids, looking across the field because he thought he saw some deer in the woods. All of a sudden, WHAP! A snowball hit him in the face. He looked up, and further down the hill from where he was from the school building he saw, through long wet lashes and foggy vision, the resident onery kid in his class, Jared. Laughing. Patting another snowball together. Looking at my son. He threw another snowball at Heath. Heath saw it coming and dodged it. Then Dad arrived and he and his brother Noah came home. Heath told me was upset. He didn’t know Jared well, and he didn’t understand why he would throw a snowball at him. We had a long discussion about this, and eventually it led to a very good discussion about dealing with threats, vulnerabilites and the resulting risks at school. We talked about how these were similar to the risks, threats and vulnerabilities within his online communities.
We analyzed the situation. Heath and Noah love doing this…it leads to a lot of their “what if” scenario discussons. It also helped them understand the vulnerabilities, threats and risks within their online communities.
Here is some of our analysis, most of which were suggested by my sons…
* The primary threat Heath faced while waiting to be picked up after school was Jared, the snowball-throwing maniac. Of course there were other threats in waiting to be picked up outside the schoolhouse, but this was the most preeminent threat they identified.
* The vulnerabilities involved with the snowball-wielding Jared threat included those situations allowing Jared to exploit his snowball-throwing finesse to smack a kid in the face with a stinging frozen snowy fastball, including:
1. standing outside the building instead of staying inside;
2. standing away from others while outside;
3. being too far from the teacher;
3. not paying attention to where Jared was at;
4. becoming engrossed and focused upon one thing (deer in the woods) and not knowing what else was going on around you.
* The risks of getting hit in the face with a snowball were a result of considering the likelihood of the threat exploiting one of these vulnerabilities:
1. being outside created more risk than staying inside, because that’s where the snow was, and after all, snow was the material used for the weapon;
2. being away from a group of the kids increased the risk, because it left him as a more clear target;
3. being away from a teacher increased the risk even more, because then rascal Jared would have very little fear of getting caught, or accidentally hitting the teacher;
4. not knowing where the threat (Jared) was increased the risk further;
5. and not being aware of the surroundings made the risk most grave since unawareness of surroundings and environment opens you up to almost anything bad possible happening.
How likely were the risks? Can we assign a number or probability to these risks? While we could scale the likelihood when taking into account the different vulnerabilities/threat scenarios, there is no way we can assign an accurate probability; there are too many other variables, constantly changing, that will impact and change the risks on a day-to-day, and even hour-to-hour, basis. However, knowing the threat and the various related vulnerabilities, Heath decided he will be able to help avoid (reduce the risk of) a snowball in the face again by taking some simple measures. Staying inside the schoolhouse would virtually eliminate the threat; but that would not be as fun as being outside. So, he was willing to take some risk to enjoy the outdoors and being with other friends. When outside, Heath could stay close to the teacher, or within a group of other children, to keep him from being an easy target. And in any situation, it would be good to know where Jared was at, since now he knows he needs to keep his eye on him!
A big problem is that many business leaders, along with too many information security folks, want to know exact figures and probabilities for the risks resulting from identified threats and vulnerabilites. I certainly understand their desire for such numbers; they are used to working with numbers (revenue projections, employee expenses, budgets, etc.) and they want to be able to quantify information security safeguards in the same way…it seems logical to them. Unfortunately their common lack of understanding of threats, vulnerabilities and risks leaves them thinking risks can be accurately and consistently quantified.
Another problem is that too many info sec folks go straight to the Risk = Threat x Vulnerability x Value formula when discussing information security risks with business leaders. This formula can certainly be very helpul to the info sec and IT areas to help prioritize their activities, such as deciding when to apply patches and so on. However, by trying to explain vulnerabilities, threats and resulting risks right off the bat, and often only, by referencing this, or a similar, formula, it immediately presents information security risk as numerical calculated terms to your CFO, CEO, and other CxOs who do not have a background or in-depth understanding of these concepts from an information security perspective. Before the info sec pro has explained these concepts clearly and successfully, he or she is showing a mathematical equation, setting the stage for the CxO to think now that info sec issues can all be looked at in terms of numbers, probabilities and formulas.
Instead, info sec pros need to first cultivate a good understanding of what vulnerabilities exist within their organizations by providing ongoing awareness and training to their business leaders. They need to cultivate a good understanding of what threats exist to their information and processing resources and provide ongoing awareness and training. They need to discuss how threats and vulnerabilities combine to create the information security risks that exist within the business on an ongoing basis in every opportunity. They need to use scenarios and examples that their business leaders have experienced, understand, and can relate to. Too many info sec folks talk in info sec terminology that might as well be Greek to your CxOs. Always communicate from the perspective of your audience and according to their responsibilities and expertise.
Too many info sec folks also fret and worry about these communications, take too long to create communications, and then put out something incomprehensible, confusing…or end up doing nothing at all because just trying to create the communications made their head hurt too much. But all communications do not need to be formal. Of course you need your documented, formally delivered communications, and need to follow a well planned awareness and training program. However, also take a minute here and two minutes there to bring up a topic and discuss how it impacts your company when you see your business leaders in the elevator, in the cafeteria, in the gym, waiting for a meeting to start, in the lounge, walking to the building…whenever! Describe how recently publicized incidents relate to your organization. Describe how a schoolyard incident relates to your business.
After discussing snowball risks, a day or two later my sons and I were at their desks and talking about the security-related information on the various sites they go to, and if it was accurate or missing some information. In in the middle of this, during a pause while looking at a “cool neo-pet” Noah reflected. “So viruses are threats,” he said. “And that’s why we need anti-virus software, because we…er, our computers…are vulnerable without it while we’re on these sites, and the software helps to reduce the risks of having the viruses do bad things to our computers.” Correctimundo!! Very good!
I wish some concepts were soaked up and internalized as easily in some adults.

Tags: , , , , ,

Leave a Reply