This ties in very loosely to the physical security project. Perusing a book on network and communications-systems security for an unrelated project (Threat Modeling: Designing for Security by Adam Shostack) we discovered a few concepts worth lifting and sharing.
The lift is from his Chapter 9, and it addresses something that bosses and managers seldom “get” about threats: once you’ve figured out what your threats are, you need to figure out how to mitigate each one. And each mitigation has certain trade-offs involved; in fact, the title of Shostack’s Chapter 9 is: “Trade-Offs When Addressing Threats”. He suggests you make a matrix or table with each threat listed along with your mitigation strategy, when you execute that strategy, and how.
The three questions to answer about each threat are:
- What’s the level of risk?
- What do you want to do to address that risk?
- How are you going to achieve that?
He identifies the Classic Strategies as:
- Avoiding Risks
- Addressing Risks
- Accepting Risks
- Transferring Risks
- Ignoring Risks
Avoiding risks is not always possible, but you might decide, for example, not to do something if the risk is greater than the reward. You can avoid the risk of burglary by not owning anything of value, or by keeping all your valuables in a safe deposit box. More generally, you can design to avoid certain risks.
Addressing risks means making design or operational changes – doing something to forestall the risk. For instance, if your neighborhood is at risk of smash-and-grab burglaries, you can harden your doors and windows and add an audible alarm. If you’re at risk of being mugged, you can carry a gun (well, in some places you can. Sorry, Chicagoans).
Accepting risks means you accept all the consequences of the risk coming to pass. This is best used when the risk is both highly improbable and rather inconsequential. It’s also sometimes necessary in combat. For example, the Navy SEAL element deployed as a reconnaissance and surveillance patrol on Operation Red Wings went in accepting the risk that if they were compromised, they were in deep doo-doo. They addressed that risk also, or tried to, with communications and backup. They also accepted the risk that if their QRF was interdicted (as it was, in the end), they were not just in deep doo-doo but in over their heads. As they were, in the end. But you have to accept some risks. If your risk analysis concludes you have avoided, addressed or transferred all the risks, there’s a high probability that you’re actually ignoring a risk you haven’t considered (see below).
Transferring risks is what happens when you fob a risk and its consequences off on another party. For example, GM with its faulty little Chevies transferred the risk to the motorists who bought one (or really, rented it, ’cause who buys those shitboxes?). The trial lawyers of America are salivating at the prospect of transferring the consequences of the risk back to GM.
Ignoring risks is the default position, and what it defaults to is unconsciously accepting the risk. This can take place by denying the risk, or by recognizing it but trying to keep it secret (“security through obscurity”). While obscurity can add an additional veil to any security posture, it’s far too weak to depend upon as a stand-alone method.
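Here is what Shostack’s threat table looks like when you actually build one, as an added example; this is not code from the book or from this post. It assumes a 1–5 likelihood and 1–5 impact scale (risk = the product), and the sample threats are constructed from the scenarios above. The interesting part is the review step: a threat nobody made a decision about is reported as ignored (which, as the post says, is just accepting it without admitting it), a mitigation with no “how” is flagged, a high risk marked “accept” is flagged, and a register that accepts nothing at all is flagged as probably hiding a risk you haven’t listed.

```python
"""
Threat register in the spirit of Shostack's Chapter 9 table: each threat gets a
risk level, a strategy (avoid / address / accept / transfer / ignore), when the
mitigation runs, and how. Added example; the scoring scale and the sample
threats are assumptions, not the book's or the post's.
"""
from dataclasses import dataclass
from enum import Enum


class Strategy(Enum):
    AVOID = "avoid"
    ADDRESS = "address"
    ACCEPT = "accept"
    TRANSFER = "transfer"
    IGNORE = "ignore"   # the default: nobody decided anything


@dataclass
class Threat:
    name: str
    likelihood: int                     # 1 (rare) .. 5 (near certain), assumed scale
    impact: int                         # 1 (nuisance) .. 5 (catastrophic), assumed scale
    strategy: Strategy = Strategy.IGNORE
    how: str = ""                       # the concrete mitigation, owner, or hand-off
    when: str = ""                      # when the mitigation is executed

    @property
    def risk(self) -> int:
        """Level of risk: likelihood x impact, so 1..25 on the assumed scale."""
        return self.likelihood * self.impact


def review(register: list[Threat]) -> list[str]:
    """Return the findings a reviewer would raise about the register."""
    findings = []
    for t in register:
        if t.strategy is Strategy.IGNORE:
            # Ignored is just accepted without saying so.
            findings.append(f"{t.name}: ignored, so implicitly accepted (risk {t.risk})")
        elif t.strategy in (Strategy.ADDRESS, Strategy.TRANSFER, Strategy.AVOID) and not t.how:
            findings.append(f"{t.name}: strategy '{t.strategy.value}' has no 'how'")
        elif t.strategy is Strategy.ACCEPT and t.risk >= 10:
            # Acceptance is for improbable and inconsequential risks; 10+ is neither.
            findings.append(f"{t.name}: accepted but risk {t.risk} is not low")
    if register and not any(t.strategy is Strategy.ACCEPT for t in register):
        findings.append("no risk is accepted: probably ignoring one you haven't listed")
    return findings


def render(register: list[Threat]) -> str:
    """Plain-text table, highest risk first."""
    rows = sorted(register, key=lambda t: t.risk, reverse=True)
    lines = [f"{'threat':<28}{'risk':>5}  {'strategy':<9} {'when':<14} how"]
    for t in rows:
        lines.append(f"{t.name:<28}{t.risk:>5}  {t.strategy.value:<9} {t.when:<14} {t.how}")
    return "\n".join(lines)


# Constructed sample register built from the post's own scenarios.
SAMPLE = [
    Threat("smash-and-grab burglary", 4, 3, Strategy.ADDRESS,
           how="hardened doors/windows, audible alarm", when="before move-in"),
    Threat("mugging", 2, 4, Strategy.ADDRESS, how="carry, where lawful", when="always"),
    Threat("valuables stolen at home", 3, 5, Strategy.AVOID,
           how="keep them in a safe deposit box", when="now"),
    Threat("house fire", 1, 5, Strategy.TRANSFER, how="insurance policy", when="annually"),
    Threat("nuisance vandalism", 2, 1, Strategy.ACCEPT),
    Threat("extended power outage", 3, 2),   # nobody decided: defaults to IGNORE
]

if __name__ == "__main__":
    print(render(SAMPLE))
    for finding in review(SAMPLE):
        print("!", finding)
```

Run it and the table comes out sorted by risk, followed by one finding: the power outage was never decided on, so it is being accepted by default. Delete the accepted vandalism entry and a second finding appears, because a register that accepts nothing is suspicious for exactly the reason the post gives.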
This book illustrates how almost any literature on safety and security has something you can take away from it for your own personal purposes. Much of the book is specific to hardening your network protocol stack against bad actors, protecting against spoofing, tampering, repudiation, information-disclosure, denial-of-service, and elevation-of-privilege threats (the STRIDE that network security weenies worry about). Some of those things have zero application to meatworld. But those that do, do, and reading outside your own comfort zone, or at least outside your area of greatest familiarity, can often kick free some unexpected ideas. Another concept from the book that might be a good example of something transferable to protecting you and yours, is the elaboration on the use of Bruce Schneier’s concept of attack trees in Chapter 4. That’s a post for another day, and Shostack’s discussion (and Schneier’s) are probably too academic for the individual looking to protect his family, home or business. But it’s an example of what you can find when you look beyond the bookshelf at Gun-Mart.