- Optimize Exposure: attack surface and vulnerabilities, including assets, people, processes, & technologies
- Effective Threat Intelligence: understanding the threat agents
- Effective Design & Development: security & privacy by design
- Quality of Protection & Controls
- Effective/Efficient Execution & Operations
- Effective Response, Recovery, & Resilience
- Effective External Engagement: responsibilities and risk drivers
- Effective Learning & Agility: OODA at an organization level
- Optimize Total Cost of Risk: (loss distribution approach)
- Responsibility & Accountability: including governance and compliance
Here are the slides of the diagram, built dimension by dimension.
These posts might be especially interesting to folks who are engaged in any of the Cyber Security Framework processes now underway in the US (NIST), the EU, or the UK.
(Comment: I acknowledge that this framework is a bit complicated. My friend Jack Whitsitt (@sintixerr) has suggested that we need a "crayon version" because anything more complicated will just confuse people. I concur, but I may have to flesh out this complicated version before I can get to something as simple as Plan-Do-Check-Act.)
Aim
The aim is to promote agility, encourage capability maturity, and promote rapid innovation across the ecosystem. It is designed for managers, executives, and governance bodies.
Foundations
This framework is based on the Balanced Scorecard concept, augmented with ideas from Enterprise Risk Management, Total Quality Management, Organization Science, and even Biology (e.g. human immune systems).
Definitions
By "cyber security" I mean the confluence of information security, industrial control security, privacy, identity, and digital rights, along with civil liberties and national/homeland security in the digital domain. (I need an umbrella term and this is the best I can find.)
By "performance" I mean results that can be accomplished and that are (mostly) under the defender's control, even in the face of a rapidly-evolving landscape of threats, technologies, and socio-economic-political conditions. While "outcomes" will be determined by stochastic processes and the strategic behavior of adversaries, I argue that "performance" can and should be the focus of management.
"Performance" is not merely the sum of cyber security activities executed in an organization. In my opinion, existing frameworks focus too much on tasks, activities and practices -- e.g. "identify threats", "keep software patches up to date", "prioritize controls based on risk assessment", etc. This can lead to a belief that cyber security is merely the accumulation of activities and that "good cyber security" is some static goal or state. This belief is wrong-headed if our goal is agility and innovation. What's missing from this static view is the "why" for each task, activity, and practice, and especially how they all work together to promote agility, capability maturity, and innovation. Here's my proposed definition:
- "Cyber security performance" -- systematic improvements in an organization's dynamic posture or capabilities relative to its rapidly-changing and uncertain adversarial environment.
Consider the case of vulnerability patching/fixing. By itself, I'd call it a set of activities and practices. Let's say an organization found and fixed 15 vulnerabilities in a month. That is clearly activity, but is it "performance"? Most teams rank and triage vulnerabilities based on "criticality" and maybe also age, because fixing the most critical vulnerabilities is thought to contribute most to improved information security.
But I would argue that, alone, finding and fixing vulnerabilities does not yield "systematic improvements" as per the definition above. What about the sources and root causes of those vulnerabilities? What about vulnerabilities that have not yet been discovered? And how should vulnerability finding and fixing be balanced against other tactics and strategies, e.g. "moving target" defenses? As Peter Drucker said:
"Efficiency is about doing things right. Effectiveness is about doing the right things."
Therefore, every activity related to cyber security needs to be evaluated against its overall effectiveness. To aid in this, I think it's useful to distinguish between capabilities and their associated performance dimensions.
"There is nothing more wasteful than becoming highly efficient at doing the wrong thing."
Measuring Performance Across Ten Dimensions
Cyber security performance is a characteristic of the system as a whole. Capabilities interact with one another systematically to deliver cyber security performance. Therefore, if we can define the general capabilities we need and how they interact, we should be able to define and measure cyber security performance.
As listed above, I'm proposing ten capabilities which can be measured as performance dimensions. Why ten? Because I think cyber security is too complex to be reduced to any fewer dimensions, and I can't see the value of adding more with finer distinctions. I'm arguing that these ten dimensions are both necessary and sufficient to manage the full scope of cyber security in nearly every organization or network of organizations. In simple language, you can't leave out any and these are all you need.
Again, each of the ten dimensions will be explored in subsequent posts.
Finally, I will be proposing a performance index for each dimension. It will use statistical inference to combine evidence rather than simple arithmetic to combine sub-metrics. I'll explain this method in a separate blog post.
(Edit 7/1/2013: Modified order of ten dimensions, plus modified a few titles. Still a draft.)