The next 50 years of cyber security.

Making our risks as quantifiable and predictable as the weather.

  1. A lack of classification methods around the root causes of breaches.
  2. A lack of transparency into the root causes of data breaches.
  3. A lack of probabilistic methods for those who practice cyber security.

Risk measurement limitations are holding us back.

Can we “solve” cyber security with a focus on efficiency?

  • Modern epidemiology brought countless innovations. Doctor visits increased lifespans instead of signaling an imminent death.
  • Henry Ford’s obsession with production line efficiency ushered us into a modern age of manufacturing.
  • Meteorology’s big gains began around 1950 when quantitative forecasting met increasingly robust and organized measurement capabilities.

What does it take to start a similar “50 year” effort?

How would this change a security strategy?

We’re missing something. It is a beast with many names.

Why aren’t we measuring ourselves like other industries?

Security teams operate far too differently from one another.

  • “Compliant”. Religiously following prescribed rules / regulation.
  • “Customer first”. Prioritizing / satisfying customer checklists.
  • “Standards based”. Embraces an industry maturity model or standard.
  • “Threat driven”. Practicing threat intel and prioritizing adversary goals.
  • “Reference organizations”. Be exceptional upon comparison to others.
  • “Detection first”. First-class detection allows more lenient security.
  • “One of everything”. Never be accused of negligence.
  • “Metric driven”. Picking metrics as proxies for “risk” and reducing them.
  • “Chaos” or “Iterative”. Constantly breaking, observing, and fixing.

There are 3 things we need to move ourselves forward.

1. Classification language for root causes of a breach.

I took a stab at root cause classification: The Blockchain Graveyard.

Blockchain Graveyard Estimations

Other industries demand proper incident classification.

There’s plenty of optimism around classification.

2. A root cause must appear in data breach notifications.

Incidents and the circumstances that caused them are going into a black hole every single day.

“Given that we’re in the tax preparation industry, our baseline probability of a W2 related breach is 18% annually.

Our forecast, given our preparations, reduces that to 9%”

Nuclear regulation provides centrally accessible root cause data.

Root cause information for a minor nuclear incident… yesterday.

3. Security efforts must require a probabilistic result.



