Risky Business #191 -- Nuclear weapons security and infosec

Brian Snow joins the show to smacktalk risk-based security...
15 Apr 2011 » Risky Business

This week's show is a doozie!

We're joined by Brian Snow to discuss risk-based security. Brian, who was the technical director of information assurance for the NSA in the US, recently contributed to a security review of US Department of Energy Nuclear Weapons Facilities. (You can download the unclassified version of the report here for free with registration.)

The review sought to understand if Probabilistic Risk Assessment (PRA) methodologies could be used to improve the cost effectiveness of the DoE's security.

The review found that PRA is, in fact, not suited to managing risk in malicious environments. It's great for modelling likely failures of power supplies in data centres, but not so good at modelling attack scenarios.

Basically it boils down to the fact that it's impossible to assign a likelihood to an unknown attack.

So how on earth did risk-based security become the "standard" way of doing things in the enterprise? What use is a risk register if high-impact, low-likelihood adverse events can't be reliably quantified?

Brian joins us to discuss. It's a corker interview.

Adam Boileau joins the show for this week's news. He seems especially keen to sing CA's praises this week. Metstorm <3's CA. He even has CA pyjamas. I've seen them.