04 August 2013

Cyber Risk: Human Factors vs. Automation...

Operational Risk Management (ORM) is a growing, multi-faceted mosaic composed of people, processes, systems and external events.  The risks to the enterprise are increasing at a speed and trajectory that require the use of automated tools.  This is where risk to the enterprise may actually expand, as executives and operational management rely on software to provide information assurance.  The design and architecture of software needs a human-based fail-safe: a human interface that both allows and requires human intervention.  Has too much automation contributed to our increased levels of vulnerability?

Fortunately, software designs have left room for a human factor to ask "What if" questions: the questions that may arise after an automated alert tells us that something is outside the baseline parameters set for the system, the sensor or the alarm.  Now we go back to Operational Risk and the nature of thinking from a security and safety perspective.  What is the continued reliance on automated systems doing to the human capital who have been charged with the overall "Standard of Care" for the enterprise?  We believe that they may have lost the ability to ask the right questions, at the right moment and with the correct contextual understanding.

What is the truth?  Is it true?  What evidence do we have that this is true?  How do we know that the evidence is not spoiled or compromised?  If we know the truth, then what do we do next?  Is the software telling us the truth?

The security and the safety of the enterprise are counting on you.  And more importantly, the enterprise is asking you to question the software.  The "rule-sets" that you have chosen as a result of the programmers' and architects' decisions can no longer be trusted blindly.

Sixty-four percent of organizations attacked in 2012 took more than 90 days to detect an intrusion, with the average time for detection being 210 days (35 days longer than in 2011), according to a report released earlier this year from data security firm Trustwave.  Five percent took more than three years.

The Weak Link

Especially unnerving is the widespread success of SQL injections.  Remote access and SQL attacks, the tools of choice by hackers in the scheme unveiled last week, together made up 73% of the infiltration methods used by criminals in 2012, according to Trustwave.

"This is not anything new for people in the space, it's an old approach that has been used for decades," said Dov Yoran, co-founder and CEO of malware analysis and threat intelligence firm Threat Grid.  "And it's only going to grow as these systems get more complicated."

Some industries have been forced to adapt and alter faster than others due to the high level of attacks, particularly U.S. banks like J.P. Morgan Chase (JPM) and Bank of America (BAC), card companies like Visa (V) and MasterCard (MA), and retailers that have a more direct line to cash.

Nearly a year ago, DDoS attacks in September temporarily downed the consumer websites of some major U.S. banks.  But a fourth wave of attacks declared last week against some of the same victims has so far proven uneventful.
Is our system learning?  In what capacity is the system learning, in context with the human interaction of judgement, intuition and ethical emotions?  Are you with us?  The next generation of "Cyber Security" innovators is now at the edge of significant new breakthroughs and solutions.  "Active Defense" is a controversial topic du jour, yet the next few years will be a new age of understanding, cultural bifurcations and significant global collaboration.  Our entire platform of digital trust is at stake, and the conversation has finally made its way to the nation-state policy level.

Operational Risk Management (ORM) will remain a key factor in decision points for the enterprise, the consumer and the operators of critical infrastructure across the globe.  Let's work on keeping the human factor in the loop as automation continues to give us a false sense of security and safety.
