Quantitative Risk Analysis in the Corona Era

Listen to the news and look around: Everyone else is running the numbers to make their decisions. Are you?

Today in Maryland…

Since May 1st, 2020, the State of Maryland has been averaging 1005 +/- 263 (1-standard deviation) new COVID-19 cases per day. Statistically, around 7% of each day’s new cases will be dead in 10 days.

There is no shortage of threads to pull or rabbit holes to dive into with the numbers. Bear with me as I tug on one.


Of those 1000 per day new cases, some percentage are medical professionals — the doctors, nurses, EMTs, etc. Arguably, medical professionals are:

  1. The best informed regarding the transmission of the disease;
  2. The best equipped to defend themselves against transmission from individuals and environment; and,
  3. The most alert, with peer pressure, personnel health checks, and other reminders all around them to stay alert, plus a natural presumption that each new patient entering their perimeter is infected.

In spite of those three basic factors, some percentage will fall. It may be a single lapse in judgement or attention, it may be something assumed clear is dirty, or it may just be the virus beating the odds that one time ~ who knows? But it happens.

It’s on my to-do list to see if I can’t dig up those numbers, but in the meantime, it’s sufficient to know that there is a non-zero probability baseline: the most informed, most protected, and most alert do succumb with prolonged exposure in dirty environments over extended periods of time. That or they get back-doored, maybe during a relaxed moment in the break room, at the grocery store, or by a spouse or kid at home. Regardless, there is a non-zero probability of an event.

What does it Cost?

What does it cost the health industry — the hospital, the doctor’s office, the clinic, the fire station — if a specialist, a doctor, a nurse, or an EMT is knocked out of the rotation for two weeks? How about for life? And what does it cost the infected individuals’ families? We’ve heard about the outbreaks at nursing homes / assisted living centers; it’ll probably be some time before we hear about the impact of these events on the entire industry. How do you suppose disclosure of an outbreak at a hospital would affect public health and governance? How will each loss affect the individual families?

And for the Common Man?

Some presumably small percentage of those 1000 new cases per day in Maryland are medical professionals, but what about the rest? Today, in the middle of May 2020, it’s extremely unlikely that anyone is unaware of the pandemic or the mandated or recommended measures to avoid contracting or spreading the virus — and having been at this for more than two months, it’s likely they’ve been cognizant for at least two weeks. It’s not likely then that any recent day’s 1000 new cases were ignorant. So, what happened?

Assuming a “people are fundamentally good / we trust our community” model, we’d have to assume:

  1. No person would knowingly leave a safe space while sick, where any symptom would be assumed to be an indicator of infection until proven otherwise, and illness of a spouse, child, or another at home would similarly lock the person down until proven otherwise.
  2. No person would enter a space without assuming it was contaminated and no person would interact with another without assuming the other was infected, and therefore would take all appropriate protective measures.
  3. All people maintaining places where people gather, such as grocery stores, ensure that they and their personnel maintain themselves and their environment to inhibit the transmission of the virus between any parties.

So what happened?

  • Lapse in discipline? I forgot my mask. I’ll just rinse my hands. I was only in there for a minute. They were coughing but said it was just a cold.
  • Lapse in awareness, falling into old habits, not giving space, touching one’s face and everything around us.
  • Insufficient protective measures for the circumstances?
  • Lack of respect for others? Trust me, I’m fine ~ you have nothing to worry about.
  • Something else? Simply an accident? Maybe today it just got lucky?

Even when we are all on guard and acting with good intentions and a sense of social responsibility, it can still happen. What if we’re not all such model citizens? Either way, maybe it’s happening here a thousand times a day.

Comparative Risk?

For the last few years, Maryland has suffered a bit over 500 deaths per year from a bit over 100-thousand automobile accidents per year. That’s a 1/2% death rate from around 275 events per day (assuming they’re spread out evenly across the year). They’re presumably all licensed and have the same basic training. Everybody knows the rules and what they’re supposed to do in different situations. Most have had some years of driving experience and survive the trip without incident nearly 100% of the time. So, what happens? Lapse in discipline? Lapse in awareness? Not prepared for the conditions? Disregard of other vehicles? Something else? Simply an accident? Someplace they had to be in spite of the weather? Don’t worry, I’m good to drive?

We have licensing, education, restrictions, insurance, road maintenance, towing & repair, and enforcement apparatuses in place, combined with continuous improvements in engineering, to improve safety on the road — all presumably because we feel our economy depends on folks hopping in their cars. We’re willing to accept 500 deaths per year — a bit over one death per day on average — from 100-thousand mostly survivable accidents toward that end.

So, what if it’s one thousand events per day with 50-100 deaths per day?
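The comparison above, run as a small simulation. This is an added example, not part of the original post. It uses only the figures quoted in the post and assumes, for illustration, that daily case counts are normally distributed and that each case dies independently at the quoted rate.

```python
import random
import statistics

# Figures quoted in the post (Maryland, May 2020 and recent years).
COVID_CASES_MEAN, COVID_CASES_SD = 1005, 263   # new cases per day, 1 sd
COVID_FATALITY = 0.07                          # share of a day's cases that die
AUTO_ACCIDENTS_PER_YEAR, AUTO_DEATHS_PER_YEAR = 100_000, 500


def auto_baseline():
    """Return (events per day, deaths per event, deaths per day) for driving."""
    events = AUTO_ACCIDENTS_PER_YEAR / 365
    rate = AUTO_DEATHS_PER_YEAR / AUTO_ACCIDENTS_PER_YEAR
    return events, rate, events * rate


def simulate_covid_deaths(trials=5_000, seed=1):
    """Simulate deaths attributable to one day's new cases, `trials` times.

    Assumptions (not from the post): daily cases are normally distributed and
    each case dies independently with probability COVID_FATALITY.
    """
    rng = random.Random(seed)
    results = []
    for _ in range(trials):
        cases = max(0, round(rng.gauss(COVID_CASES_MEAN, COVID_CASES_SD)))
        deaths = sum(rng.random() < COVID_FATALITY for _ in range(cases))
        results.append(deaths)
    return results


def summarize(deaths):
    """Mean plus the 16th/84th percentiles (roughly a 1-sd band)."""
    cuts = statistics.quantiles(deaths, n=100)   # 99 cut points
    return statistics.mean(deaths), cuts[15], cuts[83]


if __name__ == "__main__":
    events, rate, auto_daily = auto_baseline()
    mean, low, high = summarize(simulate_covid_deaths())
    print(f"driving: {events:.0f} events/day, {rate:.2%} fatal, {auto_daily:.2f} deaths/day")
    print(f"covid:   {mean:.0f} deaths/day, 1-sd band {low:.0f}-{high:.0f}")
    print(f"ratio:   {mean / auto_daily:.0f}x the driving baseline")
```

Swapping in your own event rate, its spread, and a loss-per-event figure gives the same kind of band for a security risk instead of a single point estimate.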

Now You, Security Guru…

I mean, it must sound familiar, no?

  • Your perimeter is under relentless attack, both with and without cause, even if you’re no one special.
  • There’s a job to do, and there are varying degrees of assets from the commodity to the irreplaceable that must come together and be protected to accomplish that mission.
  • Your technical countermeasures may be about useless if your people aren’t trained, tested, and on their game.
  • Nothing may be more catastrophic than assuming something inside your safe zone is trusted.
  • You’re just one off-duty, guard-down lapse away from being back-doored.
  • You’re likely infected and doing significant damage for some time before you’re aware.
  • There is a non-zero probability that something bad will happen. They’ve happened to groups far more competent, better trained and provisioned, and more on alert than yours.
  • It happens whether everyone under our roof is trustworthy or not, whether everyone shares good intentions or not, and whether they maintain vigilance or not ~ sometimes if only because their best does not match your own as the SME and their personal risk models may differ from yours.
  • If your reputation is shot, your business may be done. Don’t ignore the intangibles in your asset and threat analyses.

Listen to the news and look around: Everyone else is running the numbers to sensibly guide their decisions. Are you?

You Know the Drill…

If you need help getting your Risk Management Process in place, underpinned with proper Quantitative Risk Management methodologies, visit the contact page and introduce yourself 🙂

Corona Virus and 2FA Fatigue?

As more people opt or are forced to work remotely, we’re going to learn a lot about our assumptions, policies, and technical controls surrounding the intersection of remote access and identity management. Already in social media I’m seeing rumblings of session expiration times, with users forced to pull out their phones to reauthenticate… well, that and VPN license limits and costs, but that’s a separate class of users. From the business users, there’s talk of finding ways to keep network connections alive to avoid the timeouts.

Here’s where the temptation is strong for the security and admin folks to turn on one another in escalating one-upmanship. Hopefully some innovation comes out of it all.

In the meantime, some key areas of focus for you:

  • Assess: What users need access to what resources? From where and when? What is the impact if that resource is compromised? Do your policies and technical controls reflect that? Too loose? Too draconian?
  • Communicate: Ordinary users may not be aware of the business risks and even legal requirements that lead to these inconveniences. Power users may believe they know better. Make sure everyone is informed about why it is this way and make sure everyone is aware that there may be penalties for violations. Tailor the message as necessary. Just as importantly, listen: Pay attention to user experience, incorporate feedback, and periodically revisit your decisions.
  • Innovate: Identity and Access Management (IdAM) is non-trivial. It’s technically complicated, particularly when mixing web access, wired & wireless network access, server access, corporate-owned & BYOD assets, etc. One size rarely fits all. Policy engines that allow or restrict access from this type of device at this location to that asset in that environment between those hours are still rare items, and having all of your different types of devices and services honor those policy engine decisions is another can of worms. Policy engines that make the experience more seamless often do so at the expense of privacy, keeping tabs on your state and the state of your devices — knowing your physical location, your frequent IP addresses, your device IDs, your times of access, and so forth — and using that information to make decisions. Are you okay with that? In the end, decide how we can all do better. Push industry in that direction.
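A sketch of the kind of policy decision described above, where device type, location, asset impact, and hour decide both access and how often a user must reauthenticate. This is an added example, not from the original post; every rule, attribute value, and session length in it is hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    device: str      # "corporate" or "byod"
    location: str    # "office", "home" or "unknown"
    impact: str      # impact if the asset is compromised: "low", "medium", "high"
    hour: int        # local hour of day, 0-23


@dataclass(frozen=True)
class Decision:
    allow: bool
    mfa: bool            # require a second factor at login
    session_hours: int   # hours before reauthentication; 0 when denied
    reason: str


BUSINESS_HOURS = range(7, 20)   # hypothetical window, 07:00-19:59


def decide(req: Request) -> Decision:
    """Evaluate ordered rules; first match wins, unknown values are denied."""
    known = (req.device in ("corporate", "byod")
             and req.location in ("office", "home", "unknown")
             and req.impact in ("low", "medium", "high")
             and 0 <= req.hour <= 23)
    if not known:
        return Decision(False, False, 0, "unrecognized attribute")
    if req.impact == "high":
        if req.device != "corporate":
            return Decision(False, False, 0, "high-impact asset needs a corporate device")
        if req.location == "unknown" or req.hour not in BUSINESS_HOURS:
            return Decision(False, False, 0, "high-impact asset outside approved place or hours")
        return Decision(True, True, 4, "high impact: MFA, short session")
    if req.location == "unknown":
        return Decision(True, True, 1, "unfamiliar location: MFA, one-hour session")
    if req.device == "corporate" and req.location == "office":
        return Decision(True, False, 12, "managed device on site")
    if req.impact == "medium":
        return Decision(True, True, 8, "remote or BYOD to medium-impact asset")
    return Decision(True, False, 12, "low impact")
```

Tying the session length to asset impact rather than to one global timeout is what keeps the short reauthentication interval on the few resources that warrant it.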

We’ll see where it all leads soon enough!

Lifetime Warranty: Data & Identity

Living in a neighborhood replete with tall, deciduous trees, when the opportunity arose I had “gutter covers” installed around the house. When once one of those tall trees decided to attack the house, I remembered the “lifetime warranty” that came with that installation. Sure enough, it was for the lifetime of that company, which — naturally — no longer existed.

There’s a bit of chatter around Twitter today regarding a decision to purge idle accounts. The details apparently aren’t firm yet, but the vagaries include “sometime next month” and “accounts that have no login in the last six months.” One of the voiced benefits: freeing up account names so they can be reissued.

Two angles appeared immediately:

  1. Identity Management. People and organizations have identity, reputations, and relationships linked to their names. When the names change, we start over, for better or worse carrying little if any notoriety between the names. Similarly, should someone move in and claim our names, they have the opportunity to claim our identity, our reputation, and our relationships. Sometimes it’s “Under New Management!” Other times, the havoc of identity theft ensues…
  2. Data Management. TOS’s and EULA’s be damned! When you place your data and communications into another organization’s hands, you are implicitly accepting the risk that your data will be lost, stolen, compromised, abused, used for purposes other than you intended, etc.; and you are implicitly accepting the risk that that access switch will be turned off without a moment’s notice. What now?

Yes, “what now?” indeed…

In the Twitterverse, I’ve seen the first “What about my deceased dad’s tweets?” questions. “I like to visit them from time to time to remember our conversations, but I don’t have a login to his account!” Extend this to every other data service that relies on a third party to accept, hold, and present data that means something to you: Facebook, Instagram, YouTube, email, blogs, websites, data storage, …; then remember that your rights to all of that are as thin as the clause that allows the provider to change the agreement at their leisure.

How about identity? I shared with you in a recent post seeing a text message from my friend that was actually from his wife, yes? When large numbers of our interactions are not face-to-face anymore, let alone in our own “voice,” we become quite comfortably conditioned to accept that email accounts, text messages, Twitter handles, and everything else are natural extensions of the person or entity that we trust. (Conversely, it is easy to assume that an email account, text message, Twitter handle, or anything else is not from an individual we trust if we have not previously associated them with the individual ~ but that’s a post for another time…) The bottom line? These chains of trust are often easily broken, and once broken they are easily exploited.

What to do? Well, in our perspective it boils down as usual to risk analysis. For each piece of data, for each service you use, ask what it would mean to you if it was gone or compromised. Do you have your cloud data backed up locally in some intelligible format? Do you have the sensitive stuff protected even in the cloud? Do you have alternatives available to provide those basic services like group / family communications, email, instant messaging, and telephony? Are your peers aware of your plan, and do they know how to fail over to the alternatives? Do you have methods in place to authenticate one another, verifying identities periodically and especially before discussing important matters when not face-to-face, so you know you’re communicating with the right person? Do you have a strategy to signal that the communication channel is not secure, to switch to alternative channels, or even to indicate on the sly that you’re in distress?

Some of that may seem far-fetched. If so, good! Maybe you’re one of the ordinary folks who may never encounter these problems. The items are not in your threat modeling, or they are in your threat modeling but you estimate it’s extremely unlikely that you’ll be impacted catastrophically if they do happen. That is a completely reasonable outcome of thoughtful risk analysis. On the other hand, if any of the threats resonate with you and you haven’t given any thought to handling them, well, good! That’s also a completely reasonable outcome of thoughtful risk analysis, and now you know where to focus your efforts.

Our role? Helping people and organizations open their eyes to the possible threats — particularly those in their blind spots — and helping with remediation strategies where warranted. We make posts like these freely and communicate the same everywhere, and we offer to confidentially review your situation as a service. Take a stab at the exercise yourself, then contact us for an outside assessment.