So, I said I would do a “Risk Analysis” of Trump’s executive order using an actual risk framework to prove the order was dumb and where/why/how it was dumb.  Here it is! I used FAIR! (Note: I used a single data point here, because that’s all this analysis needed – I just go through control relationships and impact types mostly – but despite the snarky tone, the analysis is legit and if someone runs with this and fills in all the factors with actual numbers, that would likely be a fun exercise – I’d love to see what the actual estimated ALE is.)

In FAIR (Factor Analysis of Information Risk), the expression of risk is in the form of the “Probable frequency and magnitude of loss” due to a weakness. It is a useful model for many things, including identifying whether a perceived weakness is actually a weakness in terms of your own appetites and, interestingly, what effect controls have on your risk and how they affect each other.

I’m not going to introduce the whole model here and a lot of this is paraphrased, so a quick overview is probably helpful. If you’re not familiar with FAIR, start with Risk Lens’ “FAIR on a Page” (it’s also an open standard, which you can read about at the Open Group’s website).


Moving on: In the model (an ontology, see above), you have a “Loss Frequency” measure and a “Loss Magnitude” measure. Each of those measures is determined by a number of factors. These factors include things like “Threat Event Frequency” and “Vulnerability”. Each of these factors is itself composed of other factors (e.g. “Contact Frequency” and “Probability of Action” combine to estimate “Threat Event Frequency”).

On the right side of the ontology, “Loss Magnitude” is split into “Primary Loss” (costs that happen every time a threat event is successful) and “Secondary Loss” (costs which could occur for a subset of Loss Events and which come from impacts to other stakeholders not accounted for in Primary Loss). Think: A bank loses customer data and has to do incident response (primary loss) and sometimes must also provide free credit monitoring to those customers (secondary loss).

While this model is clearly geared for “information security”, it’s actually pretty useable for reasoning through other “risk” scenarios.

For instance, why is the Trump executive order on banning immigrants….dumb? Can we express this clearly and show the interplay between factors that gets us to “dumb” in a rational way? Yes! I’ll walk you through it! Refer back to Risk Lens’ “FAIR on a Page” if you need to:

The first thing we need to do is determine threat event, threat community, loss events, and assets. Based on the executive order, we can say this:

  • Asset: US interests inside its borders
  • Threat Community: Anyone from one of the 7 countries
  • Threat Event: Attempted Terrorist Attack inside US borders
  • Loss Event: Successful Terrorist Attack inside US borders
  • Secondary Loss: The consequences and responses to a successful terrorist attack inside US borders (this is important)

So, with that said, let’s run through the ontology:

1. Loss Event Frequency: None. We have never experienced any successful attacks inside US borders from this threat community here and there’s no evidence to think it will soon. “0 Loss Events” x “Any magnitude of loss” = “No Loss, No Risk”. Normally, if we just wanted to know the immediate and probable future risk, we could stop here: We know how often loss occurs and we know that an executive order can’t reduce “0” any further. But we also want to examine what could change and if the executive order will help manage THAT totally speculative future problem, so we will look below the surface to…

2. Threat Events (Loss Event SubFactor 1): Because Loss Event Frequency is so low, it doesn’t really matter how often folks TRY to cause loss if they’re rarely successful (NO control can keep the level at “Never successful”). But perhaps if Threat Events go up enough, we will experience a noticeable increase in Loss Events? This makes sense…but to understand whether this will happen and whether the executive order will help, we have to understand the two Threat Event Factors:

A. Contact Frequency (Threat Event Subfactor 1): How often is the threat community in contact with US assets in the border? Pretty often! We have lots of folks from all over the world in this country. Trump’s Executive order keys in on this factor in particular. If we reduce contact frequency, we will reduce the number of threat events, which will reduce the number of loss events! (From..again… “0” to…less than 0?)

But wait:

B. Probability of Action (Threat Event SubFactor 2): We do have a Threat Community that comes in FREQUENT contact, but they rarely, if ever take action. In fact, given how high the contact frequency is vs successful threat events (ie, loss events), we can say the Probability of Action is VERY low (if it weren’t low, we’d be seeing more successful attacks) – so low that, unless something changes to increase probability of action, we are at very low risk from this threat community (remember this for later: What could change the probability of action?)

3. Vulnerability (Loss Event SubFactor 2): Ok, so…that’s Threat Event Frequency…. What about our Vulnerability in the face of Threat Events? Maybe they’re trying a lot and just not successful? If that’s the case, then Trump’s executive order STILL doesn’t have an impact, because it attempts to control for “Contact Frequency” and does not affect either of “Vulnerability”’s two factors: Required “Threat Capability” and “Resistance Strength”. The Executive order doesn’t increase the tools/skills needed by bad guys and it doesn’t make our Assets (people, infrastructure) particularly more resistant to attacks in the face of someone who chooses to take action. We MAY be able to improve this, but Trump’s order doesn’t speak to it and given the low Loss Event Frequency it probably isn’t necessary for this Threat Community.

There we have it: Loss Event Frequency – very low and Trump’s order doesn’t really speak to it anyway. What about Loss MAGNITUDE? Here it gets interesting:

1. Primary Loss Magnitude: This is what the immediate aftermath of an attack would be for the US. If anyone gets in and does damage, Trump’s order does nothing to minimize that magnitude or impact. Once it happens, it happens. Having a smaller Threat Community doesn’t make the pain or cost less later. So this is a null factor.

2. Secondary Loss Frequency and Magnitude: Woah! :) Here we have a problem. Because it turns out Trump’s Order IS A SECONDARY LOSS in FAIR terms. It is a RESPONSE to prior terrorist attacks. Because we were attacked, someone used FEAR (not rationality) to justify keeping folks out of the country. Families. Children. Scientists. Injured. It was insensitive to entire nations of people who were not already likely to take action (based on the Loss Event Frequency analysis). But, what happens if you find your son or daughter couldn’t get medical treatment because of this? What happens if you find your family split up over this? What happens if your radical organization can turn to you and say “Look, we were right, these people are assholes and don’t want you”? What happens is THE PROBABILITY OF ACTION INCREASES FROM NOT ONLY THE ORIGINAL THREAT COMMUNITY, BUT OTHERS. In other words, people otherwise unlikely to take action before are angrier as a result of Trump’s actions and are now more likely to act against the US, thereby increasing future primary and secondary losses.

Summary (in case it wasn’t clear):

  1. Trump’s order does not minimize our vulnerability
  2. Trump’s order reduces the “Contact Frequency” of a threat community who has never been a demonstrated source of losses to the US internally
  3. The only significant impact on US risk that Trump’s order actually has is that it likely INCREASES the probable future frequency and magnitude of loss to the United States (its risk) by increasing the probability of action factor without affecting the others either way

Conclusion: After a FAIR Risk Analysis of Trump’s order, it turns out it was indeed DUMB.
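The factor relationships walked through above, as an added example that is not part of the original post: a small Monte Carlo pass down the FAIR ontology, applied to the bank data-loss scenario from the overview rather than to the executive order. Every estimate is a constructed placeholder, and triangular distributions stand in for whatever calibrated ranges a real analysis would use; ALE here is the mean annualized loss.

```python
import random
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Factors:
    """Each estimate is (low, most likely, high); all values are constructed."""
    contact_freq: tuple    # contacts per year between threat community and asset
    prob_action: tuple     # probability a contact turns into a threat event
    threat_cap: tuple      # threat capability, 0-100 percentile
    resistance: tuple      # resistance strength, 0-100 percentile
    primary_loss: tuple    # $ per loss event (e.g. incident response)
    secondary_freq: tuple  # share of loss events that also cause secondary loss
    secondary_loss: tuple  # $ per secondary loss (e.g. credit monitoring)

BASELINE = Factors(
    contact_freq=(200, 400, 800),
    prob_action=(0.001, 0.005, 0.02),
    threat_cap=(20, 50, 90),
    resistance=(40, 70, 95),
    primary_loss=(50_000, 150_000, 400_000),
    secondary_freq=(0.1, 0.3, 0.6),
    secondary_loss=(100_000, 500_000, 2_000_000),
)

def scaled(estimate, k):
    """Multiply low, most likely and high by the same factor."""
    return tuple(v * k for v in estimate)

def simulate(f, trials=20_000, seed=7):
    """Walk down the ontology per trial; return mean TEF, Vulnerability, LEF, ALE."""
    rng = random.Random(seed)  # same seed for every scenario, so runs share draws

    def draw(est):
        low, likely, high = est
        return rng.triangular(low, high, likely)

    tef_sum = lef_sum = ale_sum = 0.0
    successes = 0
    for _ in range(trials):
        tef = draw(f.contact_freq) * draw(f.prob_action)   # threat events per year
        success = draw(f.threat_cap) > draw(f.resistance)  # vulnerability, per trial
        lef = tef if success else 0.0                      # loss events per year
        magnitude = (draw(f.primary_loss)
                     + draw(f.secondary_freq) * draw(f.secondary_loss))
        tef_sum += tef
        lef_sum += lef
        ale_sum += lef * magnitude
        successes += success
    return {"tef": tef_sum / trials, "vulnerability": successes / trials,
            "lef": lef_sum / trials, "ale": ale_sum / trials}

def compare():
    """Baseline versus a change to one factor at a time."""
    scenarios = {
        "baseline": BASELINE,
        "halve contact frequency":
            replace(BASELINE, contact_freq=scaled(BASELINE.contact_freq, 0.5)),
        "raise resistance strength":
            replace(BASELINE, resistance=(60, 85, 99)),
        "response doubles probability of action":
            replace(BASELINE, prob_action=scaled(BASELINE.prob_action, 2)),
        "probability of action is zero":
            replace(BASELINE, prob_action=(0, 0, 0)),
    }
    return {name: simulate(f) for name, f in scenarios.items()}

if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:40s} TEF={r['tef']:6.2f}/yr  Vuln={r['vulnerability']:.2f}  "
              f"LEF={r['lef']:5.2f}/yr  ALE=${r['ale']:,.0f}")
```

A control on contact frequency and a change in probability of action both move risk only through Threat Event Frequency, so they can cancel each other; resistance strength acts on Vulnerability and leaves TEF untouched.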

Someone today asked me about CISA. The truth is, I’ve stopped paying attention. Everyone, just shut up and pass something so we can move on. But, I do have perspective that might be relevant: I’ve spent the past 12 years in infosec, including doing threat analysis, have spent the past 8-ish years in Critical Infrastructure, have been a government operational incident responder to the private sector with access to super secret info sauce, have helped build a strategic government public/private partnership program, worked with a number of ISACs, and have worked in a non-profit ISAO-like environment. Here’s what I think:

A long time ago, in a galaxy far too close to here, a bunch of techies, not in sufficient control of the business and other environmental factors to influence the cybersecurity exposure business was creating or suffering from,  said: “We need better, actionable information to succeed!”.  This was both sexy-tech driven and a last-resort.  If the business was leaving the doors and windows open, the “defenders” (heh) needed to know as much about their adversary as they could.

At the same time, businesses, finding they were becoming more and more on the hook for serious adversary conflict  (as opposed to automated worms) tried to offload their responsibilities to the government.  Lack of “Information Sharing” was a really convenient roadblock to partnership. “Hey, look, gov, we’d really like to help, but you’ve got all this awesome intel that you won’t share, how can WE do anything? YOU should!”.

Government, having its own interests, was also looking for more data because, essentially, most of theirs was limited or sucked or wasn’t useable. At the end of the day, cyber conflict is occurring on private infrastructure – the government infrastructure either being tangential to the discussion at hand, handled internally, or a peer infrastructure to the private critical infrastructure (i.e: The internet is the internet is the internet and it’s all a common geography of conflict). So they said (and, for what it’s worth, largely truthfully): “We can’t send you information if you don’t send US information! How can we know what’s actionable for you?” The fact that they might have their own uses for the information was tangential to this roadblock/truth.

This was *exactly* what industry hoped would happen!  Industry, having done this in the past with other non-cyber information sharing, knew this would stymie everyone for awhile: Competitive disadvantages, risk of prosecution for what they shared, inability of government to release classified information effectively, and the biggie – risk of regulation!

So at this point, we had:

Techies going: “Mmmm..Info Share! Sexy! We want more info! Wait, actually reduce exposure? That’s no fun, and besides, that’s really out of our control – business people suck at making decisions”

Industry: “Sweeeeet. This techie cry for Info Sharing is cool! It’s something that looks like low hanging fruit that we can use to block cyber interaction with the government indefinitely”

Gov: “Hmm. Cyber is scary and we have little to no visibility and we’re on the hook to help without (for the most part) regulation, we need information to better conduct conflict and apply game theory to international relations! We need to get industry to trust us and give us all their bits!”

Given the long history of the government ROYALLY screwing up trust relations with industry, this stood for years as a happy-medium-quagmire with everyone taking pot shots at each other from across entrenched positions.

But wait! Suddenly it actually got serious – the MEDIA started running away with cyber? Can those Chinese kids take out the power grid? OMG! (Note: I actually think the risks from cyber conflict are potentially VERY severe, but these are not the SAME risks as the ones Media got hold of). And suddenly, Congress, who KNOWS where its risks come from – bad political coverage by the media forcing uneducated people to vote or clamor for some MEME-OF-THE-DAY – got involved.

Congress: “Gov, Industry, Techies? What do we need to do CYBER better?!!?!?”

All: “Informaaaatttiion Shaaaarrrriiinnnnggg…”

And now, Congress has it, and everyone has lost COMPLETE sight of the fact that, at best, information sharing is a MATURE and DIFFICULT capability that results from mature organizational awareness and decision making and will, again at best, help catch the EXCEPTIONS that are not handled by mature organizational decision making, and will do little to NOTHING to reduce cybersecurity risk exposure or to reduce the escalating cost and complexity of the problem over time. Instead, it will help better execute/conduct conflict in cyberspace, satisfy techies who want to play more complicated games and solve more interesting problems, and leave the governments involved without any real position change in their ability to apply game theory strategically to cyberspace.

(NOTE ABOUT THE BELOW: This post was more about the history of information sharing driving these types of bills. My comments below are much less informed)

Does CISA trample on rights and privacy? Maaaaayyybee – Probably not…this is an old discussion that wasn’t completely initiated by government.  It may have secondary cascading effects, but I don’t believe that’s the primary motivation for it (or even A motivation).

Do I want them to pass it? Well, the government has shown it is PERFECTLY WILLING to try and get this information by other means, so….are we really losing anything? If nothing else, if we pass AN information sharing bill, at least there’s an increased possibility everyone will be able to finally share the Information that the Info Sharing Emperor Has No Clothes?

Since I first posted about my EnergySec class a year ago, it’s evolved quite a bit. In that time the agenda and topics have evolved as well, so I thought I’d share the present content structure here. Interested in coming? We only have one more this year, but more are coming next year and I’m happy to do custom work in your town! Check out the current outline here:


Theory, Application, and Frameworks

 Problem Space Definition

  • Cybersecurity Scope & Ecosystem
    • What is “Cyber”?
    • Broad Stroke Scoping of Cybersecurity
      • Risks-To vs. Risks-From
      • Technology vs. Humans
      • Risk Response vs. Quality Management
      • Tactics vs. Strategy
      • Protection vs. Enablement
      • Default Handling vs. Error Handling
      • Doing It Once vs. Doing It Consistently
      • Predictable vs. Emergent State
      • Defending vs. Improving
      • Compliance vs. Efficacy
      • Fact vs. Perception
      • Virtual vs. Physical Space
    • A Parasitic Model of Cybersecurity
      • Value Competition
      • Shared Infrastructure
    • Adversaries
      • Shared Attributes
      • Complex Goals
      • Adversary Classification
      • Attack Mechanics and Architecture
      • “Exploitation Opportunities” & Kill Chains
  • State of the World
    • The Bear Has Eaten Us All
    • Demonstrative Real Life Scenarios
    • Bottom Line and Regaining Control
  • A Problem Space Framework
    • The Forest
    • Thesis
    • History
    • Role of InfoSec
    • Problem Spaces
      • Global
      • Body Politic
      • Business
      • Organizational
      • Individual
      • Nature of Risk

Skills Development 

  • Effective Structured Communication
    • Purpose of Frameworks
    • What is Communication?
    • Perspectives
    • Contexts
    • Lenses
    • Inverse Perspectives
    • Using Intersectionality
    • A House Analogy
    • Conceptual Communication Tools (Summary)
  • Intentional Framework Design
    • What are “Frameworks”?
    • Structure vs. Content
    • Structural Framework Design Principles
      • Labels
      • Relationships (Ontologies)
      • Transformations
      • Modularization & Abstraction
      • Lensing
      • Life-cycles
  • Modeling Exposure
    • How is Exposure Generated?
    • New Concept: “Vulnerability Introduction Point Decisions” (VIP’s)
    • Modeling Vulnerability Introduction Point Decision Trees
    • Comprehensive Model of How Organizations can Introduce Vulnerability
    • Threat Modeling Using VIP’s
    • Technical Threat Modeling Translated to Full System Threat Modeling
  • Increasing Decision Making Capacity
    • REAL Defense in Depth
    • Creating a Defense in Depth Kill Zone
    • The Problem with Likelihood: Supply Chains
    • Kill Zone Management Concepts
      • Success Criteria help define
      • Metrics which apply
      • Levers to create
      • Control Specifications that use
      • Convergence of
      • Parenthetical levels of security to manage the
      • Dissonance of human systems 

Solution Approaches

  • A Framework for Organizing Solutions
    • Environment
    • “How Exposure is Created” & “How Exposure is Exploited”
    • Exposure Management Goals
    • “Exposure Management Approaches” & “Exploitation Handling Approaches”
    • “Exposure Mgt Efficacy Testing” & “Exploitation Mgt Efficacy Testing”
  • Integrating Existing Frameworks
    • Background Definitions
      • Risk Management
      • Capabilities
    • Existing Framework Information
      • NIST CSF
      • ES-C2M2
      • NERC CIP


  • Framework Structure Design
  • Framework Use for Control Specification
  • Pivoting between Risk and Compliance with an ICE

I’ll have a longer discussion of SIRACon later, maybe, but for now, you can find my talk slides here:



Some of it is old material, but some of it is new. I really like how it’s fitted together and ordered here.

A couple of people have asked me to clarify what I mean by Sieges (and parasites) in terms of the first Siege post and the subsequent strategy/problem space framework post. Here’s a quick email I wrote that might help:

Sieges and Parasites:

From a collective non-aggressor entity perspective, cybersecurity “conflict” is functionally a siege of the collective environment: Non-combatants trying to maintain a minimum level of survivability while they’re surrounded, being drained of resources, and lack sufficient environmental influence/position to make effective risk decisions.

Compare/Contrast Siege and Parasitic Environment as conflict types to: crime, espionage, battlefield warfare, natural events.  These latter tend to be incident/event driven, where the risk and responses to a siege are more environmental over time, with incidents to individuals happening but being largely irrelevant except as they contribute to the overall lack of stability/freedom to operate.

This thought process got kicked off for me while reading about the siege of Sarajevo in particular. Imagine – you (a private org standing in as a citizen for this narrative) are in a city surrounded by artillery and snipers and you have to decide how best to keep getting water, which involves crossing several streets through town. Some streets are vaguely safer than others, usually, but not necessarily. You occasionally can see or have insight into the people on the hills, but not usually. There are dedicated defenders around, but they’re not well positioned and lack the capacity to defend everyone all the time. Your resources are limited and your freedom to operate is constrained further over time as resources diminish. You can be hit at any time once you move from a standstill from your base/home (and even then, without change, you are at some risk). You sort of make up criteria for decisions that help you feel safer (has anyone crossed that street recently? Were they shot at?) but aren’t really indicative of actual risk.

In this case, trying to decide how and when to get water as a risk based decision is almost a nonsensical proposition: You don’t control your environment, you have a lot of exposure, and you lack relevant information that would change your situation significantly (this isn’t the same as lacking data, just helpful data).

This scenario is substantially different from how we look at cybersecurity and infosec today: Individual defenders, with sufficient skill and competency, access to resources indefinitely and as needed, on a relatively level playing field, trying to prevent, manage, or mitigate individual events on their own.

Ultimately, right now, we’re asking a bunch of non-combatants (you know, most businesses) to have the capacity to effectively and sustainably participate in what is becoming a low level global conflict (inclusive of state to state, criminal, hacktivist, etc activity) while under siege.

This is a broken model and will never, ever get us where we want to be (for more reasons than I’ll lay out here).  We have to break the siege (thoughts on that being out of scope for the moment), which involves a level of strategic cooperation and unity that present culture, politics, business realities, and law do not allow.

(The Parasitic environment analogy is more specific to single-organizations, as it allows for specific targeting: )

Aside: Interestingly, though, from an aggressor standpoint, it might or *might not* look like either a siege or a parasitic environment – ie, aggressors acting individually and *without* coordination are contributing to creating a separate conflict type for defenders (Siege).

I’ve been known, now and again, to mouth off sarcastically that we don’t have any idea what “Cybersecurity” is, strategically – that we have no real concept of what “it” is.  So, as a preface to my upcoming talks, I’ve sketched out a very, very draft and incomplete framework off the top of my head that is, I think, STILL more complete than anything else out there. It’s done in terms of “Environments” that must be managed or that pose describable, discernible, solvable problem spaces that pertain to cybersecurity risk.  Note how different this looks than the NIST Framework, NERC CIP, SANS guidance, what you hear panels talk about, etc. Just remember, I have a lot to add here, which I’ll do after my upcoming talks have been given.


Conflict Environment

  1. Sieges & Unity (Defense problem of community siege-breaking, not incidents)
    1. Game Theory & International Relations
    2. Norms, Stabilization, and Confidence Building Measures
  2. Parasite Management
    1. Single Organization Value Control
    2. Competition for use of shared, not owned infrastructure
  3. Information vs Kinetic Warfare
    1. Long term abuse of misplaced cultural, political, and legal redlines

Technical Environment

  1. Complexity (exposure rising directly and infinitely with complexity)
  2. Competency (technical competency required by all, who cannot maintain)
  3. Security Express-ability (lower layers are approximating upper layer expressions)

Physical Environment 

  1. Geography & Power Delegation (Targets are Geography, cannot insert gov between industry and adversary)
  2. Geography & Proximity (Everyone is a Neighbor)

Single Organizational Environment

  1. Developing Sustainable Practices without requiring core Competency
  2. Decision Making Capacity Building
  3. Full System (Human) Threat Modeling
    1. Self Awareness
    2. Vulnerability/Exposure Identification & Management
    3. Exploitation Opportunity Identification & Management

Human Environment

  1. Stakeholder psychology requires targeted action to achieve desired behavior change
  2. Exceptional Distance between decisions, actions and risk limits involvement
  3. Ability to Process sufficient incoming knowledge tangential to core

National Environment

  1. Common Problem Space Consensus Development/Socialization
  2. Development and Engagement of Appropriate Regimes
  3. Stabilizing vs Developing managed Environments
  4. Business Value Production is inherently and completely tied to exposure creation/mgt, how does gov manage?

Market Environment

  1. Entrenched Industry is sucking needed resources away uselessly, needs derailment (fail, iterate, improve)
  2. Abstract, tenuous connection between market and risk

Leadership Environment 

  1. We Need Generals: Now Guys with Guns Espousing Tactical Requirements in Place of Strategies to Win (Win = Desired level of risk for desired investment over time)
  2. Formal Roles limiting Routing of Knowledge/Capability into available levers (ie, if you’re not selling something, you’re not participating)
