Information Warfare (IW): a "New" Hazard, Old Syndromes, and the Look of a Risk and Crisis Manager
by Cesar Oboni and Franco Oboni, Oboni Riskope Associates Inc., www.riskope.com
Owing to the paradigm shift in recent military and commercial conflicts, Information Warfare (IW) is, and will increasingly become, a focal point of the Risk and Crisis Management (RM-CM) efforts of any enterprise, from local companies up to country-sized and global organizations.
INTRODUCTION
Information Warfare (IW) is more and more heavily discussed in the news during or in the aftermath of conflicts (the 2008 invasion of Georgia, for example: http://tinyurl.com/08-Georgia-inv), and references to IW abound in civilian and military publications (GAO, 2001a; GAO, 2001b; GAO, 2001c). Meanwhile, voices are raised in various countries (Birnbaum, 2005; Vernez, 2009) claiming that "information fighters become an increasingly common phenomenon" and that new controls should therefore be embraced (Lesser et al., 1999; Thuraisingham, 2003).

This "new" awareness is further confirmed by NATO and the Pentagon stating that there is an urgent need to tackle cyber attacks from organized national armies or from rogue hackers acting on their own initiative or on behalf of partisan or terror groups (http://tinyurl.com/07-nato-cyberAtt; http://tinyurl.com/pentagone-cyberwar-is-now). As a final confirmation, if one were needed, of the seriousness of these concerns, a new ISO standard, ISO/IEC 27001 (2005), came to fill the void in this realm.

The aim of this paper is to show how a transparent Risk and Crisis Management (RM-CM) approach can help organizations of any size and scope avoid wasting money on costly and ineffective mitigations, by steering clear of the well-known behavioural syndromes summarized in the next sections.
INFORMATION WARFARE IS A HAZARD LIKE ANY OTHER
IW is a hazard like earthquakes, fires, landmines, etc., no more, no less, and should be treated accordingly (Oboni & Oboni, 2007). Even terrorism is a hazard like any other and should be treated in a logical, risk-based way (Oboni & Oboni, 2004a; Oboni & Oboni, 2004b; Oboni & Oboni, 2004c).

Unfortunately, a lot of "mystique writing" is produced in the IW risk management field, probably because of its "new, thus mysterious" nature and the aura of secrecy that its "covert operations" flavour lends it.

For example, the widespread idea that the IW threat is unquantifiable is absurd at best, and is probably the root cause of the inertia many display in taking up this cause: why would one invest in IW mitigation if the hazard is, as the specialists say, unquantifiable? Incidentally, a maxim commonly attributed to Peter Drucker, from a different field of management, summarizes this type of reaction beautifully: "If you can't measure it, you can't manage it".

Hazards are generally declared unquantifiable by people who may know every detail of the hazard but do not understand Risk and Crisis Management. This can be exemplified by the fierce resistance the authors met when, under a UNDP mandate to create a risk management tool for unexploded ordnance in Laos and other mined countries (GICHD, 2005; GICHD, 2007, http://tinyurl.com/07-GICHD), demining experts stated that "it was impossible" to encode "all the experience and the flair resulting from a life spent in the field". To the great surprise of those same experts, a field test showed the RM model to be far more accurate than their "experience-based" approach (Oboni & Oboni, 2009).

Another example is people stating that, since "statistics are missing", it is impossible to evaluate hazards and risks. If that were true, how could we perform risk assessments on projects that are still on paper and, moreover, be quite successful at managing their future issues? Techniques to cope with a lack of statistics do exist, but they have to be applied by specialists in Risk Management, not by specialists in the hazards, who, tragically, generally think only in terms of the past, not of the future, i.e. in terms of biased and censored statistics ("clean" statistics are very rare in any field).

The conclusion is that a Risk Manager is required to help an organization understand what risks are generated by all the potential hazards surrounding it (natural, financial, man-made, information, environmental, etc.), including IW. Think about this:
- When you go for your yearly check-up you go to your General Practitioner, not to a Specialist. Capable as the Specialist is in his own domain, he will most likely focus on what he knows best and may therefore miss some more obvious problems.

- When you need a vaccine you talk neither to the biologist who did the research in the domain (he will most likely not know what the vaccine will do to your body) nor to a pharmaceutical manufacturer (who will have a biased point of view, as they love to sell their products), but to your Family Doctor, who knows you well and should have a holistic approach to your health.

Consider the Risk Manager as the Family Doctor: a highly qualified person who is neutral and unbiased, has a holistic approach and cares about your health. After a thorough check-up, i.e. once the various hazards are identified and characterized (magnitude, frequency, probability), the Risk Manager will help evaluate the potential consequences of a hit on the system and will finally deliver a risk estimate in a clear and transparent way. The Risk Manager will then help the organization define its tolerability threshold; techniques now exist to facilitate this endeavour and produce meaningful curves (Oboni & Oboni, 2007).

The risks are then compared to the organization's own tolerability threshold, and from there a ranking based on the intolerable part of each scenario is produced. Such a list will look very different from the "usual" ranked list of risks (a sort of top ten of potential catastrophes), which can actually be shown to be dangerously misleading for prioritization and decision making: a scenario with a large expected loss may sit entirely below the threshold, while a smaller one may exceed it and deserve the mitigation budget.

At this point the Risk Manager will have concluded his job, having delivered a clear and sustainable road map for the risk and crisis mitigation of the organization, which in turn contributes to enhancing the organization's chances of success and survival.
THE RISK MANAGEMENT RELATED SYNDROMES
IW, being a hazard like any other, has to be treated transparently (which does not exclude secrecy/confidentiality), in order to avoid various well-known organizational money-wasting syndromes related to risk, which we summarize in three points:

The "specialist syndrome": this syndrome leads hazard specialists, i.e. in this case IW hazard specialists (military, IT, political scientists, etc.), to believe that they understand how to evaluate its risks.

The "denial syndrome": this syndrome is exemplified by the classic "it will not happen to me: I am too large, too small, it can only happen to others", etc.

The "technology fix-it-all syndrome": this syndrome leads to the classic excesses driven by hardware vendors and other biased parties who want to erase aspects of the hazard but miss the true nature of the risks. History is full of impregnable castles that fell in a day, starting with Troy; of unsinkable vessels that sank miserably; of invincible armies that starved or froze to death too far from a logistic base (the Russian campaigns, etc.). Furthermore, examples abound of laws and decrees aimed at solving one situation and then backfiring on another: parking aircraft close together at Pearl Harbor to prevent "local sabotage", only to offer easy prey to the attacking Japanese naval aircraft, etc.
A TRANSPARENT TREATMENT OF IW RISKS
In Information Security (IS), a risk "R" is typically written as the combination of an asset, the threats to the asset and the vulnerability that can be exploited by the threats to impact that asset. This definition of R is consistent with the definition used for any other hazard, from landslides to fires, chemical accidents, etc. An example would be: our desktop computers (Asset or Target) can be compromised by malware (Threat or Hazard) entering the environment as an email attachment (Vulnerability). Thus R is assessed as a function of three variables:

1. the probability that there is a threat;
2. the probability that there are any vulnerabilities;
3. the potential impact on the business (also called Cost of Consequences, "C").

The two probabilities are sometimes combined into a single likelihood (probability) "p" of a hit by the Hazard following a given scenario; note that simply multiplying them assumes the threat and the vulnerability are independent, an assumption worth checking for each scenario. The same exact treatment can be developed for IW, or for any other risk, as a matter of fact.
Scenario: a "group of interest" wants to destroy your business by an "intoxication" (disinformation) campaign related to your production in China.
Risk Evaluation:

1. there is a probability that such a group exists, based among other things on your type of business, your presence on the market(s), etc.;
2. there is a probability that they will select the China production as the most vulnerable part of your business;
3. the potential impact of such a campaign could cost you x% market share in Europe for n years, y% market share in the US for m years, etc.

You will note that the "enemy" has not been explicitly introduced in this discussion. In IW the "enemy" will most likely be "invisible", but will belong to a certain type (Parker et al., 2004). Knowledge of the "enemy" type will help in determining the nature and probability of a hit and the resulting consequences. In a study (Riskope International, 2005) the authors resolved to use the "aim" of the IW campaign as the discriminant.

It is important to note that this apparently simple formulation of risk actually hides numerous difficulties, insofar as neither the probability evaluation nor the cost of consequences is easy to derive. Many attempts have been made in the literature to detail the definition of risk further, but none has achieved a better definition, often ending up with mistakes and biases (for example resulting in double counting). As we will see below, it is well worth overcoming these difficulties and entering the world of rational risk management.

In the example above one can say: The risk R of the scenario "Our business hit by a campaign of 00
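As a worked illustration of the three-variable formulation above and of the tolerability ranking described in the previous section, here is an added example; it is not the authors' model, nor Riskope's tool. It encodes the paper's scenario (a disinformation campaign against the China production, with the impact expressed as x% market share in Europe for n years and y% in the US for m years) alongside three further constructed scenarios. The revenue figures, the probabilities, the piecewise tolerability curve and the independence of the two probabilities are all assumptions made for illustration; the point is only that ranking by the intolerable part of each scenario reorders the list produced by ranking on R alone.

```python
"""Worked risk evaluation for the IW scenario in the text.

Added example, not the authors' model. Every number and the shape of the
tolerability curve are assumptions. Probabilities are annual; money is in
thousands of currency units (k).
"""
from dataclasses import dataclass


@dataclass
class MarketLoss:
    """Impact expressed as in the paper: x% market share in a market for n years."""
    market: str
    share_loss: float      # fraction of market share lost, e.g. 0.05 for 5%
    annual_revenue: float  # revenue currently earned in that market (k/year)
    years: int


def cost_of_consequences(losses):
    """C: lost revenue summed over all markets and years (assumed linear model)."""
    return sum(l.share_loss * l.annual_revenue * l.years for l in losses)


@dataclass
class Scenario:
    name: str
    p_threat: float  # probability that such an actor exists and targets you
    p_vuln: float    # probability that the chosen weak point is actually exploitable
    cost: float      # C, cost of consequences (k)

    @property
    def likelihood(self):
        """p: the two probabilities combined (assumes they are independent)."""
        return self.p_threat * self.p_vuln

    @property
    def risk(self):
        """R = p * C, the expected annual loss."""
        return self.likelihood * self.cost


def tolerable_likelihood(cost):
    """Assumed tolerability curve: the largest annual probability the
    organisation accepts for a consequence of the given size. It is piecewise
    and steeper than 1/C, i.e. more averse to large consequences. Hypothetical."""
    if cost < 100:
        return 0.5
    if cost < 1000:
        return 0.05
    if cost < 10000:
        return 0.01
    return 0.001


def intolerable_part(s):
    """The part of the risk lying above the tolerability threshold; zero when tolerable."""
    excess_p = s.likelihood - tolerable_likelihood(s.cost)
    return max(0.0, excess_p) * s.cost


def rank_by_risk(scenarios):
    """The 'usual' top-ten style list: sorted on R alone."""
    return [s.name for s in sorted(scenarios, key=lambda s: s.risk, reverse=True)]


def rank_by_intolerable_part(scenarios):
    """The ranking the paper advocates: sorted on the intolerable part only."""
    return [s.name for s in sorted(scenarios, key=intolerable_part, reverse=True)]


# Constructed input. The first scenario is the paper's; the other three are
# invented to show how the two rankings diverge.
CAMPAIGN_COST = cost_of_consequences([
    MarketLoss("Europe", 0.05, 40000, 2),   # 5% share, 2 years
    MarketLoss("US", 0.02, 25000, 2),       # 2% share, 2 years
])

SCENARIOS = [
    Scenario("intoxication campaign on China production", 0.4, 0.25, CAMPAIGN_COST),
    Scenario("forged press release on a product recall", 0.3, 0.04, 9000),
    Scenario("defacement of corporate web site", 1.0, 0.5, 120),
    Scenario("leak of customer database", 0.05, 0.02, 20000),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name:45s} p={s.likelihood:.3f} C={s.cost:8.0f} "
              f"R={s.risk:6.1f} intolerable={intolerable_part(s):6.1f}")
    print("top-ten style ranking:      ", rank_by_risk(SCENARIOS))
    print("ranking by intolerable part:", rank_by_intolerable_part(SCENARIOS))
```

Run as a script it prints both lists. On R alone the forged press release (R = 108) outranks the defacement (R = 60), but the defacement carries more intolerable risk (54 against 18) because its likelihood exceeds what the organisation tolerates at that consequence size tenfold, whereas the press release scenario only just crosses its line. The database leak, with a non-negligible R of 20, lies wholly within tolerance and therefore attracts no mitigation budget at all, which is precisely the information a top-ten list hides.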