The myth of the ICT platform risk assessment

Gaute Wangen
8 min read · Nov 11, 2020


Some background on this story: I took a course in IT security rhetorics with professor Stewart Kowalski back in 2016 as a part of my Ph.D training. In the course, we were tasked with writing a Halloween cybersecurity horror story. This essay is written in oral style and I have a bit of fun with my prior experiences in cyber risk management and the security culture in general. Enjoy!

Lol. Source: https://smallbusiness.co.uk/cybercrime-halloween-horror-story-2541385/

This is the true version of a true story that took place on the other side of Mjøsa, according to many; the right side. But as you will realize after this story, maybe we are just as good on this side. It was a dark autumn day, in the lord’s year 2013. The temperature had already dropped to minus 20, and it stayed that way until May.

I was working in Norway’s largest and meanest health conglomerate, which administers all the money for the hospitals in the south-east… This is where all the cold-blooded, ruthless and sadistic doctors end up, those who no longer want to treat patients, but instead need to satisfy their thirst for power and blood.

I was in my 29th year of youth at the time. The information security team consisted of two people, me and my boss, let’s call her Anne. We were part of a larger unit for eHealth which governed, aided, and assisted projects both at regional and the local level. Our unit consisted of about 20 people, the average age was … imagine the old vampire councils in movies, yes, ancient, I was by far the youngest. And we were being led by this business class financial vampire, let us call him Thomas the Wolf. In the Wolf’s mind, there existed only three things: career, money, and power. But I digress, more on the Wolf later. Back on point, my information security unit was organized on top of a larger security organization. This organization included security personnel from all the hospitals, about 15 in total, and the chief infosec officer from the IT supplier, Sick house partner. In one of the largest hospitals in the country capital, loomed a large evil witch. She liked to eat your privacy for breakfast. However, this story is not about her. This story is about the risk assessment that disappeared.

As many of you may or may not know, we use risk assessment to make decisions. For example, by contemplating vital questions such as “Should I jump?”, “Are there enough women watching?”, “Are they pretty?”, and “Will I harm myself?” “What is the likelihood of harming myself?” “And will I get all the women if I succeed?”

Three years before this dark autumn day in 2013, in the Gondor year of the dragon, a risk assessment had been ordered. Who had placed the order? We do not know.
But now, in 2013, in the Dothraki year of the conflict, the results had finally emerged. Where it came from, we cannot say. However, there were rumours that the risk assessors lived in trees and had sweat that could be used to clean precious metals. Others claimed that the risk assessors gave birth to Chuck Norris and Steven Seagal. All we know is that after three long years, the dreaded information, communication and technology risk assessment for the southeastern region health sector came to be. Just like a true masterplan, all had contributed pieces of information to the document. Still, honestly, no one knew the whole picture. People claimed it to be higher powers working through intelligent design, but I personally, do not know what to believe. All that matters was that we had one risk assessment to govern future risk assessments. One risk assessment to steer security work. One risk assessment to rule them all.

There was only one problem; the risk assessment results were so sensitive that no one could read the document without becoming permanently blind, sterile, and narcoleptic. So, after burning through the eyesight and vitality of multiple Oslo consultants… A side note: the thing about Oslo consultants, you know they grow on trees?
Anyway, after a long, dark and tedious process, a spoken summary of the results was synthesized, first in blind text, then converted into binary to protect the readers. Before, finally, a PowerPoint format was produced such that it could be communicated. Though, for the sake of the reproductive abilities of the audience, I shall not recite the content of this dreadful document, which I could not fully comprehend anyway.

Then came the day when the risk assessment results were going to be presented to our eHealth group…

Source: http://www.insidewiltshire.co.uk/photos-of-fire-garden-at-stonehenge/

In our monthly meeting, all the ancients gathered in a circle of knowledge and wisdom. Imagine Stonehenge in its prime, with the bonfire in the middle. Not like that, but close, just exchange the bonfire with the projector. We were gathered on this dark rainy day, in this murky room. The walls were illuminated with the waves of light from the projector — the eHealth group seated in a horseshoe formation. From which the Wolf gets up and steps into the middle of the horseshoe. And, with his ancient powers of bullshitology granted to him by the business schools of France, he declares the palaver opened. The Wolf introduces the content of the palaver: First, he, himself, would recite the ancient prophecies of economics, recited through a reading of the stars and the annual budget. Second, the high priest from the church of enterprise architecture would read us a passage from the TOGAF bible. Third, the oracles of project management would shower us with their PRINCE2 predictions. Then, at last, Anne would introduce the ICT platform risk assessment. Thus, we went through the rituals called economics and project management while we waited to reveal the results.

As the chanting died down and the drums stopped beating, it was InfoSec’s turn to partake in the ritual of displaying results. Armed with the mightiest weapons known to InfoSec people: the triplet of Fear, Uncertainty, and Doubt. In short, FUD. Anne went into the middle of the horseshoe, arms folded, western stance. As she put the USB stick into the computer, the light flickered in the room, and the temperature immediately dropped 30 degrees (Celsius, not Fahrenheit). She flicked the first slide onto the screen, it read “ICT Platform Risk Assessment”, and the room went into complete silence. We could hear the dying roar of a fly being eaten by a caterpillar in the back of the room.

Next slide, “Risk Area 1 — Inadequate security architecture”… as Anne recited the two most pressing risks, I could see people in the room instantly ageing 10 years.

Next slide, “Risk Area 2 — Operational environment”, three risks; it was just too much to handle for one of the older members, his mind went haywire and he started chanting verses from the ISO27001 standard in the back of the room.

Then the final area, “Risk Area 3 — Lack of Risk Management”. Which was, known only to the people attending the palaver, but I am sharing this with you now, dear reader, in confidence. When they discovered it, it caused the Icelandic volcano, Eyjafjallajökull, to erupt.

Eyjafjallajökull erupts!

Completely shellshocked, the audience were huddling together, in terror of what they knew would come next: the estimations of probability and consequence. Before Anne could flip to the next slide, a voice whispered in terror: “Probability is not an appropriate measurement of information security risk!” Anne replied, “Your logic is flawed because, without probability, all you have is an assessment of consequence, which is not risk.”

At last then, came the much-feared risk score. 4 risks within the unacceptable area… It was just too much! The proposed treatments were just not good enough! The cost-benefit analysis was flawed! The risks were too severe! The sun illuminated too much!

At that point, the Wolf stood up and shut down the projector. “Thou shall not speak to anyone about what thee have observed here today!” he proclaimed. He takes Anne out of the meeting room, and tells her that what she had presented here was not suited for such an old and fragile audience. It would have been best to have told him this in a one-to-one meeting. He vowed to never present these results to upper management, and that he shall never risk his neck for information security people ever again. Thus, he actively worked against the information security unit ever since, and, last I heard, he was trying to outsource all of our hospital systems to the US, Hungary, and India.

And the ICT platform risk assessment… well… there were whispers that the risk assessment was then stored in the deepest drawer of the largest, oldest, and darkest oaken desk located in the most remote cellar at Sick house partner. Some say it was first AES encrypted with a 256 million bit key, the ciphertext broken into 211 pieces, one piece stored with each of the living catholic cardinals. The cipher key, however, is rumored to have been written down and taped to the bottom of the Mars Curiosity Rover before launch. And, thus, the ICT risk assessment was lost to the ages, never to be seen again.

“Risk assessment!” said I, “thing of evil! — Prophet still, if bird or devil! -Whether risk Remediation sent, or whether remediation tossed thee here ashore,
Desolate yet all undaunted, in this digital land enchanted-
On this home by Horror haunted- tell me truly, I implore-
Is there- is there information security in Southeast?- tell me- tell me, I implore!”

Quoth the Wolf, “Nevermore.”

Written by Gaute Wangen

Co-founder and inventor at Diri AS. Ph.D. cyber risk management and associate professor in information security. #cybersheriff
