Oct 17 2013
One of the cool things we’ve found on TV since moving to the UK is QI XL. It’s a BBC show hosted by Stephen Fry where they take a rather comedic romp through a bunch of facts that may or may not have anything to do with one another. Last night’s show was about Killers and a term that was completely new to me came up, a unit of measure called the ‘micromort’. It’s basically a measurement equal to a one in a million chance of dying because of a specific event. Really, it’s a scientifically valid measurement of risk. And yes, our family has a strange idea of ‘cool’.
Why is the micromort important, and how is it relevant to security? Because humans, and security professionals are included in that category, have a horrible sense of the risks involved in any action. For example, you are 11 times more likely to die from a 1 mile bike ride (.22 micromorts) than from a shark attack (.02 micromorts). Yet the same people who greatly fear sharks are happy to go on a bike ride every day. And many of those people smoke, which costs a single micromort for every 1.4 cigarettes smoked. People suck at risk analysis.
So could we come up with a similar unit of measurement for a one-in-a-million chance that a single action leads to a breach? Someone needs to find a better name for it, but for the sake of argument, let’s call it a microbreach. Every day you go without patching a system inside your perimeter is worth a microbreach. Deploying a SQL server directly into the DMZ is 1000 microbreaches. And deploying any Windows system directly onto the Internet is 10 million microbreaches, well past the million that would make a breach a certainty, because you know that it’ll be scanned and found by randomly scanning botnets within minutes, if not seconds.
The problem is that the actuarial tables the micromort measurements are drawn from are built on millions of daily events. People die every day, it’s an inevitability, and we have a very black and white way of deciding when a person is dead. Security has none of that: we can’t even agree on what constitutes a breach at this point in time, we don’t have millions of events to draw our data from (I hope), and even if we do, we’re not reporting them in a way that could be used to build statistics about the causes of those events.
Some day we might be able to define a microbreach and the cost of any action in scientific terms. There are small sections of the security community that argue endlessly about the term ‘risk’ and I have to believe they’re inching slowly towards a more accurate way to measure said risks. I don’t expect those arguments to be settled any time soon, and perhaps not even in my lifetime. So instead I’ll leave you with an entertaining video on the micromort to watch. Thanks to David Szpunar (@dszp on twitter) for pointing me to it.