Pouring over endless details of risks, regulations, taxonomies, and technologies can sometimes give us a narrow view of the world, so it seems worthwhile to take a minute to mark the 125th anniversary of the cataclysmic eruption of Krakatoa this week. For those of us that want to think big but can’t remember that far back, this week is also the 3rd anniversary of Hurricane Katrina’s devastating sweep across a wide stretch of the US Gulf Coast.

By now, I expect that most of you have read or are familiar with the 2007 book, The Black Swan, by Nassim Nicholas Taleb, which argues that these kinds of unpredictable, outlying occurrences are the ones that really shape businesses, countries, economies, and people. Taleb argues that although these “Black Swan” events are almost completely unforeseeable, we mistakenly try to explain the circumstances at the time and make predictions about similar events in the future.

In my ERM work with clients, and especially in the context of research I’ve been doing with my colleague Stephanie Balaouras on business continuity and resiliency, questions come up about how to plan for catastrophes... and they’re good questions. Were the CardSystems or TJX data breaches foreseeable? What about the Societe General debacle or the 2004 Indian Ocean tsunami? What’s next? Should these types of events be included in our risk assessments?

We’d like to get your opinion on these and other risks that may be on the very edge of the statistical tail. At what point do they belong in your risk register?

Of course, it’s possible to define mitigating controls for crises, disasters, or incidents without knowing for sure what they’re going to look like. That’s one of the hallmarks of a good crisis management plan. And that’s an important point, because trying to predict the next unforeseeable event can be a real challenge sometimes.

As we’re prone to do here at RMI, I’ve been thinking hard about security, risk and how organizations can become more effective.  We’ve been thinking very hard about metrics and measurement and governance and compliance and assurance and so on and so forth.  And one thing hit me funny today within that context, it’s the mention of the axiom “Security is a People Problem”.

In his article, “What can CISOs learn from the Societe Generale debacle” Khalid Kark writes:

Security is first and foremost a people problem:  Societe Generale probably had good set of security products and technologies in place, but all the security technology in the world won’t necessarily help if an employee is in a position to figure out the processes and has the ability to disable the alarms. It does drive home the point that the insider threat may not be the most popular form of attack, but it usually is the most damaging.

When most people use the phrase, they mean it in this context - it is an association Deming’s second obstacle; “Relying on technology to solve problems” with the practice of Risk Management.  Arthur of Emergent Chaos was kind enough to offer his opinion when I briefly chatted him about the subject.  When asked, “What do you think people mean they say ’security is a people problem’,  he replied:

Mostly, I think it means that people are inherently trusting and also lazy, so things like phishing and soc. engineering tend to work even on trained people.  It could also mean that security that doesnt’ take into account useability is doomed to fail if it’s going to make people jump through hoops.

SECURITY IS LOTS OF PROBLEMS

Now I think both quotes are correct.  And as I’ve thought about the subj. this AM, I’ve come back to the concept that any individual security “issue” is really related to some human actor (even a natural disaster as a cause impacts people and quality of service). But what does that mean for Risk Mangement?  If individual issues are at the whim of the individual actors involved, does that mean Risk Management is a “people problem”?  May I answer “Yes”, but with a caveat?

RISK MANAGEMENT IS AN ORGANIZATIONAL BEHAVIOR PROBLEM

So if the specific act of “secure” is mainly in the hands of people (in ability to attack and/or defend), then, in my mind,  Risk Management becomes an Organizational Behaviour problem.   An organization, though made up of people, almost always acts differently than the whim of any one member.   Let  me offer that IRM is an Org. Behaviour issue because:

1. The risk tolerance of an organization is (should be?) set by the board and by senior management (a group or groups).
2. This risk tolerance is expressed by Policy.  It is organizational communication from the group in 1 to individuals who are now all individually accountable in the same manner (they are treated as a group or organization).
3. The effectiveness of matching “security” to risk tolerance is a function of the security department, audit, external stakeholders like consultants or government actors, and senior management (in their willingness to allocate resources to an operational expense vs. some other “bucket”).  Again, groups (or organizations) of people working under the same premise.

In fact, if you read the Forrester blog post through the lense of Org. Behaviour, you’ll find that many of the lessons to be learned mentioned there aren’t so much people lessons as they are organizational lessons - because what enabled the security at Soc. Gen. was a break down not in technology, not in control, but in the absense of controls, and therefore is a Risk Management issue at it’s heart.

I say Soc. Gen. was a Risk Management issue because Sr. Mgmt. there should have been aware of the risk.  It’s not like this hasn’t happened before (in fact, I recently read a good breakdown of freuqency of such incidents from Protiviti in which they show that these sorts of things happen every 18 months or so).  So  either Sr. Mgmt. was aware of the risk and did not act upon it by changing the behaviour of the organization (my point two, above), or they were not aware of the risk - an ignorance that could only be the result of a non-chalant view of Operational Risk by Sr. Mgmt (point one).

AM I SPLITTING HAIRS?

If you accused me of being to particular here, I’d probably plea “guilty” (after all, people *do* make up organizations).   But if we’re going to actually apply fields of study to the problems in our industry, we can not  ignore the differences between affecting individual actors, and affecting the organization as a whole, and the key to understanding how to influence an organization is to understand Organizational Behaviour.

Here are ten lessons for us security folks to pass on to our executive teams.

·    Security is first and foremost a people problem: Societe Generale probably had good set of security products and technologies in place, but all the security technology in the world won't necessarily help if an employee is in a position to figure out the processes and has the ability to disable the alarms. It does drive home the point that the insider threat may not be the most popular form of attack, but it usually is the most damaging.

·    Monitor privileged access: I have had many conversations with CISOs who are reluctant to monitor their system administrators and privileged access users because they feel that there is a level of trust that exists between them and they may send of a wrong signal by monitoring them. Although a majority of people are trustworthy, trusting your privileged users is not a defense that will hold in any court. You have to design security systems based on the assumption that every user is a malicious user.

·    Policies without implementation are worse than not having policies. I’m sure Societe Generale had a policy of not sharing passwords and mechanisms to encrypt or mask the passwords. So how was Mr. Kerviel able to gain access to not one but multiple passwords? Having a policy creates a liability for the organization to ensure that it is implemented and gives the organization a false sense of security.

·    Everyone is not after the money. One perpetuating myth about hackers is that they are all after financial gain. This may or may not be true. In Societe Generale’s case French prosecutors announced that they'll pursue four charges, including breach of confidence, misrepresentation, and illegal use of logins. The company is not charging Kerviel of trying to steal company secrets or financial fraud. All he wanted was to be seen as an exceptional trader, an astute market player.

·    Policy, Implementation, and Audit should stay separate. We often forget that people who set the policy should not be the ones implementing or auditing it. Although all these groups work together to ensure the security of the organization, insider knowledge in one area should not be shared with other areas. This was clearly not considered when Kerviel moved from the auditing department to the department he audited (i.e., trading).

·    You don’t need to be a genius to “hack” into systems. Kerviel was not a security expert nor did he ever claim to be. He had extensive knowledge of the back office processes that enabled him to side step the controls in place. Jerome Kerviel lists Microsoft Office and Microsoft Visual Basic as his only IT-related skills. That is hardly the profile of a “hacker”.

·    Access restrictions must be implemented as people move within the organization. Access control processes are not implemented well in most organizations. Companies usually terminate access of employees who leave the company, but for people who change positions within a company, this is often the case. Hopefully Kerviel’s access privileges as he changed positions will be closely scrutinized as part of the investigation.

·    Awareness and training serves as the first line of defense. Awareness and training can help reduce a significant amount of risk by informing users of their responsibilities to follow policies and to report suspicious activity. Sadly, this is one area that many organizations ignore. I would be very surprised if there weren’t tell-tale signs of suspicious activity during this episode that a properly trained employee would have been able to spot.

·    Consistent monitoring triggers may be a bellwether of a bigger issue. Societe Generale had challenged Kerviel several times about risky operations, and each time he produced fictitious documents to justify himself. Eurex, a derivatives exchange, alerted Societe Generale in November 2007 about the positions taken by Jerome Kerviel. Not heeding these advance warnings and not understanding that they may have pointed to a much larger risk were clearly mistakes.

·    It could happen to the best of us. Societe Generale was a leader in derivatives and was considered by some to be one of the best risk managers in the world. The company seemed to understand a lot of elements of risk management really well, but still failed in a critically important area. There is often as assumption that things are more under control than they actually are. A recent Deloitte survey found that  46% of companies surveyed failed to have a formal security strategy in place. Still, 69% said they are "very confident" or "extremely confident" about their organization's effectiveness at tackling external security challenges.

Sadly, events such as these articulate the point much more effectively than a CISO saying that we should implement security. So we should take this opportunity to remind our executives of how we could be in similar situations if we don’t manage our information risks effectively.

Blogger: Bob Blakley

Yesterday Societe Generale, the second-biggest bank in France, announced that it had suffered almost 5 billion Euros in losses due to the activities of one of the bank's derivatives traders.

Societe Generale apologized for the losses, and explained a three-day delay in announcing the fraud publicly by saying that bank officials needed time to unwind as many of the fraudulent positions as possible in order to limit the bank¹s losses.

Although Societe Generale did not identify the trader responsible for the fraud in their initial communications, he has subsequently been identified as one Jerome Kerviel.

Societe Generale's press release regarding the incident can be found here:
http://www.telegraph.co.uk/money/graphics/2008/01/24/socgen.pdf.

The details of the fraud are not yet completely clear, and uninformed speculation is not likely to be helpful.  But the first paragraph of the bank¹s press release deserves comment.

Societe Generale begins by saying this: "Societe Generale Group (the "Group") has uncovered a fraud, exceptional in its size and nature: one trader, responsible for plain vanilla futures hedging on European equity market indices, had taken massive fraudulent directional positions in 2007 and 2008 beyond his limited authority."

Three things about this sentence are worrying.  First, the fraud is described as "exceptional in size and nature".   The good ones always are exceptional in size and nature.  Common frauds aren¹t usually hard to prevent after you¹ve seen a lot of them; the reason you pay a risk manager is to prevent the exceptional frauds.

Second, the bank describes Kerviel¹s job as "plain vanilla futures hedging." The worry here is that the bank¹s risk managers think futures hedging risks not worth worrying about because they¹re just "plain vanilla."

The third worrying thing is the last clause: "one trader... had taken massive fraudulent directional positions... beyond his limited authority." Clearly his authority was NOT limited; the risk management and governance mechanisms of the bank apparently failed to prevent Kerviel from exceeding his authority, and they also apparently failed to detect his actions in time to limit the damage.

Societe Generale goes on to say this in the last half of the first paragraph: "Aided by his in-depth knowledge of the control procedures, resulting from his former employment in the middle-office, he managed to conceal these positions through a scheme of elaborate fictitious transactions."

The governance and risk management lessons are the two usual ones:

1. The fox is a dangerous guard for the henhouse.  It may be safe to move traders into the design of risk-management systems; it is probably not a great idea to move the risk management personnel onto the trading desk.

2. The most dangerous assumption in the security business is the assumption that there are good guys. The risk management system MUST be designed to be secure even against attacks by insiders who have developed and operated it.

The only way to design a system to be secure against these insider attacks is to have strong attestation, transaction tracking, dual control, and supervision features - in other words, to ensure that activities are carried out in public and reviewed in a timely way.

Societe Generale appears to acknowledge these lessons later in the press release, when the bank notes that "The individuals in charge of his [Kerviel's - ed.] supervision will leave the Group."  Firing Kerviel's bosses will not fix the problem; only improving the bank¹s governance will prevent future frauds.

Blogger: Bob Blakley

Yesterday Societe Generale, the second-biggest bank in France, announced that it had suffered almost 5 billion Euros in losses due to the activities of one of the bank's derivatives traders.

Societe Generale apologized for the losses, and explained a three-day delay in announcing the fraud publicly by saying that bank officials needed time to unwind as many of the fraudulent positions as possible in order to limit the bank??s losses.

Although Societe Generale did not identify the trader responsible for the fraud in their initial communications, he has subsequently been identified as one Jerome Kerviel.

Societe Generale's press release regarding the incident can be found here:
http://www.telegraph.co.uk/money/graphics/2008/01/24/socgen.pdf.

The details of the fraud are not yet completely clear, and uninformed speculation is not likely to be helpful.  But the first paragraph of the bank??s press release deserves comment.

Societe Generale begins by saying this: "Societe Generale Group (the "Group") has uncovered a fraud, exceptional in its size and nature: one trader, responsible for plain vanilla futures hedging on European equity market indices, had taken massive fraudulent directional positions in 2007 and 2008 beyond his limited authority."

Three things about this sentence are worrying.  First, the fraud is described as "exceptional in size and nature".   The good ones always are exceptional in size and nature.  Common frauds aren??t usually hard to prevent after you??ve seen a lot of them; the reason you pay a risk manager is to prevent the exceptional frauds.

Second, the bank describes Kerviel??s job as "plain vanilla futures hedging." The worry here is that the bank??s risk managers think futures hedging risks not worth worrying about because they??re just "plain vanilla."

The third worrying thing is the last clause: "one trader... had taken massive fraudulent directional positions... beyond his limited authority." Clearly his authority was NOT limited; the risk management and governance mechanisms of the bank apparently failed to prevent Kerviel from exceeding his authority, and they also apparently failed to detect his actions in time to limit the damage.

Societe Generale goes on to say this in the last half of the first paragraph: "Aided by his in-depth knowledge of the control procedures, resulting from his former employment in the middle-office, he managed to conceal these positions through a scheme of elaborate fictitious transactions."

The governance and risk management lessons are the two usual ones:

1. The fox is a dangerous guard for the henhouse.  It may be safe to move traders into the design of risk-management systems; it is probably not a great idea to move the risk management personnel onto the trading desk.

2. The most dangerous assumption in the security business is the assumption that there are good guys. The risk management system MUST be designed to be secure even against attacks by insiders who have developed and operated it.

The only way to design a system to be secure against these insider attacks is to have strong attestation, transaction tracking, dual control, and supervision features - in other words, to ensure that activities are carried out in public and reviewed in a timely way.

Societe Generale appears to acknowledge these lessons later in the press release, when the bank notes that "The individuals in charge of his [Kerviel's - ed.] supervision will leave the Group."  Firing Kerviel's bosses will not fix the problem; only improving the bank??s governance will prevent future frauds.