Decision making models in Information Security

Security Management is about good decision making.

How security decisions are made in organisations is officially the domain of security governance, but decision making models have traditionally been discussed under security management. Hence, we will try to influence your choice of decision model in this management section of our web site.

The 17799 security standard promotes the use of the Plan, Do, Check, Act (PDCA) decision making model, and as a result most books on Information Security and Risk Management emphasise planning. Unfortunately, this decision model de-emphasises the need to observe your security environment in order to understand what is going on. While 10 years ago most Unix system administrators responsible for system security knew exactly what was happening on their systems, nowadays most systems and security administrators have only a limited understanding of the behaviour of their systems and users. Even more importantly, we no longer found any evidence of feedback loops in the security of the organisations we visited for our case studies.

PDCA is a perfect decision model if you want to stimulate a pro-active stance in information security. Being able to react to (potential) security incidents at both a tactical and a strategic level is, however, just as important. I started my career in information security with research in anomaly-based Intrusion Detection Systems and have, therefore, long held the belief that without monitoring your security environment there is no security. For instance, before some started promoting it as a pro-active strategy, the original Defense in Depth strategy was really a reactive strategy. The initial aim of Defense in Depth is to create a defensive environment in which you have time to react to a developing incident before major damage occurs. And, to be able to react in time, Defense in Depth requires you to monitor your environment for early warnings.

In an excellent paper by Prof. Grant from the Netherlands Defense Academy (see our bibliography), many of the decision models in the literature are compared and evaluated for use in military Command and Control. That particular paper brought the Observe, Orient, Decide and Act (OODA) decision model to my attention. While initially used more at the operational level, I am more interested in its use at the strategic level, and will discuss this model in more detail on a separate OODA page. However, I would like to make it clear that what attracts me most in this model is its name. My experience is that these decision models are only used superficially in a business environment, so most of the shortcomings of this decision model listed in Prof. Grant's paper are not relevant here. What is important is that security managers always seem to be looking for shortcuts to simplify their management processes, and with Observe and Orient in the title, as well as its emphasis on feedback loops, promoting this model will ensure that these aspects of decision making in Information Security are not left out.
