Wednesday, June 8, 2011

Focus on the situation not the control types

We all know the three security control types: preventive, detective, corrective. When you are analyzing how to mitigate a risk you typically think about these three control types.

I find it more intuitive to focus on the stage of the event: pre-event, event, post-event. Framing the problem this way creates context and leads faster to the identification of suitable controls.

Wikipedia maps the control types to the event stages like this:
  • Before the event, preventive controls are intended to prevent an incident from occurring e.g. by locking out unauthorized intruders;

  • During the event, detective controls are intended to identify and characterize an incident in progress e.g. by sounding the intruder alarm and alerting the security guards or police;

  • After the event, corrective controls are intended to limit the extent of any damage caused by the incident e.g. by recovering the organization to normal working status as efficiently as possible.

The only problem I have with that is the mapping of "during the event, detective controls". When an event is occurring, detective controls are not your only option; you could also apply additional "preventive" controls. For example, a worm is spreading in your network (the event) and you shape your network traffic to slow it down or stop it from spreading further. One could argue that you are preventing it from creating a new event, but that treats the event as a series of isolated incidents, which I believe is counterproductive compared with looking at it as one single event.

This approach has been known in the injury prevention field as the Haddon Matrix, which basically addresses the three stages but investigates them through different factors.

Also interesting are the possible ways to react in the three stages (reproduced below from Wikipedia), which are easily applicable to information security problems if you replace "agent" with "threat agent" and "host" with "asset".

Pre-event:

1. Prevent the existence of the agent.
2. Prevent the release of the agent.
3. Separate the agent from the host.
4. Provide protection for the host.

Event:

1. Minimize the amount of agent present.
2. Control the pattern of release of the agent to minimize damage.
3. Control the interaction between the agent and host to minimize damage.
4. Increase the resilience of the host.

Post-event:

1. Provide a rapid treatment response for the host.
2. Provide treatment and rehabilitation for the host.

If anyone has some good ideas how to apply the Haddon Matrix to information security and can suggest some factors to use, please share.