Last Updated: 2015-12-15 21:30:41 UTC
by Russ McRee (Version: 1)
"And now for something completely different." - Monty Python
Subtitle: Captain Obvious Applies Chaos Theory
This diary breaks a bit from our expected norms to discuss managing possible outcomes originating from a data breach and the resulting organization-wide SDL and security response process.
I’ll incorporate chaos theory, specifically the butterfly effect, to exemplify methods for security managers useful in reducing possible chaotic outcomes and increasing orderly, successful outcomes.
Our imaginary company discussed herein is Pathos, an international mental health-oriented software-as-a-service (SaaS) provider. :-)
The scenario begins with a data breach suffered by Pathos.
Limited Secure Development Lifecycle (SDL) practices have been utilized at Pathos and the service has just fallen victim to a damaging compromise. As such, management’s concern had risen significantly. Numerous recent headlines involving attacks against other health-oriented SaaS providers led to reactive brainstorming sessions involving executive leadership. Their fear is based on the premise that attackers will return, causing more damage.
The executive team then tasked the information security team with implementing the following requirements, applicable to the Pathos software development teams, and security operations, supported by a written policy:
1) All code pending release to the production service must be statically analyzed for code errors prior to release to the staging environment.
2) All applications pending deployment from the staging environment to the production environment must be dynamically scanned for web application flaws.
3) Implement a security incident management (IM) program to better respond when breaches occur.
When introducing new programs of this nature, particularly in a reactionary manner rather than as proactive steps, the possible outcomes (chaotic or orderly) that occur depend entirely on decisions made and actions taken by Pathos leadership.
Should Pathos management fail to provide clear and defined leadership as they introduce these new initiatives and fail to plan for possible responses from the affected teams, the resulting chaos could have lasting and profound organizational impact. Let’s explore some guidelines for avoiding that chaos.
Chaos theory and the Butterfly Effect
Chaos theory defines organizations and businesses as complex, dynamic, entities whose future performance cannot be decided simply by measuring past and present events and actions.
In a state of chaos, organizations behave in ways which are simultaneously both unpredictable (chaotic) and patterned (orderly). (i)
This premise can be further refined with an understanding of the butterfly effect. Coined by Edward Lorenz, the butterfly effect was first used to describe the chaotic nature of weather and a process with which to statistically model weather non-linearly. (ii)
More succinctly, the Butterfly Effect indicates that the slightest change in initial conditions can lead to extraordinarily different outcomes over time. Lorenz aptly entitled his 1972 talk on this phenomenon “Predictability: Does the Flap of a Butterfly’s Wings in Brazil set off a Tornado in Texas?”
The statement “the slightest change in initial conditions can lead to extraordinarily different outcomes over time” is the basis of what we’re exploring here.
The initiatives and possible outcomes
Consider that complex environments, such as our imaginary company Pathos (a dynamic environment with numerous interrelated teams), tend to encounter bifurcations, “a point of branching or forking into qualitatively new types of behavior." (iii) When amplified, these bifurcations can lead either to order or to chaos (iv). Thus, as Pathos introduces additional SDL-related requirements and a security incident management program after a data breach in their complex environment, over time, there will likely be issues. Seemingly minor variations in Pathos management’s approach can result in a bifurcation, thus leading the organization in a potentially less-than desirable direction.
As Pathos introduces these new initiatives there are two possible outcomes that depend directly on how Pathos management approaches the process.
The first possible outcome (chaotic) results from a lack of communication, transparency, and planning on Pathos management’s part, and leads to organizational disarray, continued insecure code and applications, reduced productivity, delayed releases, and ultimately a loss of revenue. The security incident management program is not well implemented and supported, largely a paper tiger, and individual teams conduct response activities in a silo without unifying approaches.
The second possible outcome (orderly), preceded by careful and thoughtful management planning coupled with a phased approach leads to a much more linear, predictable response from the Pathos development and operations teams, leading to improved code and application quality, increased revenue, and unified incident management.
The prospect of chaos or disorder can be controlled by reducing the number of responses available to involved parties concerning the proposed initiatives. By managing outcomes through well-developed initiatives, with clear implementation plans, it can be demonstrated that adoption of the Pathos SDL and IM initiatives will be more successful.
In this scenario a quick, reactive decision by leadership to implement the SDL and IM policies included no prior discussion with Pathos development and operations staff and no awareness campaign took place. The initiatives were simply implemented and immediately enforced by the staging and production deployment engineers as well as security operations analysts. The development teams were caught completely unaware when attempting to release their next scheduled efforts to staging and production. The forensics and PR teams, still dealing with the initial breach were not consulted regarding the incident management plan. The net result is a complete productivity freeze where all schedules and plans, as well as all future release dates, required new delayed timelines to allow for adherence to the new SDL. Additionally, what should become a unified incident management program becomes a number of redundant processes, resulting in varied findings and a disjointed message in the press.
This lack of planning on Pathos management’s part leads to more chaos with less controlled outcomes given all the likely responses. Policy and program implementation without a plan as outlined below in Orderly outcome allows for varied responses leading to chaotic outcomes.
Possible responses from the Pathos development and operations teams include:
1. Attempts to circumvent the policy
2. Reduced morale leading to reduced productivity and work quality
3. Flagrant non-compliance
4. Further reduced application security, counter to the policy’s intention, due to increased deliverable timeline pressure
5. Delayed product release due changes in timelines to accommodate policy
6. Disjointed, scattered and ineffective incident response processes
These five outcomes are mathematically modeled in Figure 1 below, exemplifying that failing to control outcomes through proper planning leads to increased organizational chaos.
In this scenario, although Pathos leadership sought to achieve quick and positive results from their SDL and IM policy and program initiatives, they took additional time to plan implementation. Their efforts included staff focus groups, a phased awareness campaign, and a countdown to implementation allowing development and operations teams to adjust their release and production cycles and timelines to allow for the newly required release gateways. Management transparency and open candor allowed the teams the opportunity to embrace the new approaches.
In so doing, the Pathos leadership team reduced the propensity for chaos, lessening the likelihood of dynamic or complex responses from development teams. More simply, good planning leads to better outcomes.
A probable response from the development teams under this scenario includes:
- Improved code and application security and quality
- Improved morale based on pride in an improved and enhance product driven by the additional policy-driven security checks
A probable response from security operations teams under this scenario includes:
- Unified response processes with a collaborative, cross-team approach that is well understood
- Public relations messages and consistency also improves with a favorable press response
The impact and likelihood of another data breach is reduced on both fronts.
Of benefit to Pathos in general is increased revenue as a result of timely releases and increased consumer confidence and satisfaction.
This outcome is mathematically modeled in Figure 2 below, exemplifying that controlling outcome through proper planning can reduce chaos.
Visualizing outcomes via Butterfly Effect modeling
Bifurcations, as described above, can be caused dependent on the Pathos management decision process, resulting in chaotic or orderly outcomes. The mathematics utilized by Edward Lorenz to describe what has become the Lorenz Model is complicated but you can utilize the likes a Lorenz Butterfly Java applet or R code to express visual representations of the conclusions established above.
The goal is to visually validate that the Pathos management decision process with regard to implementing the SDL and IM policies is the primary contributor to:
1) establishing the level of dependence on initial conditions
2) the direct effect those initial conditions have on randomness in outcomes over time.
Remember that the Butterfly Effect indicates that the slightest change in initial conditions can lead to extraordinarily different outcomes over time, a characteristic of chaos as defined by Lorenz.
As a quick precursor, keep in mind that the Lorenz Butterfly Java applet used to generate visualizations (Figures 1&2) relies on the fact that a mathematical function is a relation that uniquely associates members of one set with members of another set (v) and the derivative of a function represents an infinitesimal change in the function with respect to one of its variables. (vi)
Simplifying this precursor to relate specifically back to Pathos management decisions, we can arbitrarily define possible development team responses to the SDL policy as variable X.
X=5 represents possible development team responses based on Pathos management’s lack of planning as described in Chaotic outcome. Again, without the reasoned, gradual, accommodating approach to the introduction of the SDL policy, Pathos management creates a number of possible responses from the development teams (see Figure 1).
On the other hand, X=1 will represent development team responses based on the management policy implementation decision described in Orderly outcome. Specifically, 1 is appropriate as, given the orderly, transparent, and organized management approach to implementing their SDL policy, the development teams are most likely to simply comply, resulting in little variation over time. We can simply assume that a well-conceived and planned approach to SDL policy implementation by Pathos management limited the possible responses by Pathos development teams to one of acceptance and understanding (X=1) resulting in one outcome (see Figure 2).
In Figure 1, using one of the above mentioned Java applets for the Lorenz Model I first visualized X as 5. For each of the 5 mouse clicks (executed in precisely the same position to represent initial conditions) we see all “particles following each other very closely for a while, but as time goes on the small difference between the paths of the particles increases until they are following completely non-related paths" (vii) (chaotic outcome).
Figure 2 exemplifies the results of visualization when X=1, represented by one mouse click or particle (one initial condition).
In Figure 1, with more initial conditions representing more possible responses from development or operations teams, the various unrelated outcomes soon became clearly evident. Simply, this is indicative of the fact that increased variation in initial conditions leads to the propensity for chaos.
In Figure 2, with a single input (less response from development teams), the variations over time were nonexistent. This is indicative of the fact that reducing initial conditions prevents chaotic outcomes.
Contemplate initial conditions in the context of management decisions to better control outcomes and you have clear visual evidence of why strong leadership under these circumstances matters so much for stronger information security.
It is reasonable to assume that organizations, and their leadership, would always prefer orderly outcomes as a result of their prescribed changes. Taking the additional time to plan policy and program implementation, including staff in discussions and planning, utilizing a phased awareness campaign, and allowing a clearly defined roadmap prior to implementation, will lead to successful, less chaotic outcomes.
Allowing development and operations teams to adjust their release schedules to accommodate newly required checkpoints, helps ensure that they are more likely to comply with the initiatives and achieve the intended goals.
Security management transparency and candor allow teams the opportunity to embrace new approaches and thus reduce chaos. Ultimately, the transparent approach to security management allows for more successful outcomes regardless of the initiative and scenario.
"Transparency is another critical attribute of management 2.0. If trust is the bedrock of competitive advantage, and I think it is, then transparency is the foundation for building trust." (viii)
(ii) Lorenz, E. N. ”Deterministic Nonperiodic Flow.” J. Atmos. Sci. 20, 130-141, 1963
(iii) Barrow, J.D. (1988). The world within the world. Oxford: Clarendon Press.
(iv) Briggs, J., & Peat, F.D. (1989). Turbulent mirror: An illustrated guide to chaos theory and the science of wholeness. New York: Harper & Row.
(viii) Gary Hamel, 2010 HCL Global Meet, Management 2.0 presentation