What is “Cyber Assurance”?

This is something I’m often asked about. The literal answer is simple, but not terribly helpful: it’s the process of providing assurance that an organisation’s digital assets are secure from threats.

So what is “Assurance”?

I tend to describe it thus:

Assurance is the difference between thinking you know something, and actually knowing it – without ambiguity, and with supporting evidence

— Me, often

Let’s take a small diversion to explore Assurance, and then we’ll circle back to Cyber Assurance.

Entr’acte Part 1: Ig Nobel & Supercentenarians

As I was reading my way through the 2024 Ig Nobel awards this year, I was struck by one paper in particular which has significant bearing upon assurance. The title of the paper is “Supercentenarian and remarkable age records exhibit patterns indicative of clerical errors and pension fraud”.

A centenarian is someone who lives past the age of 100 years. A supercentenarian is someone who lives past the age of 110 years. A semisupercentenarian is someone who lives past the age of 105 years.

“Proposed drivers of remarkable longevity include high vegetable intake, strong social connections, and genetic markers. Here, we reveal new predictors of remarkable longevity and ‘supercentenarian’ status. In the United States, supercentenarian status is predicted by the absence of vital registration. The state-specific introduction of birth certificates is associated with a 69-82% fall in the number of supercentenarian records. In Italy, England, and France, which have more uniform vital registration, remarkable longevity is instead predicted by poverty, low per capita incomes, shorter life expectancy, higher crime rates, worse health, higher deprivation, fewer 90+ year olds, and residence in remote, overseas, and colonial territories. In England and France, higher old-age poverty rates alone predict more than half of the regional variation in attaining a remarkable age.”

In the UK, vital registration is essentially the business of the Register Offices: “Hatchings, Matchings, and Despatchings”, more formally known as Births, Marriages, and Deaths.

People are complex. And it turns out that the easier it is to claim to be older than one really is, the more people actually do it. Quelle surprise!

A mere 18% of validated supercentenarians have a birth certificate, falling to 0% in the USA. Wow.

Supercentenarian birth dates are surprisingly concentrated on days-of-the-month divisible by five. Can you suggest why?

Entr’acte Part 2: Frequency Distribution in Random Data

When you take data that should be random, and plot frequency charts from it, made up (artificial) data often stands out because unless an actual random number generator (RNG) is used, humans tend to pick certain numbers more often: ones ending in 0 or 5, for example.

This analysis was deployed with devastating effect against results for one of the Zimbabwean elections some years ago. Taking the results from all of the different polling stations, and plotting just the last digit of each candidate’s votes from each polling station into a frequency chart showed huge spikes at 0 and 5. A set of honest election results would give a flat chart with enough data, and a nearly flat chart even with less data.

Further, plotting the last two digits into a frequency chart showed significant spikes at 00, 11, 22, 33, 44, 55, 66, 77, 88, 99. Humans are really bad at making up numbers which are supposed to be random! The election results were clearly made up, and the election was clearly corrupt. Really nifty analysis, but anyone faking election results in future will probably use an RNG. Unless they’re really stupid, that is.

So, returning to the birth dates, there are indicators that many of these are fabricated rather than real.
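The last-digit and last-two-digit frequency charts described above, and the day-of-month heaping in the birth dates, are the same check: count the trailing digits, compare the histogram against the flat distribution genuine data would give, and flag a dataset whose deviation is too large to be chance. The following is an added example, not code from the post or from the paper it discusses; the vote tallies and birth days it analyses are constructed stand-ins (a seeded generator with a deliberate human-style bias), and the critical values are the standard Pearson chi-square thresholds at p = 0.05 for 9 and 99 degrees of freedom.

```python
"""Trailing-digit frequency analysis with a Pearson chi-square test against
the flat distribution that genuinely random tallies produce.
All sample data below is constructed; none of it comes from a real election
or longevity record."""
from collections import Counter
import random

# Chi-square critical values at p = 0.05: 10 last-digit bins (df = 9) and
# 100 last-two-digit bins (df = 99).
CRITICAL_05 = {9: 16.919, 99: 123.225}


def digit_histogram(values, ndigits=1):
    """Counts of the last `ndigits` decimal digits, one bin per value 0..10**ndigits-1."""
    mod = 10 ** ndigits
    counts = Counter(abs(v) % mod for v in values)
    return [counts.get(i, 0) for i in range(mod)]


def chi_square_uniform(counts):
    """Pearson chi-square statistic of observed bin counts against a flat expectation."""
    expected = sum(counts) / len(counts)
    return sum((c - expected) ** 2 / expected for c in counts)


def analyse(values, ndigits=1):
    """Return (histogram, statistic, flagged); flagged when the deviation from
    flat exceeds the p = 0.05 critical value for that many bins."""
    counts = digit_histogram(values, ndigits)
    stat = chi_square_uniform(counts)
    return counts, stat, stat > CRITICAL_05[len(counts) - 1]


def heaping_share(days_of_month, divisor=5):
    """Fraction of day-of-month values divisible by `divisor`.
    Real birth dates give roughly 6 days in 30, i.e. about 0.2 for divisor 5."""
    return sum(1 for d in days_of_month if d % divisor == 0) / len(days_of_month)


def honest_tallies(n, rng):
    """Constructed stand-in for genuine per-station counts: uniform on 0..9999."""
    return [rng.randint(0, 9999) for _ in range(n)]


def fabricated_tallies(n, rng):
    """Constructed stand-in for made-up counts, with the human preference for
    repeated pairs (33, 77) and 'round' endings (0, 5) that the post describes."""
    out = []
    for _ in range(n):
        hundreds = rng.randint(0, 99) * 100
        roll = rng.random()
        if roll < 0.3:                                   # repeated pair, e.g. ...33
            out.append(hundreds + 11 * rng.randint(0, 9))
        elif roll < 0.7:                                 # ends in 0 or 5
            out.append(hundreds + 10 * rng.randint(0, 9) + rng.choice((0, 5)))
        else:                                            # occasionally genuinely random
            out.append(hundreds + rng.randint(0, 99))
    return out


def run_demo(seed=2024, n=2000):
    """Analyse one honest and one fabricated constructed dataset.
    Returns {(label, ndigits): (statistic, flagged)}."""
    rng = random.Random(seed)
    results = {}
    for label, data in (("honest", honest_tallies(n, rng)),
                        ("fabricated", fabricated_tallies(n, rng))):
        for nd in (1, 2):
            _, stat, flagged = analyse(data, nd)
            results[(label, nd)] = (stat, flagged)
    return results


if __name__ == "__main__":
    for (label, nd), (stat, flagged) in run_demo().items():
        print(f"{label:10s} last {nd} digit(s): chi2 = {stat:8.1f}  flagged = {flagged}")
    # Constructed birth days: a month's worth of real-looking days plus a
    # heavy surplus on multiples of five (0.6 of the sample versus ~0.2 expected).
    days = list(range(1, 31)) + [5, 10, 15, 20, 25, 30] * 5
    print(f"share of birth days divisible by 5: {heaping_share(days):.2f}")
```

Note the asymmetry the post points at: a large statistic is strong evidence of fabrication, but an honest dataset will still exceed the p = 0.05 threshold about one run in twenty, so the test is a lead for investigation rather than a verdict on its own. A fabricator who draws numbers from a real RNG leaves no trace at all in this test.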

The most interesting indicator of high numbers of centenarians is that they occur in areas with fewer 90+ year olds. Does this pass the “Smell Test”? I think not. Whilst evidence is important in providing assurance, things which feel wrong and fail the smell test are generally indicators of the opposite.

Some of these areas of high numbers of centenarians correspond to regions with low incomes, low literacy, high crime rate and short life expectancy relative to their national average. Hmmm!

This paper, as a whole, is fascinating reading with some insightful analysis. And quite long (over 80 pages). But just these snippets above tell us a lot. If we really want to know about how many people make it above 100 years of age, and to what ages they actually live, we need assurance of the birth dates of the people involved. Without assurance, to a chosen level of certainty, we cannot include individuals’ data in the assured dataset. This does not mean that the excluded ones are liars, or deliberately misleading us. There are record errors as well as undocumented births in the mix. But if we stick to just the assured data, then we have something concrete with which to work.

Back to Cyber Assurance

So when you’re told that all of the servers in a system are fully patched, that all the software is up-to-date and supported, that the firewall rules / ACLs allow only the necessary traffic and so on, how do you know this is true? Well, you need an independent ITHC (IT Health Check) – preferably carried out under one of the recognised schemes – and you need evidence that any issues found are fully addressed. It isn’t that people are necessarily trying to mislead you, but people are complex, people get stressed, people make mistakes.

“Doveryay, no proveryay” : “Trust, But Verify”

An old Russian saying, co-opted by US President Ronald Reagan in connection with nuclear arms limitation treaties. You take at face value the assertions made, but then you verify them. This is assurance.

This approach lets you test the assertions made about a system, lets you sort truth from illusion, lets you clear away the smoke & mirrors, and lets you get an assured view of the state of the system.

Of course, it’s not quite as simple as this. For real systems, one has to worry about people (clearances/vetting levels, logging & auditing, processes etc), physical security, and other elements too. But the principle is the same: check, and gather evidence; do not assume, know for sure.
