If you want something else to toss into the pot for evaluating the security posture of systems, check out NIST SP800-30. The methodology described closely matches Noid's system, and is one of the bases on which I model my assessments.
Can you mathematically model infosec?
-
Thanks for the link... hours of happy reading. I tend to use a methodology based on a stripped down version of 7799 as many clients (wrongly IMO) see the full process as beyond their requirements and/or pockets.
Originally posted by AlxRogan:
If you want something else to toss into the pot for evaluating the security posture of systems, check out NIST SP800-30. The methodology described closely matches Noid's system, and is one of the bases on which I model my assessments.

"Don't call me Mr Average," he said, "I'm at the very top of the bell curve."
-
Can do. Although I want to refine it a little first and work on some of the inter-relationships.
Originally posted by noid:
I'd be curious to see some of your modeling results, care to post?
-
You can mathematically model anything, including infosec.
The strategy for building models from decision matrices and cost/benefits assessments is very low tech though. Look into actuarial algorithms, for example. Your calculated risk is a function of defined assets, their value to *others* and the vulnerabilities those assets are exposed to during the life of the operation (even if the entity is an NFP) etc. The reason I say "value to others" is that it's not uncommon for the uninitiated to ignore the value of, say, an open relay on their mail server to an illicit spammer. They might care if they experience a loss of email service if the server crashes; so they'll protect themselves with a disaster recovery plan, but never think about whether they might suffer a loss of email service because the presence of an open relay on their mail server causes them to get blackholed...
The biggest challenge in infosec is "educating the stakeholders". There are painfully stupid people in positions of power and authority. You can't just ignore their stupidity and ignorance, they have to sign the authorization to pay you to fix their mess. The only option is to educate and that means a battle of politics, ego and all kinds of other socio-economic factors that turn the mind towards ultra-violence.
Anyway, actuarial algorithms would provide appropriate maths for modeling infosec. The process of defining the factors, however, could turn out to be an extremely subjective exercise. There's a point at which the cost of decomposition of a system exceeds any possible value that can be derived from the exercise. That's when you'll want to have some skill and experience in your back pocket, oh, and some common sense. I'll be looking forward to hearing more about your research.

That's my story and I'm sticking to it.
-
7d5, I also would be interested in the results of your research. As I mulled over this whole thread the past several days a couple of questions came to mind:

Originally posted by 7d5:
Can do. Although I want to refine it a little first and work on some of the inter-relationships.
Can your Infosec/CompSec list of related risk variables be genericized to apply across many LOBs, or if one were to employ your model, would it require one to define their own list?
How do you intend to model the values for changes that impact the "stable system state" (from your later post you mentioned changing one or more variables to determine risk/mitigating control effectiveness)? Have you decided to define a weight table to quantify it, or will you use qualifiable values?
Have you collected any historical impact data to incorporate into your "likelihood" (aka ALE) variable? My experience has been that many companies do not keep historical data regarding security incidents, thus do not have base data from which to derive realistic ALEs. /me ponders how to compensate for this.
Thanks for a great thread!
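As an added worked example (not code from this thread or from 7d5's model), here is a small Python sketch of the actuarial approach described two posts up and the "likelihood"/ALE question just asked: each loss scenario is costed as ALE = SLE x ARO, the ARO is smoothed against an assumed prior so that a site with no incident history still gets a usable likelihood, and a mitigating control is judged by the ALE it removes against what it costs. The asset value, incident counts and prior rates are constructed sample values, not figures from the thread.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # what losing the asset costs its owner (constructed currency units)

@dataclass(frozen=True)
class Scenario:
    name: str
    asset: Asset
    exposure_factor: float  # fraction of asset value lost per incident, 0..1
    aro: float              # annualised rate of occurrence, incidents per year

def sle(s: Scenario) -> float:
    """Single loss expectancy: cost of one occurrence of the scenario."""
    return s.asset.value * s.exposure_factor

def ale(s: Scenario) -> float:
    """Annualised loss expectancy: expected loss per year from the scenario."""
    return sle(s) * s.aro

def estimate_aro(incidents: int, years_observed: float, prior_rate: float,
                 prior_weight_years: float = 2.0) -> float:
    """Blend an observed incident count with an assumed prior rate (Laplace-style
    smoothing), so a site that kept no incident history gets the prior rather
    than a misleading ARO of zero; as observed years grow, the data dominates."""
    return (incidents + prior_rate * prior_weight_years) / (years_observed + prior_weight_years)

def control_benefit(s: Scenario, annual_control_cost: float, aro_after: float) -> float:
    """Net annual benefit of a control that lowers the scenario's ARO to aro_after;
    positive means the control pays for itself."""
    return ale(s) - ale(replace(s, aro=aro_after)) - annual_control_cost

def ranked(scenarios):
    # Scenarios ordered by ALE, highest first: the list to put in front of the budget holder.
    return sorted(scenarios, key=ale, reverse=True)

# Constructed sample input: one mail server, two ways to lose mail service.
MAIL = Asset("mail server", value=60_000.0)
# Hardware crash: outage records exist, 2 crashes in 5 years.
CRASH = Scenario("server crash", MAIL, exposure_factor=0.25,
                 aro=estimate_aro(incidents=2, years_observed=5, prior_rate=0.4))
# Open relay abused and the server blackholed: no history kept, so only the
# assumed prior (1 incident/year for an unauthenticated relay) informs the ARO.
RELAY = Scenario("open relay abused, mail blackholed", MAIL, exposure_factor=0.5,
                 aro=estimate_aro(incidents=0, years_observed=3, prior_rate=1.0))

if __name__ == "__main__":
    for s in ranked([CRASH, RELAY]):
        print(f"{s.name:38s} SLE={sle(s):>8,.0f} ARO={s.aro:.2f} ALE={ale(s):>8,.0f}")
```

With these numbers the relay scenario the owner never recorded outranks the crash they did, which is the "value to others" blind spot the thread describes.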
-
Oh! I did not wish to seem presumptuous, but since AlxRogan gave you a link, I humbly submit one as well.

Originally posted by 7d5:
Can do. Although I want to refine it a little first and work on some of the inter-relationships.
http://www.nr.no/~abie/RiskAnalysis.htm
Lots of tasty links there for the risk assessor. :-)
Much success in your research!