@John - very happy to see that you’re eager to start.
Yes, it has been six days since my last posting. Actually, I felt that I had nothing more to add in this stage. I also wanted to talk to @kersing first, given his notion that my approach might alienate me from the community I want to work with. That’s a … er… risk I am not willing to take.
Well, I can at least provide an update about that conversation with @kersing. I called him a few days ago and we had a long, lively discussion about all this. Both Jac and I feel that RA is important and should be done, we also both agree that it is of crucial importance to choose the proper approach and make sure to get support from the community. We also discussed a number of possibilities, but I won’t go into detail yet, simply because I promised Jac to send him my notes of the conversation first. I would consider it rude to relay what we discussed without his nod.
Anyway - yes, you could start compiling a list. Or even lists. But not a list of risks - that’s quite impossible.
Let me explain: risk can be defined as the sum of impact of a threat working on a weakness times the probability of occurrence, in quasi-maths:
R = I(t→w) × P
Given the above definition of risk it should now be clear that you simply can’t compile a “list of risks” unless you have at least a notion of:
- weaknesses
- threats
- how to determine impact
- how to determine probability
- the scope.
Scope matters most! Selecting the wrong scope can ruin any effort to control risk.
Why is that? Well, assuming that we aren’t capable of overseeing, let alone controlling, the entire Universe, we need to limit ourselves to something we CAN oversee and control. That’s called “scope”. We might, for example, say we will limit ourselves to “the TTN network”. That at least would prevent us from having to do RA for the universe.
But perhaps even that scope is too broad to achieve meaningful results: are we really able to control the entire network? (Hence my quest for a BOG.) So, we may need to limit the scope further to, say, “the TTN backend” or “the TTN gateways”. Or maybe even further: maybe a special type of gateway? Unless we first agree on scope, we can’t even start.
“Sure I can, I’ll show you” you may exclaim. Go ahead! But I will have to be pedantic and point out that you merely ended up choosing your own scope, your own methodology of determining risk - and unless you communicate that with us, we won’t be able to help you. Hence, it is far more logical to discuss and establish scope first, then compile lists and work on a methodology, then determine the list of risks, then see if we can find controls for them. If we simply barge in and compile a belly-based list of “risks” that would result in chaos. Being an anarchist makes me dislike chaos most, so I won’t help you there.
If you choose the wrong scope you may end up with a list of weaknesses that aren’t even under our control. Please note the subtle but important difference between weakness and threat: you cannot ever control threats, you merely can - often - control weaknesses.
So, what CAN we do then?
- determine scope (preferably something in “our” control)
- determine assets that are ‘in scope’ from there
- compile a list of threats
- compile a list of vulnerabilities of our assets
- figure out a methodology to weigh risk
- and THEN we may create a meaningful list of our assets and risk…
I’m sorry, folks, but you can’t go to the moon just by wishing you were there.
But - good news! - we don’t have to start from scratch at all. A list of threats can be compiled easily, there are plenty of such lists available on-line and in various appendices of various standards and papers. You’ll find things like “storms”, “floods”, “fire”, “human error”, “illness”, “terrorist attacks” etc. on them.
Risk analysis methodologies are also broadly available and I’m very willing and able to suggest a methodology that I think can be used by a volunteer community.
So, if we want to set up a list - a list of vulnerabilities might be a good start, and actually that’s often done in my world. You may, if you like, delve into NIST SP800-30 to get a notion of the various approaches used (and it’s a free download; standards need to be purchased, alas).
But first - I’m sorry, but such is life - we need to establish scope.
Do I still make any sense to y’all folks?
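As an added illustration that is not part of the original post or the thread, here is a small Python risk register that follows the order argued above: fix the scope first, keep only the assets that fall inside it, then pair threats with the weaknesses they can act on and score each pair as R = I(t→w) × P. Every asset, weakness, threat, probability and the 1..5 impact scale below is constructed for the example and is not an assessment of TTN or of any real gateway or backend. Weaknesses whose asset sits outside the chosen scope are reported separately rather than scored, because they are not ours to control at that scope.

```python
from dataclasses import dataclass

# --- Constructed sample data (assumed values, not a real assessment) -------

@dataclass(frozen=True)
class Asset:
    name: str
    component: str          # "gateway", "backend", "end-device", ...

@dataclass(frozen=True)
class Weakness:
    asset: str              # Asset.name this weakness belongs to
    kind: str               # label a threat can match on
    description: str

@dataclass(frozen=True)
class Threat:
    name: str
    acts_on: str            # Weakness.kind this threat can exploit
    probability: float      # assumed likelihood of occurrence per year, 0..1

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    weakness: str
    impact: int             # 1 (negligible) .. 5 (severe), assumed scale
    probability: float
    score: float            # R = I(t->w) * P


ASSETS = [
    Asset("gw-rooftop-01", "gateway"),
    Asset("gw-lab-02", "gateway"),
    Asset("network-server", "backend"),
    Asset("sensor-node-7", "end-device"),
]

WEAKNESSES = [
    Weakness("gw-rooftop-01", "outdoor-exposure", "mounted outdoors, no lightning protection"),
    Weakness("gw-rooftop-01", "unattended-config", "default admin credentials never changed"),
    Weakness("gw-lab-02", "unattended-config", "firmware not updated since install"),
    Weakness("network-server", "single-operator", "only one volunteer knows the deployment"),
    Weakness("sensor-node-7", "outdoor-exposure", "battery housing not weather-sealed"),
]

THREATS = [
    Threat("storm", "outdoor-exposure", 0.30),
    Threat("opportunistic intruder", "unattended-config", 0.50),
    Threat("volunteer illness", "single-operator", 0.20),
]

# Impact of a threat working on a weakness of an asset. A deliberately simple
# lookup keyed on the component, standing in for a real impact methodology;
# the numbers are assumed for this example only.
IMPACT_BY_COMPONENT = {"gateway": 3, "backend": 5, "end-device": 1}


def impact(asset: Asset, threat: Threat, weakness: Weakness) -> int:
    """I(t->w) for one asset; here it depends on the component alone."""
    return IMPACT_BY_COMPONENT[asset.component]


def build_register(scope, assets, weaknesses, threats):
    """Return (risks ranked by score, weaknesses skipped as out of scope).

    scope is a set of component names that we consider under our control.
    """
    assets_by_name = {a.name: a for a in assets}
    in_scope = {a.name for a in assets if a.component in scope}
    register, out_of_scope = [], []
    for w in weaknesses:
        if w.asset not in in_scope:
            out_of_scope.append(w)      # not ours to control at this scope
            continue
        a = assets_by_name[w.asset]
        for t in threats:
            if t.acts_on != w.kind:
                continue                # this threat cannot act on this weakness
            i = impact(a, t, w)
            register.append(Risk(a.name, t.name, w.description,
                                 i, t.probability, i * t.probability))
    register.sort(key=lambda r: r.score, reverse=True)
    return register, out_of_scope


if __name__ == "__main__":
    ranked, skipped = build_register({"gateway"}, ASSETS, WEAKNESSES, THREATS)
    for r in ranked:
        print(f"{r.score:4.2f}  {r.asset:15} {r.threat:23} {r.weakness}")
    print("out of scope:", [w.description for w in skipped])
```

Widening the scope to `{"gateway", "backend"}` pulls the network-server weakness into the register; narrowing it leaves that weakness in the out-of-scope list, which is exactly the effect of the scope decision the post insists on making first.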