How can you Measure how Secret a Secret is?
by Vicente Aceituno Canal
When a few people know something and want to keep others from learning it, that is a secret. Everyone has secrets: some small, like eating a bar of chocolate while on a diet, some personally important, like an embarrassing personal or professional mistake in the past. There are as many types of secrets as there are people and organisations that keep them, among them:
• Personal and family secrets, normally related to the morals and taboos of the culture in which people live.
• Business secrets, like financial information, strategy and trade secrets.
• Law enforcement secrets, like forensic methods, investigation information and details about ongoing investigations.
• Crime secrets, like insider trading, organised crime and gangs.
• Political secrets (most nations have some form of Official Secrets Act and classify material according to the level of protection needed), like:
o Weapon designs and technology (nuclear, cryptographic, stealth).
o Military plans.
o Diplomatic negotiation positions.
o Intelligence information, sources and methods.
o International relations and secret treaties, like:
  • Molotov-Ribbentrop pact.
  • Cuba crisis agreement.
  • Dover treaty.
  • Quadripartite agreement.
  • Sykes-Picot agreement.
• Social secrets, like those of certain religions or of secret societies such as Freemasonry.
• Professional secrets, like those kept by health workers, social workers and journalists.
• Other, like video tape rental and sale records in the USA.
While we all have an intuitive way to distinguish small secrets from big ones, so far there has been no way to measure secrecy.
It can be measured with the following formula:
S = Log( C * (Sum Tdk / Sum Tk) ) = Log C + Log( Sum Tdk / Sum Tk )
where C is the quantity of information, Tk is the time each person who knows the secret has known it (summed over everyone who knows it), and Tdk is the time each interested person has wanted to know it (summed over everyone interested).
With C = 1, we can look at some examples:
Who did “Famous for Nothing” go away with for a dirty weekend last summer? If two people have known since the 1st of August, 48 more since the 1st of September, and 100,000 couch potatoes would like to know and find out after five months, then just before the revelation the secrecy is:
S = Log( (100,000 * 5) / (2 * 5 + 48 * 4) ) = 3.39
If only 8 people had found out in September, the secret would be S = 4.04.
Who killed Kennedy? Let's suppose two people have known since 1963, and 300 million Americans would like to know. After 42 years:
S = Log( (300 million * 42) / (2 * 42) ) = 8.1
Who was Deep Throat? Just before it was found out, 4 people knew and 300 million were interested. After 33 years:
S = Log( (300 million * 33) / (4 * 33) ) = 7.8
What if 2 more people had found out after 30 years?
S = Log( (300 million * 33) / (4 * 33 + 2 * 30) ) = 6.7
At a business, a secret may be important for a few years, and all your competitors would be eager to know it. If 10 people in the company have known it for a year, and 150 people from other companies would like to know:
S = Log( (150 * 1) / (10 * 1) ) = 1.17
If after two years the market is more competitive and more people (1500) are interested:
S = Log( (1500 * 1) / (10 * 1) ) = 2.17
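The formula and the worked examples above, as an added Python example (not code from the article): the function takes groups of (people, time) for those who know and for those who want to know, returns infinity for a mystery that nobody knows, and the example functions reproduce the gossip, Kennedy and trade-secret cases; it also shows that when everyone has known or wanted the secret for the same time, the durations cancel and S depends only on the ratio of people. Function names are my own.

```python
"""Secrecy measure S = log10(C * sum(Tdk) / sum(Tk)) from the article.

Added example, not part of the original article. Assumes C = 1 unless given
and that all times within one call use the same unit (months or years).
"""
import math
from typing import Iterable, Tuple

# A group is (number_of_people, time_in_periods). A secret may have several
# groups of knowers, e.g. 2 people since August and 48 since September.
Group = Tuple[int, float]


def person_time(groups: Iterable[Group]) -> float:
    """Sum of person-time over the groups: sum(count * time)."""
    return sum(count * time for count, time in groups)


def secrecy(knowers: Iterable[Group], interested: Iterable[Group], c: float = 1.0) -> float:
    """S = log10(C) + log10(sum Tdk / sum Tk).

    Returns math.inf for a mystery (nobody knows it, so sum Tk == 0),
    which the article describes as S = infinite.
    """
    known = person_time(knowers)
    wanted = person_time(interested)
    if c <= 0 or wanted <= 0:
        raise ValueError("C and total interested person-time must be positive")
    if known == 0:
        return math.inf
    return math.log10(c) + math.log10(wanted / known)


def famous_for_nothing(september_learners: int = 48) -> float:
    """Gossip example: 2 people know for 5 months, some more for 4 months,
    100,000 viewers have wanted to know for 5 months (times in months)."""
    return secrecy(knowers=[(2, 5), (september_learners, 4)], interested=[(100_000, 5)])


def kennedy(years: int = 42) -> float:
    """Two people know since 1963, 300 million Americans want to know.
    Because both sides share the same duration, `years` cancels out."""
    return secrecy(knowers=[(2, years)], interested=[(300_000_000, years)])


def trade_secret(competitors: int) -> float:
    """10 insiders know for one year; `competitors` outsiders want to know."""
    return secrecy(knowers=[(10, 1)], interested=[(competitors, 1)])


if __name__ == "__main__":
    print(f"gossip, 48 learn in September: {famous_for_nothing():.2f}")
    print(f"Kennedy after 42 years:        {kennedy():.2f}")
    print(f"trade secret, 150 competitors: {trade_secret(150):.2f}")
    print(f"mystery (nobody knows):        {secrecy([], [(1, 1)])}")
```

Multiplying the interested population by ten raises S by exactly one, which is why the trade-secret case moves from 1.17 to 2.17.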
For the sake of example, I will use the following groups for measuring secrets:
• Family 10
• Social environment 100
• High school 300
• Competition 300
• Gang 50
• Police 100000
• Army 1000000
• Population 30000000
• Foreign Armies 15000000
Applying the formula, the following approximate values can serve as examples of measured secrets:
• A social secret, like the confidence of a friend or an alibi about where you slept, 0.70
• Secret signs and telling signs of a gang, 0.95
• Hiding a mistake, like breaking something, 1.00
• Keeping the privacy of others, like a confession or the social situation of someone, 1.00
• Keeping the privacy of an average person, like a list of video rentals or records of library use, 1.04
• Cheating on your wife/husband, 1.44
• Secrets of Freemasonry, Scientology or Mithraism, 1.48
• A regular trade secret, 2.18
• A mistake or wrongdoing of a politician, 2.40
• Mafia, Yakuza or insider trading, 3.30
• Keeping the privacy of a politician, like a list of video rentals or records of library use, 3.48
• Identity of a witness in a criminal case, 5.70
• A journalistic source, 5.78
• The Coca-Cola formula, 6
• Corruption, misuse of public funds, 7.57
• Nuclear weapons, cryptography, 8.00
• Osama Bin Laden's location, 8.50
Mysteries, secrets known by no one, like those uncovered by Champollion when he deciphered Egyptian hieroglyphics, have S = infinite, since Sum Tk is zero.
Ignorance of the existence of a secret makes it less secret, since fewer people are interested in learning it, and the effort of keeping it secret is lower as well. Unfortunately it is very difficult to estimate the number of people interested in a secret, so the accuracy of a secrecy measurement will not normally be very high. This way of measuring secrets can lead to some interesting exercises, like adding a factor to the formula for how intense the interest in learning the secret is, or analysing the diffusion of a secret in a group depending on the likelihood of each member revealing it.
Measuring secrecy can help us understand how secret the information we handle is and what kind of effort is needed to keep it secret. A clear understanding of the reasons for keeping the secrecy, and of the influence of time, interest and the group of people who know the secret, gives insight into how to manage secrets properly. Two conclusions can easily be drawn from the formula. Firstly, preventing others from knowing that the secret exists makes it easier to keep; secondly, keeping the group of people who know the secret as small as possible prevents leaks more effectively than any technical measure.
A clear understanding of the types of secrets in an organisation, how secret they seem to be, the impact of their revelation and a measure of their secrecy is the first step towards cost-effective and efficient classification and protection of secrets.