Figuring out how vulnerable your software is to malicious attack has got to be right up there on the ‘hard to measure stuff’ league table. Why? Because anyone who knows how to hack your software probably isn’t going to tell you that they can. The most valuable exploits are the ones that no one knows about. The key to this dilemma lies with ‘observable consequences’.
For several months in 2016 a media and legal battle raged between the FBI and Apple over unlocking the iPhone 5c of the San Bernardino shooter. The FBI demanded that Apple decrypt the iPhone; Apple refused. Eventually the impasse was resolved when the FBI paid $1.3 million to a private company for a hack that could decrypt the contents of the phone.
So what does this tell Apple about the security of their iOS operating system? Ivan Krstić, head of Apple’s security engineering and architecture, had this to say…
As probably most of you know, there is a black market for software vulnerabilities, and once in a while some of the prices on the black market become known. Usually these prices are tens of thousands of dollars, sometimes $100,000. Take that with a grain of salt, but it’s a fascinating number to think about. What you’re seeing now is the result of a decade of our best work in protecting our users.
So Apple are using the free-market price as an indirect measure, or ‘observable consequence’, of their software security. It sounds like they are pretty happy that a ‘zero day’ exploit of iOS cost the FBI $1.3m.
Interestingly, this approach works for Apple because they do not offer a bounty for software vulnerabilities. Google, Facebook and Microsoft take an alternative approach and offer cash rewards for vulnerabilities. Although these companies will get some indication from the volume of vulnerabilities offered to them, it may be hard for them to tell whether a dip in bounty payments is due to better security or to their offering ‘below market rate’ for exploits, so they only get part of the picture.
Observable consequences, like the market price of vulnerabilities, are the ‘hidden gems’ of the KPI world. They are often simple to gather, are leading indicators and can be brilliantly insightful. Observable Consequence KPIs naturally spring from a well-designed KPI Tree. Choose the right KPIs based on observable consequences and you have an almost unfair advantage over your competitors. Perhaps it’s time to start thinking about how observable consequences could help your organisation?