Changing the Rules to Affect the Results

Oct. 27, 2008
IT security practitioners are dealing with organizations that are trying to change the rules before the reports are submitted

It was hot as only Washington, DC, can be hot. It's not simply that the ambient temperature is 93 degrees. It's the suffocating heat combined with 90 percent humidity. In the city, the heat factor must include backed-up traffic stalled on Constitution Avenue for no apparent reason, with irate drivers adding the sound of car horns to the cacophony of dump trucks, jackhammers and idling buses full of schoolchildren visiting from the Midwest. Blend in the olfactory mix of stagnant water, diesel exhaust, and sweaty humans crowding the sidewalk, and you have a hot day that assaults all your senses.

I took a zigzag path through the stopped cars on Constitution with my sports coat hanging over my left shoulder and my 30-pound computer bag slung over my right. With relief, I finally popped into the marginally air-conditioned university center and went directly to the mailroom to perform my once-a-week check of the receptacle that erroneously identifies me as Dr. McCumber. I then took the stairs to the next floor, which hosts the tiny office I share with two other part-time faculty members. As I rounded the corner with my key in hand, I saw a student who had been in one of my classes the previous academic year standing next to the door.

"Hi, Rene. I hope you weren't waiting for me. My office hours are pretty erratic; that's why I post my cell number here," I said, pointing to the door while trying to mop the sweat from my forehead with a too-small handkerchief. "No problem, Mr. McCumber. I just got here," he replied. "Can we talk?"

"Sure," I said. "Come on in. If you want to sit down you'll need to move those books off the chair and put them on Dr. Ryan's desk."

I was wary long before he started to ask his question. His breezy greeting poorly disguised his body language. The crossed arms, tight facial expression and clenched hands meant he wanted to battle me over something. I'd taught graduate classes for more than a decade, and I knew that stance almost always meant a grading issue.

As he continued to talk his way around the main point, I mentally summoned the grade I had assigned him for his efforts during the fall semester: a B minus. Sure enough, he started quizzing me on my grading methodology and asking seemingly innocuous questions about the grades of other class members. I knew if I wanted to get to my class on time, we would have to cut to the chase. I raised my hand to interrupt his fourth question about how I grade finals.

"Rene, are you here to complain about your grade?"

He looked at his shoes. "Yeah, I guess so. I really wanted an A."

"I wanted to give you an A. But you failed to meet the criteria I outlined in the syllabus for an A grade. You earned a B minus."

"But I really need an A. Could I write you a paper? I have an interesting book on malicious code, and I could crank out a pretty good report if you'd like. Isn't there something I can do now to boost my grade?" he asked.

"No, Rene, sadly there is not. I formally submitted those grades more than four months ago. I don't change grades after the class is over. The university will only allow me to change a grade if I can show proof that I made a mistake. I didn't make a mistake. I distinctly recall being very disappointed in the quality of your project paper and your final."

I could see the light go on in Rene's head, and the words started to tumble out in a torrent of paralegal defense. "But I think you made a mistake. I don't think you fairly graded my project paper. Sure, I made a bunch of grammar and spelling errors, but you can't ding me for that in a computer class. Also, I think I read somewhere that if you deviate from the syllabus"--here he fumbled in his backpack for my syllabus--"you need to change the grading scheme. It looks like you made a mistake."

"I'm sorry you feel that way, Rene," I said, "but I use an empirical method to calculate your grade. It's there on your syllabus. I also documented our minor deviation from the syllabus, as you recall. I can forward you the e-mail. There's no mistake, and I do not negotiate grades after the course has ended. Sorry, but I have to get to class."

Unfortunately, Rene's challenge was not an isolated event. Nearly every semester, some students make an attempt to improve their grades after they see their end-of-course results. The usual plea involves either accusations of errors on my part or offers to demonstrate a mastery of the material that they hadn't displayed during the semester.

Earlier that same muggy day, I had been having lunch with the chief information security officer of a large federal agency. She and I were preparing to have salads with some members of her staff in a nice Mediterranean cafe overlooking the bustling Rosslyn Metro station. As we sipped our iced tea waiting for our lunch, we discussed the challenges of defining and managing risk in government IT systems.

She was lamenting the problems that had arisen when the most recent set of government requirements for IT security management was promulgated. It should come as no surprise that the federal government has rules for its IT security. The government has rules and regulations for everything. The problems arise with the interpretation of these rules.

The initial, and key, aspect of these government reports is determining a) what information resources the organization needs to perform its mission, b) where these assets are located, and c) what would happen if these assets became unavailable or corrupted. Even the government recognizes you don't pay thousands of dollars to protect something worth only hundreds. The problem, however, lies in what metrics people use to determine the value of the information.

For my friend's organization, this has become a rather large loophole. When the data owners realized the assessment task would shrink if the value of their information were low, they adapted the metrics to minimize the value of their organizational information. It seemed that whenever they needed to assess the risk to their information, their information resources were nearly worthless.

These same people, however, would scream bloody murder when their systems went offline because of security breaches or malicious code outbreaks that went uncontained, since the security team could not accurately assess the need for security technologies and policies when the information had been valued at nearly nothing.

As the chief information security officer, my lunch partner is responsible for compliance with these regulations and is being held accountable. But her ability to meet the spirit of the regulations is constantly hampered by many in her organization who want only to meet the letter of the law.

My lackluster student Rene wanted to change the rules used for grading after the semester ended. IT security practitioners are dealing with organizations that are trying to change the rules before the reports are submitted. In both cases, the misguided people are changing the rules to affect the outcome. Sadly, it's only a symptom of another problem. The real cause is pure, old-fashioned laziness. The student wants a good grade without the effort, and the government organization wants good IT security without the effort. So they simply try to change the rules.

John McCumber is an IT security professional and the author of Assessing and Managing Security Risk in IT Systems: A Structured Methodology, the new book from Auerbach Publications. He can be reached at [email protected].

This article was published in the March 2005 issue of ST&D magazine.
