
Jan 17, 2024

Towards Sustainable Cyber Admittance

Navigating the Currents of Cyber Admittance: From Heaviside's Legacy to Sustainable Information Security

From the desk of Mike Wilkes

Always in search of new analogies and metaphors, I was doing some research on bioacoustics and vortex-based acoustic tweezers and I came across a lovely word that looks familiar, but which carries a deeper meaning upon further inspection: admittance. It is, in electrical engineering terminology, the reciprocal of impedance in a circuit. Impedance is the effective opposition to current, and so admittance is the ease with which a circuit will allow current to flow. This got me thinking about what might be the nature of cyber impedance in an organization and its logical reciprocal: cyber admittance. The best analogies walk a fine line, as they must present something sufficiently familiar while at the same time representing something dissimilar. If the analogy is too similar, it explains nothing and is merely a repetition, the “department of redundancy department.” And if the analogy is too dissimilar, then it fails to bring the new concept or perspective into one's understanding. Encouraging cyber admittance in an organization feels like a good analogy with well-designed and well-functioning electronic circuits.


How do we support the flow of a security mindset, security awareness, threat intelligence sharing and best practices within the domain of our business, our respective industries and our economy? Add to this the idea that we cannot simply have a “one and done” approach to cyber admittance and we arrive at the phrase sustainable cyber admittance. What are the structures of organizations and inter-organizational pathways and communications that foster the healthy flow of information security?


Meet the inventor of the term admittance, Mr. Oliver Heaviside. He coined the term admittance in December 1887. He was, by most accounts, a difficult man who lived most of his life fighting against the scientific community as a self-taught mathematician and physicist. His work, however, significantly shaped the development of telecommunications, mathematics, and science. He patented the coaxial cable in England in 1880 for example. The word “underappreciated” definitely comes to mind after reading about his contributions and accomplishments. If admittance is measured in siemens, then it seems appropriate to suggest that we might measure cyber admittance in heavies. The more “heavies” in your organization the better.


Managing Risk


Information security has three pillars: confidentiality, integrity and availability. The term cyber security deals mainly with the vast network of connected devices and systems that make up our critical infrastructure and digital society. At the end of the day, cyber attacks are events that focus on disrupting one or more of those three pillars. Risk management, therefore, must concern itself with cyber security attacks. Events of the last few years such as the Colonial Pipeline ransomware attack, the SolarWinds supply chain attack and many others have definitely moved cybersecurity discussions from the back room to the board room. To keep bad things from happening, we must strive to build robust and resilient systems: trustworthy systems that can withstand the attacks and attempted disruptions that bad actors try to carry out. To put the point even more clearly, we must embrace failure in order to survive the challenges that face our organizations with regard to information security and cybersecurity. Like a muscle, we must exercise our resilience and incident response so that it does not atrophy. With this in mind, let’s explore the concept of sustainable cyber admittance and see what nuggets of truth and inspiration we can discern.


Perceived vs Actual Risk

I recall hearing Alex Stamos speak at an IBM cyber security conference in New York back in 2019 where he referred to a pyramid of risk. At the top of the pyramid you have zero-day vulnerabilities and other “shiny things” that are sexy risks with lots of attention and trade magazine coverage. These are not-so-likely to occur and yet garner a lot of attention. At the bottom of the pyramid you have all of the mundane and boring risks that we, as an industry, seem to have markedly less zeal and discipline to address, like OS patching, egress firewall rules, DNS configurations and security headers like HSTS, which tells browsers to reach the site only over https. He pointed out that there are no extra points for difficulty in addressing risk. This is not an olympic diving competition where the judges score your effort based on the complexity of the dive. Given that information security is a risk management activity at heart, there are tradeoffs for cost and coverage of various kinds of risks. Unfortunately we, as humans, are notably bad at gauging actual risk. Bruce Schneier has a delightful and prescient TEDx talk entitled “The Security Mirage” from 2010 that explores some of the reasons why we prefer to feel secure over actually being secure. Risk perception bias is a real thing, and to focus on cyber admittance we need to dismantle that bias as much as possible.



Take zombies, aliens and heart attacks for example. Why do we (collectively) fear zombies so much? Or aliens? The perceived risk of these two (as evidenced by Google searches, TV shows and movies) is orders of magnitude higher than heart attacks. Yet the real risk of death by zombie or alien abduction is negligible compared with death by heart attack. Similarly then we must work on identifying and addressing actual cybersecurity risks over perceived risks. You score more heavies when you have a culture and mindset to challenge risk perception bias and can avoid chasing after the shiny new vulnerabilities, many of which will never result in a breach or compromise. For a more detailed inspection of prioritization of risk, see an earlier piece I wrote entitled “The role experience plays in risk mitigation.”


A Quantum of Admittance

Electrons pass along circuits on semiconductor chips. We can quantify the precise number of electrons transiting a circuit as we build chips with ever smaller, more densely packed transistors. Moore’s law is an observation that the number of transistors in an integrated circuit doubles about every two years. So much of our modern digital life is predicated on this concept of chips getting smaller and more powerful. My Apple watch contains more compute and capabilities than the entire moon landing operation. But eventually we’ll be looking at a single electron traveling down a single circuit path and we won’t be able to make things any smaller. We can quantify our compute in gigaflops and teraflops and we can accurately measure the terabytes and petabytes of storage that our applications and APIs require, but how can we quantify admittance?


What is a quantum of admittance? The equivalent of the electron or the atom for information security? That thing which is the fundamental building block of cybersecurity flow in the circuits that represent our business interactions with our service providers, partners and third-party vendors? It’s all well and good to muse about cyber admittance and to laud those organizations which score well with their heavies. But how do you know when you have one heavy? Or 100 heavies? Drawing upon our analogy of electronics and electrical engineering, we might begin to quantify cyber admittance with breach disclosures. A healthy circuit does not impede the flow of electrons from one component or system to another. In the cyber admittance space, that could be the sharing of an IOC or TTP with an ISAC, a regulator or law enforcement.


STIX and TAXII are the OASIS industry standards for sharing threat intelligence in a structured manner: STIX is the format in which indicators, TTPs and relationships are described, and TAXII is the protocol over which STIX content is published and pulled. One of the beautiful things about information is that it is not a finite resource like electrons or gold or petroleum. There is no future date that we might call “peak information demand” as we can predict for peak oil. The value of information and threat intelligence is increased dramatically by the degree to which it is replicated, shared and transmitted widely. The SEC rule requiring disclosure of a material cybersecurity incident within four business days of the materiality determination is increasing the cyber admittance for around 12,000 regulated and publicly-traded companies. The ease with which a company can identify, qualify and then disclose a breach incident is improving our collective cyber admittance. Unlike energy under the first law of thermodynamics, which cannot be created or destroyed, information can be created and it can be destroyed.
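As an added illustration of what a single shared quantum looks like on the wire, and not code from this post or from the OASIS project, the following Python builds one STIX 2.1 Indicator for an IP-based IOC, wraps it in a Bundle, checks the fields the spec requires, and evaluates the indicator's pattern against a few observed connection records. It uses only the standard library; the IP addresses, the firewall records and the incident name are constructed sample data (RFC 5737 documentation ranges), and the pattern matcher handles only a single comparison expression, which is the common case for an atomic IOC. In practice you would build these objects with the `stix2` library and push the bundle to a TAXII 2.1 collection run by your ISAC.

```python
"""Build, validate and evaluate a minimal STIX 2.1 indicator bundle.

Added example for this post, not the post's own code or the OASIS
reference implementation. Standard library only; all data is constructed.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Properties the STIX 2.1 spec requires on every Indicator object.
_REQUIRED = {"type", "spec_version", "id", "created", "modified",
             "pattern", "pattern_type", "valid_from"}
# A single STIX comparison expression, e.g. [ipv4-addr:value = '198.51.100.7']
_PATTERN_RE = re.compile(r"^\[\s*([a-z0-9-]+):([a-z0-9_.]+)\s*=\s*'([^']*)'\s*\]$")


def _now() -> str:
    # STIX timestamps are UTC, RFC 3339, millisecond precision, 'Z' suffix.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_indicator(object_type: str, prop: str, value: str, name: str,
                   indicator_types=None) -> dict:
    """Return a STIX 2.1 Indicator whose pattern matches one observable value."""
    ts = _now()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": indicator_types or ["malicious-activity"],
        "pattern": f"[{object_type}:{prop} = '{value}']",
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_bundle(*objects: dict) -> dict:
    """Wrap objects in a STIX 2.1 Bundle (bundles carry no spec_version)."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": list(objects)}


def validate_indicator(obj: dict) -> list:
    """Return a list of problems; an empty list means the indicator is well-formed."""
    problems = [f"missing {k}" for k in sorted(_REQUIRED - set(obj))]
    if obj.get("type") != "indicator":
        problems.append("type must be 'indicator'")
    if not str(obj.get("id", "")).startswith("indicator--"):
        problems.append("id must start with 'indicator--'")
    if obj.get("pattern_type") == "stix" and not _PATTERN_RE.match(obj.get("pattern", "")):
        problems.append("pattern is not a single STIX comparison expression")
    return problems


def match_pattern(pattern: str, observations: list) -> list:
    """Evaluate a single-comparison STIX pattern against observed data.

    Each observation is a dict such as
    {"type": "ipv4-addr", "value": "198.51.100.7", "src": "fw-01"}.
    Returns the observations the pattern hits; the object type must match,
    so the same string seen as a domain-name does not count.
    """
    m = _PATTERN_RE.match(pattern)
    if not m:
        raise ValueError(f"unsupported pattern: {pattern}")
    obj_type, prop, value = m.groups()
    return [o for o in observations
            if o.get("type") == obj_type and str(o.get(prop)) == value]


# Constructed sample data: the IOC an ISAC member might share, and a few
# records from a fictional egress firewall and DNS log.
SHARED_IOC = make_indicator("ipv4-addr", "value", "198.51.100.7",
                            "C2 beacon destination from a sample incident")
OBSERVED = [
    {"type": "ipv4-addr", "value": "203.0.113.10", "src": "fw-01"},
    {"type": "ipv4-addr", "value": "198.51.100.7", "src": "fw-01"},
    {"type": "domain-name", "value": "198.51.100.7", "src": "dns-01"},
]


def hits_for_shared_ioc() -> list:
    """Observations that the shared IOC's pattern matches."""
    return match_pattern(SHARED_IOC["pattern"], OBSERVED)


if __name__ == "__main__":
    print(json.dumps(make_bundle(SHARED_IOC), indent=2))
    print("validation:", validate_indicator(SHARED_IOC) or "ok")
    print("hits:", hits_for_shared_ioc())
```

The validation step is the point: a bundle that fails on arrival because a required field is missing or the pattern is malformed is a quantum that never flows. Note that the matcher deliberately refuses patterns it cannot parse rather than silently returning no hits.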


Push and Pull

Lastly, there is a useful element of this analogy of admittance for cybersecurity that pertains to push and pull. Sustainable cyber admittance speaks to the idea that information should be flowing without resistance or friction within an organization. An imbalance can occur in the system if information is withheld or does not circulate in a healthy manner throughout the corpus of an organization. Messaging and collaboration tools like email and intranets, Slack and Teams are the lines of transmission. But remember that our digital world is a system of such systems. The flow of information and cybersecurity awareness between organizations matters as well. Cyber admittance quantification needs to occur on the macro level and not just on the micro level.


When a quantum of admittance is pulled, however, the effect is not the same as when a quantum of admittance is pushed. Breach events have been happening more often lately, but more often than not they were not disclosed internally or externally. New cybersecurity regulations are pulling more quanta of disclosures with the intent of providing investors and the market with a better view of cybersecurity risk. More risk quantification can occur, and analysis of risk appetite is made possible, by pulling the data. But this is an extrinsic motivation for the flow of information. The regulatory agencies are enacting rules and standards to create this flow. What if, however, we could find ourselves pushing admittance for intrinsic reasons? It seems fairly clear that a healthy and sustainable cyber admittance is not legislated.

