<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Rethinking Risk</title>
	<atom:link href="http://emergentchaos.com/archives/2009/01/rethinking-risk.html/feed" rel="self" type="application/rss+xml" />
	<link>http://emergentchaos.com/archives/2009/01/rethinking-risk.html</link>
	<description>The Emergent Chaos Jazz Combo</description>
	<lastBuildDate>Wed, 01 Feb 2012 19:20:40 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>By: Iang (We may have risk, but _banking is risk_)</title>
		<link>http://emergentchaos.com/archives/2009/01/rethinking-risk.html/comment-page-1#comment-5430</link>
		<dc:creator>Iang (We may have risk, but _banking is risk_)</dc:creator>
		<pubDate>Sat, 24 Jan 2009 18:38:31 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=3021#comment-5430</guid>
		<description>The banking comment seems to have caught a few by surprise so I have clarified it on the blog, click on &quot;We may have risk, but _banking is risk_&quot;.
&gt; I think that there is more than a semantic difference
&gt; between information security and risk management....
&gt; I’m not quite ready to attend risk management’s funeral.
Right.  There are semantic issues here, and there are differences and directions.  In between all the complexity, people try and draw a line between what is true and what is not.  Perhaps to sell a product, perhaps to float a theory.
That&#039;s what that post was about;  trying to knock out some of the popular claims in the security field.  We know it isn&#039;t working, and now the hard work begins.  Why isn&#039;t it working, and what to do next?
</description>
		<content:encoded><![CDATA[<p>The banking comment seems to have caught a few by surprise so I have clarified it on the blog, click on &#8220;We may have risk, but _banking is risk_&#8221;.<br />
> I think that there is more than a semantic difference<br />
> between information security and risk management&#8230;.<br />
> I’m not quite ready to attend risk management’s funeral.<br />
Right.  There are semantic issues here, and there are differences and directions.  In between all the complexity, people try and draw a line between what is true and what is not.  Perhaps to sell a product, perhaps to float a theory.<br />
That&#8217;s what that post was about;  trying to knock out some of the popular claims in the security field.  We know it isn&#8217;t working, and now the hard work begins.  Why isn&#8217;t it working, and what to do next?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Don Sweezy</title>
		<link>http://emergentchaos.com/archives/2009/01/rethinking-risk.html/comment-page-1#comment-5429</link>
		<dc:creator>Don Sweezy</dc:creator>
		<pubDate>Thu, 22 Jan 2009 19:09:54 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=3021#comment-5429</guid>
		<description>Risk management as the basis for information security planning is alive and well in healthcare (required by HIPAA) and for federal systems (required by FISMA). More importantly, though, it can solve one of our oldest problems: lack of resources in the trenches.
We have established a formal process to report unmitigated risk back to the resource manager (the &quot;business owner&quot; of the app). That manager must then either accept the risk (accredit the system as it stands), or provide the resources to fix it. They hate &quot;accepting risk&quot; even more than they hate to spend money, so this process has produced significant results.
</description>
		<content:encoded><![CDATA[<p>Risk management as the basis for information security planning is alive and well in healthcare (required by HIPAA) and for federal systems (required by FISMA). More importantly, though, it can solve one of our oldest problems: lack of resources in the trenches.<br />
We have established a formal process to report unmitigated risk back to the resource manager (the &#8220;business owner&#8221; of the app). That manager must then either accept the risk (accredit the system as it stands), or provide the resources to fix it. They hate &#8220;accepting risk&#8221; even more than they hate to spend money, so this process has produced significant results.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Mr Chips</title>
		<link>http://emergentchaos.com/archives/2009/01/rethinking-risk.html/comment-page-1#comment-5428</link>
		<dc:creator>Mr Chips</dc:creator>
		<pubDate>Thu, 22 Jan 2009 18:08:52 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=3021#comment-5428</guid>
		<description>@ Dean
Have you seen the OBASHI methodology on Wikipedia?
Its foundations are in management of risk in Oil &amp; Gas, where complexity has to be documented, understood and communicated otherwise things blow up.
</description>
		<content:encoded><![CDATA[<p>@ Dean<br />
Have you seen the OBASHI methodology on Wikipedia?<br />
Its foundations are in management of risk in Oil &#038; Gas, where complexity has to be documented, understood and communicated otherwise things blow up.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Graydon McKee</title>
		<link>http://emergentchaos.com/archives/2009/01/rethinking-risk.html/comment-page-1#comment-5427</link>
		<dc:creator>Graydon McKee</dc:creator>
		<pubDate>Thu, 22 Jan 2009 10:52:08 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=3021#comment-5427</guid>
		<description>Hi, I’m a new poster to this blog though I have been a lurker for quite some time.  This is an interesting conversation and I’d like to jump in if I may…
I think that there is more than a semantic difference between information security and risk management.  We talk about making information secure when we talk about information security like that is a finite state, as if it is something that can be truly achieved.  When you talk about risk management you talk about trying to manage a system that by definition is constantly changing.  This is the age-old argument between qualitative and quantitative analysis.
I’m not quite ready to attend risk management’s funeral.  I agree that we can’t attach credible numbers to threats, exposures, etc as Dean Loomis points out.  When you look at current studies and surveys, I think all of us would agree that they reflect only a fraction of what is happening out there in real life.  In that respect I don’t think that the data we currently have can be used for the precise types of measurement that a lot of people would like to use it for.  In fact I think that it is actually dangerous to use the data that way.  We can however use this data to discover trends.  Our measuring stick may be off but if we keep using that same level of flawed measurement we can begin to discern changes over time.
Risk management is about managing trends and making decisions with less than optimal data.  It is also about accepting the fact that you’ll judge the risk wrong occasionally.  This is part of life.  So many people want to make life binary: a zero or a one; secure or insecure. In my experience life doesn’t work that way so why do we want to try to create a way of managing risk that doesn’t reflect real life?
</description>
		<content:encoded><![CDATA[<p>Hi, I’m a new poster to this blog though I have been a lurker for quite some time.  This is an interesting conversation and I’d like to jump in if I may…<br />
I think that there is more than a semantic difference between information security and risk management.  We talk about making information secure when we talk about information security like that is a finite state, as if it is something that can be truly achieved.  When you talk about risk management you talk about trying to manage a system that by definition is constantly changing.  This is the age-old argument between qualitative and quantitative analysis.<br />
I’m not quite ready to attend risk management’s funeral.  I agree that we can’t attach credible numbers to threats, exposures, etc as Dean Loomis points out.  When you look at current studies and surveys, I think all of us would agree that they reflect only a fraction of what is happening out there in real life.  In that respect I don’t think that the data we currently have can be used for the precise types of measurement that a lot of people would like to use it for.  In fact I think that it is actually dangerous to use the data that way.  We can however use this data to discover trends.  Our measuring stick may be off but if we keep using that same level of flawed measurement we can begin to discern changes over time.<br />
Risk management is about managing trends and making decisions with less than optimal data.  It is also about accepting the fact that you’ll judge the risk wrong occasionally.  This is part of life.  So many people want to make life binary: a zero or a one; secure or insecure. In my experience life doesn’t work that way so why do we want to try to create a way of managing risk that doesn’t reflect real life?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Dean Loomis</title>
		<link>http://emergentchaos.com/archives/2009/01/rethinking-risk.html/comment-page-1#comment-5426</link>
		<dc:creator>Dean Loomis</dc:creator>
		<pubDate>Wed, 21 Jan 2009 23:23:12 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=3021#comment-5426</guid>
		<description>Saying that risk management is a dead duck implies that it was alive at some point.  Risk management is more like the city floating in the sky in the distance across the blazing desert. This is for four major reasons:
1. Our so-called &quot;theories of risk&quot; are nonsense. We don&#039;t know how to attach credible numbers to threats, exposures, losses, or assets (unless those loss and asset values are money in current accounts).  Do the basic physicist&#039;s step of &quot;dimensional analysis&quot; and your units don&#039;t match.
2. Our data are worthless.  Tons of worthless data is still worthless.  Security &quot;analyst&quot; companies that purport to compile attack data like number of spam messages per day keep their coverage and methods secret so that they can&#039;t be validated or falsified.  US-CERT notwithstanding, government agencies corresponding to the Centers for Disease Control don&#039;t exist, and don&#039;t have the legal basis that the CDC does for collecting decent data.
3. Many &quot;risks&quot; are intrinsically unmanageable. Nassim Taleb writes about black swans, but computer systems are even worse. There are fundamental theorems in computer science that say that for any computer system powerful enough to be useful, it&#039;s impossible to prove that it is free of catastrophic defects. The hacker&#039;s job is to find those defects and exploit them.
4. Our systems are too complex for us to understand. The vulnerabilities that we know about number in tens and hundreds of thousands, and we don&#039;t have any tools that tell us how to assess their impact on enterprise-class systems comprising dozens of servers (not to mention &quot;cloud computing&quot; platforms of tens of thousands of servers), even if our theories made sense.
Computer security is much more like military defense or public health than it is like managing an electric power grid.  And even the grid has blackouts.
</description>
		<content:encoded><![CDATA[<p>Saying that risk management is a dead duck implies that it was alive at some point.  Risk management is more like the city floating in the sky in the distance across the blazing desert. This is for four major reasons:<br />
1. Our so-called &#8220;theories of risk&#8221; are nonsense. We don&#8217;t know how to attach credible numbers to threats, exposures, losses, or assets (unless those loss and asset values are money in current accounts).  Do the basic physicist&#8217;s step of &#8220;dimensional analysis&#8221; and your units don&#8217;t match.<br />
2. Our data are worthless.  Tons of worthless data is still worthless.  Security &#8220;analyst&#8221; companies that purport to compile attack data like number of spam messages per day keep their coverage and methods secret so that they can&#8217;t be validated or falsified.  US-CERT notwithstanding, government agencies corresponding to the Centers for Disease Control don&#8217;t exist, and don&#8217;t have the legal basis that the CDC does for collecting decent data.<br />
3. Many &#8220;risks&#8221; are intrinsically unmanageable. Nassim Taleb writes about black swans, but computer systems are even worse. There are fundamental theorems in computer science that say that for any computer system powerful enough to be useful, it&#8217;s impossible to prove that it is free of catastrophic defects. The hacker&#8217;s job is to find those defects and exploit them.<br />
4. Our systems are too complex for us to understand. The vulnerabilities that we know about number in tens and hundreds of thousands, and we don&#8217;t have any tools that tell us how to assess their impact on enterprise-class systems comprising dozens of servers (not to mention &#8220;cloud computing&#8221; platforms of tens of thousands of servers), even if our theories made sense.<br />
Computer security is much more like military defense or public health than it is like managing an electric power grid.  And even the grid has blackouts.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: patrick</title>
		<link>http://emergentchaos.com/archives/2009/01/rethinking-risk.html/comment-page-1#comment-5425</link>
		<dc:creator>patrick</dc:creator>
		<pubDate>Wed, 21 Jan 2009 13:32:57 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=3021#comment-5425</guid>
		<description>My previous post was incomplete - please delete it, if you can.
Risk assessment and risk management are two different activities.  I have no personal information that these activities did or did not take place at TJX, Hannaford, or Heartland.  Or if they did take place, what the decisions were.
I think we have to be careful about assuming a chain of causality when looking at historical events - i.e., assuming that incidents have occurred because of a failure of risk management.
Sometimes, understanding the consequences, people roll the dice, and lose.  Sometimes the consequences of losing can be significant/catastrophic.
Sometimes people roll the dice and pass or attempt to pass the consequences on to someone else - i.e., what Wall Street has done in the current crisis - some of these fat cats knew exactly how risky the CDOs were.  Unfortunately for the rest of us, it was not illegal for them to pass those instruments on while reaping huge profits.  Not a failure to understand risk on their part, but rather, clever, conscienceless, greedy behavior.
We also have to remember that risk assessment is basically about predicting the future.  Some events can be predicted with little uncertainty - i.e., what will happen when you drop a ball from 5 feet above the ground.
Other events, where large uncertainties exist, or when long time frames are considered, can only be predicted within broad ranges of confidence, if at all.
My 2 cents' worth.
</description>
		<content:encoded><![CDATA[<p>My previous post was incomplete &#8211; please delete it, if you can.<br />
Risk assessment and risk management are two different activities.  I have no personal information that these activities did or did not take place at TJX, Hannaford, or Heartland.  Or if they did take place, what the decisions were.<br />
I think we have to be careful about assuming a chain of causality when looking at historical events &#8211; i.e., assuming that incidents have occurred because of a failure of risk management.<br />
Sometimes, understanding the consequences, people roll the dice, and lose.  Sometimes the consequences of losing can be significant/catastrophic.<br />
Sometimes people roll the dice and pass or attempt to pass the consequences on to someone else &#8211; i.e., what Wall Street has done in the current crisis &#8211; some of these fat cats knew exactly how risky the CDOs were.  Unfortunately for the rest of us, it was not illegal for them to pass those instruments on while reaping huge profits.  Not a failure to understand risk on their part, but rather, clever, conscienceless, greedy behavior.<br />
We also have to remember that risk assessment is basically about predicting the future.  Some events can be predicted with little uncertainty &#8211; i.e., what will happen when you drop a ball from 5 feet above the ground.<br />
Other events, where large uncertainties exist, or when long time frames are considered, can only be predicted within broad ranges of confidence, if at all.<br />
My 2 cents' worth.</p>
]]></content:encoded>
	</item>
</channel>
</rss>