Risk management is the method most often used as the path to reach reasonable and appropriate spending and management of security controls. However, there seems to be contention between security professionals who believe this is the proper approach and those who believe that risk management is fundamentally flawed.
The following pros and cons are my reflections on two recent, opposing articles about this topic. The pro position was taken by Jay G. Heiser in an Information Security magazine article titled “Fad or For Real” (February 2007, p. 20).
- Looking at mainstream information security doctrine, risk is a basic metric in security management. Risk assessments are performed based on the formula
Risk = Threats * Vulnerabilities * Impact
I agree with Heiser’s assertion that there is nothing certain in business. Rather, decisions about how much risk to accept are based on the probability that an unwanted event will occur plus the annualized business impact of that event. Using this approach, appropriate controls are put in place to ensure reasonable and appropriate protection for the business. Attempting to eliminate all risk is not a sound business decision from a cost perspective. At some point you arrive a point of diminishing returns.
Security risk management integrates well with the way business managers make decisions. It allows security managers to speak a language decision makers understand.
Use of risk management tools helps security professionals align with business objectives rather than focusing entirely on destroying a vulnerability as soon as it raises its head.
The con position was described very well in an article by Donn B. Parker titled “Risks of Risk-Based Security” (Communications of the ACM, March 2007, p. 120). This is my interpretation of Parker’s position:
Decision makers might find it too easy to accept vulnerabilities if mitigating them takes necessary resources from accomplishing a business objective.
Security managers often find themselves attempting to make a business case to protect against something that hasn’t happened yet. It’s difficult to quantify the business impact of security incidents that have never happened or rarely occur.
In essence, risk reduction is guesswork at best. It isn’t a valid metric of the company’s commitment or effort to address matters of potential negligence, ethics, regulatory compliance, and protection of the company brand. According to Parker,
“Security risk is not measurable, because the frequencies and impacts of future incidents are mutually dependant on variables with unknown mutual dependency under control of unknown and often irrational enemies with unknown skills, knowledge, resources, authority, motives, and objectives—operating from unknown locations at unknown future times…”
Quantitative risk assessments are not effective because it’s difficult, if not impossible, to obtain the actual costs related to an incident. Qualitative assessments are not effective because humans are bad at assigning values to risk.
Threats evolve over time. A risk assessment performed yesterday might have very different results if performed tomorrow.
Both Heiser and Parker make good arguments for their positions. However, my experience shows that leaning too far in either direction is a bad idea. I use risk assessments every day to help determine risk.
When I present the results, I also qualify my assessment scores with a statement that they are simply a guideline. Variances in qualitative or quantitative measures, evolving threats, and how much effort an attacker is willing to expend to reach an attack objective are all discussion points. Using unqualified risk scores as the only input into a decision about the right security controls is a mistake.
Security management is not an exact science. As a director of security, it’s my responsibility to educate business managers on the moving target at which we aim every day. I do this while working diligently to ensure that security is an enabler; a means to efficiently meeting business objectives in relative safety.