Shostack + Friends Blog Archive


Rethinking Risk

Now it’s no secret to those of you who know me that I’m a big believer in using risk management in the security space. Iang over at Financial Cryptography thinks it is “a dead duck”:

The only business that does risk management as a core or essence is banking and insurance (and, banking is debatable these days). For all others, risk management is just an ancillary aspect, a nice-to-have, something that others say is critical to you, but you ignore because you’ve got too much to do. So we have a choice: is security like finance, or is it like “the rest of business?”

I disagree. While it’s true that financials and insurance have done a much better job than anyone else of formalizing their risk management practices, every business does risk management to some degree; it’s part of the job of the C-Suite. Arguing that we don’t have data, so trying to do it in security is pointless, is taking the lazy way out. It’s true we don’t have as much data as we’d like, but as Hubbard said (more or less), “You don’t need as much data as you think, and you have more data than you think.” In other words, we have to start somewhere.

On a related note, The Economist ran an article at the beginning of this year, from which I took the title of this post, “Rethinking Risk.”

What makes the current situation so dire is the way in which so many major risks are converging all at once: a credit crisis, volatile commodity prices, soaring government debt, rising unemployment and its attendant impact on consumer spending — the list goes on.
None of those risks are lost on CFOs, of course, who now have an additional impetus to address them: more pressure from boards. Corporate directors in most industries have gotten risk religion, says Henry Ristuccia, U.S. leader of Deloitte’s governance and risk-management practice in the Northeast. “More external directors are asking senior management: What are the company’s major risk issues? What are the dimensions of governance and risk management? What levers and tools does the company have in place for risk management?”

Now, The Economist doesn’t explicitly talk about security but as several companies including Hannaford and TJ Maxx learned, just because you’re not in the finance industry doesn’t mean you don’t face significant financial or security risk. A shame neither of them had real risk management in place.

6 comments on "Rethinking Risk"

  • patrick says:

    My previous post was incomplete – please delete it, if you can.
    Risk assessment and risk management are two different activities. I have no personal information that these activities did or did not take place at TJX, Hannaford, or Heartland. Or if they did take place, what the decisions were.
    I think we have to be careful about assuming a chain of causality when looking at historical events – i.e., assuming that incidents have occurred because of a failure of risk management.
    Sometimes, understanding the consequences, people roll the dice, and lose. Sometimes the consequences of losing can be significant/catastrophic.
    Sometimes people roll the dice and pass or attempt to pass the consequences on to someone else – i.e., what Wall Street has done in the current crisis – some of these fat cats knew exactly how risky the CDOs were. Unfortunately for the rest of us, it was not illegal for them to pass those instruments on while reaping huge profits. Not a failure to understand risk on their part, but rather, clever, conscienceless, greedy behavior.
    We also have to remember that risk assessment is basically about predicting the future. Some events can be predicted with little uncertainty – i.e., what will happen when you drop a ball from 5 feet above the ground.
    Other events, where large uncertainties exist, or when long time frames are considered, can only be predicted within broad ranges of confidence, if at all.
    my 2 cents worth

  • Dean Loomis says:

    Saying that risk management is a dead duck implies that it was alive at some point. Risk management is more like the city floating in the sky in the distance across the blazing desert. This is for four major reasons:
    1. Our so-called “theories of risk” are nonsense. We don’t know how to attach credible numbers to threats, exposures, losses, or assets (unless those loss and asset values are money in current accounts). Do the basic physicist’s step of “dimensional analysis” and your units don’t match.
    2. Our data are worthless. Tons of worthless data is still worthless. Security “analyst” companies that purport to compile attack data like number of spam messages per day keep their coverage and methods secret so that they can’t be validated or falsified. US-CERT notwithstanding, government agencies corresponding to the Centers for Disease Control don’t exist, and don’t have the legal basis that the CDC does for collecting decent data.
    3. Many “risks” are intrinsically unmanageable. Nassim Taleb writes about black swans, but computer systems are even worse. There are fundamental theorems in computer science that say that for any computer system powerful enough to be useful, it’s impossible to prove that it is free of catastrophic defects. The hacker’s job is to find those defects and exploit them.
    4. Our systems are too complex for us to understand. The vulnerabilities that we know about number in tens and hundreds of thousands, and we don’t have any tools that tell us how to assess their impact on enterprise-class systems comprising dozens of servers (not to mention “cloud computing” platforms of tens of thousands of servers), even if our theories made sense.
    Computer security is much more like military defense or public health than it is like managing an electric power grid. And even the grid has blackouts.

  • Hi, I’m a new poster to this blog though I have been a lurker for quite some time. This is an interesting conversation and I’d like to jump in if I may…
    I think that there is more than a semantic difference between information security and risk management. We talk about making information secure when we talk about information security, like that is a finite state, as if it is something that can be truly achieved. When you talk about risk management you talk about trying to manage a system that by definition is constantly changing. This is the age old argument between qualitative and quantitative analysis.
    I’m not quite ready to attend risk management’s funeral. I agree that we can’t attach credible numbers to threats, exposures, etc as Dean Loomis points out. When you look at current studies and surveys, I think all of us would agree that they reflect only a fraction of what is happening out there in real life. In that respect I don’t think that the data we currently have can be used for the precise types of measurement that a lot of people would like to use it for. In fact I think that it is actually dangerous to use the data that way. We can however use this data to discover trends. Our measuring stick may be off but if we keep using that same level of flawed measurement we can begin to discern changes over time.
    Risk management is about managing trends and making decisions with less than optimal data. It is also about accepting the fact that you’ll judge the risk wrong occasionally. This is part of life. So many people want to make life binary: a zero or a one; secure or insecure. In my experience life doesn’t work that way so why do we want to try to create a way of managing risk that doesn’t reflect real life?

  • Mr Chips says:

    @ Dean
    Have you seen the OBASHI methodology on Wikipedia?
    Its foundations are in management of risk in Oil & Gas, where complexity has to be documented, understood and communicated; otherwise things blow up.

  • Don Sweezy says:

    Risk management as the basis for information security planning is alive and well in healthcare (required by HIPAA) and for federal systems (required by FISMA). More importantly, though, it can solve one of our oldest problems: lack of resources in the trenches.
    We have established a formal process to report unmitigated risk back to the resource manager (the “business owner” of the app). That manager must then either accept the risk (accredit the system as it stands), or provide the resources to fix it. They hate “accepting risk” even more than they hate to spend money, so this process has produced significant results.

  • The banking comment seems to have caught a few by surprise so I have clarified it on the blog, click on “We may have risk, but _banking is risk_”.
    > I think that there is more than a semantic difference
    > between information security and risk management….
    > I’m not quite ready to attend risk management’s funeral.
    Right. There are semantic issues here, and there are differences and directions. In between all the complexity, people try and draw a line between what is true and what is not. Perhaps to sell a product, perhaps to float a theory.
    That’s what that post was about; trying to knock out some of the popular claims in the security field. We know it isn’t working, and now the hard work begins. Why isn’t it working, and what to do next?

Comments are closed.