Take a look at
Forget ROI and Risk. Consider Competitive Advantage
by Richard Bejtlich
I note the line that so many of us in the InfoSec business have encountered and complained about …
As we’ve seen during the last few years, “risk” has turned out to be a dead end too. The numbers mean nothing. Even if you could somehow measure risk, it’s easy enough for managers to accept a higher level of risk than the security manager.
But so many ‘authorities’ – ISO-2700x, ISACA’s COBIT, ValIT and RiskIT as well as its Professional Practices – all focus on Risk Analysis.
We’ve recently seen mention of NIST 800-30.
There on page 9 a nine-step (why not 12-step?) program for what they call “Risk Assessment”. Actually it isn’t; it involves controls and results. I makes it look sooooo simple! But as many practitioners have pointed out, in many ways, its not like that in reality. Many of us question if its doable.
Yes, I know, some moderates say that it doesn’t matter, that it doesn’t need to be “complete”, that you just needed to address the “big ones”.
“Big ones”? Does that mean high probability or high impact? Because they are not necessarily the same thing. A “Dinosaur killer” meteor impact has a low probability but large – pardon me – impact.
Low probability? Well, yes, The solar system is old and we are long past the era of “The late Heavy Bombardment” and the moon has rotated its leading edge to face us. All that was 4 BILLION years ago compared to the Dinosaurs mere But the Dinosaurs came well after the LHB as well.
The Chicxulub crater, attributed to the “Dinosaur killer” strike, dates to just 64 million years ago, a lot later than four BILLION.
I’m sure the the Dinosaur-scientists could make the same calculations we have and come up with the same risk analysis.
As I see it, Bejtlich’s analysis is rather like a “Why did the chicken cross the road” situation. Yes, “to get to he other side”, because there was some advantage in being on the other side. Call it “competitive advantage” if you like. Was there a risk analysis involved? Maybe. Do you do a risk analysis whenever you cross the
road? Perhaps you do, but perhaps its so deeply conditioned that you don’t think of it: go to the crossing and wait for the lights to change from “Don’t Walk” to “Walk”. Yes, you can argue that this is “risk mitigation” – compared to jaywalking. We can slice it thinner and thinner and argue over the details, but the reality is that we really don’t do much of the kind of ‘risk analysis’ that our InfoSec textbooks talk about in our real life.
In Amanda Ripley’s “The Unthinkable” she mentions that our perception of risk has a lot to do with what she
terms “dread”. That ties in with ‘drama’ (as in Dramatic).
She gives many examples as she unfolds her reasoning, but we know many of them already. She points out that the “news” we see on TV and the paper is “news” because it is uncommon. Its also made to look dramatic – which is why it is ‘newsworthy’. Another kind of ‘dramatisation’ is the proverbial “Glossy Airline Magazine Article” that impresses executives when they are a captured audience.
By contrast, the common place is boring and we filter it out. Even when it is the real risk that applies to us.
Whatever the probability of a meteor strike, whatever the probability of a terrorist attack, whatever the probability of an plane crash, the really common things that probably are going to affect you don’t get dramatised. In the the “foreign” wars that the USA has been involved in, 1918, 1941-45, Korea, Vietnam, Gulf I and II, Afghanistan, the probability of getting killed or injured in service has usually been less or the same as being killed or injured in a automobile accident on the roads. This isn’t a new statistics; its often quoted and even more often overlooked.
Ripley points out that this lack of understanding of real risk caused yet more deaths in the aftermath of 9/11. The terrorist won: people were scared of flying so they drove long distance, which was more accident prone than flying. The statisticians figured that an _additional_ 2,300 people died in car accidents above the norm because of this. I say ‘the terrorists have won’ because the _response_ to the attacks is more devastating than the attacks themselves.
The way we deal with risk in real life has less to do with probability and more to do with the balance of dread and optimism. And lets face it, we in InfoSec are the “paid to be paranoid” crowd. you can’t call us the most optimistic of people.
Ripley describes “dread” as the sum of our feelings of
- * Lack of Control
- * Unfamiliarity
- * Imagination
- * Potential Suffering
- * Unfairness
- and expectation of the Scale of Destruction.
We may be safer in a commercial airliner than in our cars, but our cars are familiar and we feel we have control of them.
So when a certain manager I had to deal with was more concerned about viruses attacking the AIX server farm than the risks of the admin accessing then over the ‘Net using unencrypted telnet, he was focusing
on what he was familiar with, even if it wasn’t relevant.
Related articles by Zemanta
- Scientists reassert that asteroid killed dinosaurs (thestar.com)
- Terrorist Attacks and Comparable Risks, Part 2 (schneier.com)
- “It’s Time For A New Attitude!” (hellobeautiful.com)
- Jeff Schweitzer: Managing Risks in Public Policy: Impact vs. Probability? (huffingtonpost.com)
- Risk Management Risk Management Outline: (slideshare.net)