Risk Analysis Makes No Sense … does it?

Shows the difference between systematic and un...
Image via Wikipedia

Take a look at this article.

You’re back?  What did you think of it?

OK, now look again, scroll down the section titled “Risk Management“.  It picks up on a number of themes I’ve discussed and has this interesting observation:

Prioritization of security efforts is a prudent step, naturally. The problem is that when risk management is done strictly by the numbers, it does deceptively little to actually understand,  contain, and manage real-world problems. Instead, it introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy, and that underfunded security efforts plus risk management are about as good as properly funded security work.

Guess what? No dice:

The author goes on to illustrate a number of ways that the approach we as the InfoSec community have preached and practised makes no sense.

The first relates to the matter I have raised about treating risk as a scalar when the elements of the risk equation are vector quantities, that you “can’t change just one thing”.

True, but … we are well aware that a threat is a threat to not just one asset. If we are honest, and I’ve illustrated examples of this too, we know that adding a control can actually increase the probability of an exploit elsewhere. Most controls address more than one threat, more than one vulnerability and more than one asset. This kind of cross influence makes it more like using matrices in the CRE than vectors.

Non the less, the author’s argument holds. When he makes the point “Statistical forecasting does not tell you much about your individual risk” he is telling you that its OK if by the numbers you or your beloved died of curable disease because the financial analysis showed that to develop a drug that was 100% effective would cost a lot, LOT more than the one that was only 80% effective … and being budget-limited there had to be prioritization. You may accept the logic but its no consolation when the time comes to put flowers on the grave or explain to the children why mommy isn’t here any more.

Those of us from military backgrounds may, along with the historians, recall “wars of extinction”, threatened, waged and some completed.  From “Carthago delenda est!” to “The Final Solution“: when your opponents had a clear and obsessive objective you simply can’t think in terms of ‘risk management‘. You deal with it or you are gone. Wars of extinction are all-or-nothing matters.

Finally, his point that the statistical basis that serves insurance companies so well, that of a large number of individual events, does not hold for InfoSec, is probably the greatest flaw of RA and the risk equation any risk equation that uses probability.

There’s probably a quotation by someone like Ranum, Schneier, Clarke or Hinson to the effect that there *ARE* threats, there *ARE* vulnerabilities and there *ARE* baseline controls which you have *no
* for failing to implement[1].

I’m of the opinion that doing a RA _before_ you’ve installed the baseline set of controls that are prudent or your industry and context, and that includes physical security, policy, awareness, logging and monitoring, is pointless. After all, you don’t do the RA on locking the doors during a vacation trip on your house while its still being built, when its just the framework with no roof, doors or walls.

[1] I’m told by Tom Slodichak of Whitehat Inc that after a risk assessment exercise he once recommended a client get a firewall. Visiting them a year later he found that did get a firewall.
And it was still in the box – unopened.

Enhanced by Zemanta

About the author

Security Evangelist

Leave a Reply