A colleague in InfoSec made the following observation:
My point - RA is a nice to have, but it is superfluous. It looks nice
but does NOTHING without the bases being covered. What we need
is a baseline that everyone accepts as necessary (call it the house
odds if you like...)
Most of us in the profession have met the case where a Risk Analysis would be nice to have but is superfluous, because the baseline controls that were needed were obvious and 'generally accepted', which makes me wonder why any of us support the fallacy of RA.
It gets back to the thing about the Hollywood effect that is Pen Testing. Quite apart from the many downsides it has from a business POV it is non-logical in the same way that RA is non-logical.
In presentations I ask people what they do before going on holiday to 'secure' their house. They call out things like 'turn off the gas', 'cancel the milk/post/newspaper', 'lock the doors and windows', 'board the dog'. This is all baseline sensible stuff. We see it because we are used to being in the physical world, but the e-world is often invisible.
What do I mean, invisible?
If I have 50,000 books I can see them; on the couch, the bed, shelves, tables, chairs ...
If I have 50,000,000 ebooks, what do I see? Exactly the same box as if I had only 1.
So all those basic precautions are 'out of sight, out of mind'.
And then there's the 'specialist' ability to perceive what others don't.
I'm sure medical doctors will tell us of the many medical conditions they can tell of just by watching someone walk by and looking in their face, the whites of their eyes, the colour and texture of their skin. My optometrist deals with children who are not able to respond to questions about eye tests in the way that adults can, but he can tell the prescription they need by looking in their eyes.
All of which would be meaningless - just another face in the crowds - to the rest of us (.... oh, those fatty deposits around the edges of your eyelids, Anton ...) But it's the sort of skill the real professional has.
So many things are 'obvious' to us InfoSec professionals, where we infer causality and risk, but not to the CIO or not even to the IT staff. Why? Because it's our domain of knowledge.
We may argue among ourselves, but that's true of any profession.
However, it's beside the point unless it gives clients the impression that this is all nonsense.
Which end of the egg you crack isn't what matters.
Having a good breakfast is what matters.
Which gets back to the point Donn Parker makes repeatedly.
Unless you have a good - "Context is Everything" - baseline in place, no method of RA is useful. While you are off pondering your RA - which isn't, as Donn points out, going to tell you what controls to install - the Bad Guys(tm) have moved in and moved out your crown jewels.
A poor attitude toward IT risk on the part of the BoD (or BoG in some other countries) seems quite common. You present a Risk Analysis and they say "We'll accept the risk". Part of this is the difference in attitude to what they see as risk, the business model vs the infosec model. Part of it is 'emotional'; they don't, as Donn points out, want to hear or think about the potential for bad things to happen. They are businessmen, they are concerned with profit and growth and opportunity and market and all those B-school things.
Part of it is that we in InfoSec are not doing a good enough job communicating the issues.
What I'm disturbed by is the way that 'standards bodies', NIST, ISO and now, I see, gaining ground at ISACA, are MANDATING Risk Analysis. In particular, mandating it as a prior step rather than as a "gap analysis" after establishing a well-considered BASELINE.