Misnomer

I’ve written before how government agencies misuse terminology associated with information security but it seems to persist and continues to mislead.

The latest is the UK government releasing what they call a “National Risk Register”.

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/61934/national_risk_register.pdf

English is a wonderful language, isn’t it? “national”? As in “nation-wide”, “applicable only to this nation” or “to the nation” (as in causing national bankruptcy or the land-mass to go drifting off into the Atlantic (as some anti-EU politicians would wish for).

But no, that’s not my beef. (I’m not a vegetarian.)

Its the inappropriate terminology.

“Risk” has a number of components when it comes to evaluation and doing
something about it. I’ve blogged and posted (mostly on Gary’s ISO27K
list) about this many times

One “Classical” (ex-ISACA of years ago, for example) phrasing goes[1]
   Risk is the PROBABILITY
            that a THREAT will
                        exploit a VULNERABILITY to cause
                                      harm to an ASSET.

This is useful since it makes you identify the assets and their value and that tells you where to put effort into. It also uncovers other matters like stakeholders, but that’s another issue.

But the important thing about this formula, like others that I depreciate, is that “risk” is a derived property that involves PROBABILITY and the ASSET.

The of quoted “impact” model hides details of what is the “impact” but under that is still something happening to an asset.

The “what” about all this has a cause. That is the threat.

Reading this document its clear that matters such as floods, pandemic diseases; “major industrial accidents” of various classes; “malicious attacks” for example on “crowded spaces”, “critical infrastructures” and “transport technology”; all are identifying THREATS.

Not RISK. THREAT.

The document is still worth a read.
It mentions BS25999, a DR/BC standard, and that section as well as “Considerations for individuals, families and communities” is more useful and relevant, but it still about threats.

I mention this latter as most DR/BC plans I’ve audited fail to consider a “human element”. There are many, many DR scenarios where the key players may value their families more than their work, or because of damage to (e.g. transport) infrastructure may not be able to attend to the roles defined for them in the BC plan.

Finally, “Chapter Five: The risk assessment process” continues in the misnomer and confusion of ideas. It now introduces another fuzzy term, “likelihood”.

What’s missing in all this?

Well, obviously metrics.
Without identifying and valuing assets you can’t begin to make meaningful statements. But the fuzzy thinking continues because these “risks” are there without any consideration of the mechanisms, and hence of the vulnerabilities, so no meaningful evaluation of probability of the “impact” can be made. Its all fuzzy thinking and value terminology.

I’m sure this is good fodder for the PR machinery, showing that “something is being done”. I’m sure it looks impressive to people who don’t actually  have to deal with workings of designing and justifying the cost of protective controls, be they against flood, infrastructure failure or the more ‘root  cause”, political ignorance and depredation.

As such, government efforts like this are quite possibly a a major threat to real, meaningful Risk Management.

[1] You may disagree with this “Classical” definition, but that’s beside
the point. I use it to illustrate that Risk =/= Theat.

About the author

Leave a Reply