
Blog Author: David Lacey, Honorary Fellow, The Jericho Forum

David Lacey's blog 01-11-2009 14:54

The Limitations of Risk Assessment

The recent Nimrod review set out some important learning points for the Ministry of Defence, as well as the broader safety community. One could argue that some of these points apply equally to the information security community.

In fact there’s nothing new. It was the same core issue of business goals overriding safety concerns that led to the Space Shuttle Challenger disaster. One could also point to the corresponding problem of financial constraints squeezing security countermeasures, especially where there is a clear moral hazard, i.e. when the impact affects someone other than the manager calling the shots.

Today, many security professionals tell me that the answer is better risk assessment. I disagree. The practice of risk analysis is one of the root causes of our failure to match security countermeasures to the emerging threats. It depends on too many unrealistic assumptions: the ability of managers to ignore bonus targets and take objective decisions; a thorough understanding of the problem space and impact of breaches; a capability to predict the short-term future; and the hard evidence needed to convert a recommended control into a financial business case. It's no surprise to find that in practice it becomes a license to selectively ignore a range of known problems.

The risk landscape has also changed substantially since the early years of IT, when financial impacts were the sole concern and the interests of citizens were not seriously damaged by computer intrusions and media losses. Data breaches now cause real harm to customers, and it’s not easy to put a price on that. You can in fact do it if you must. Many safety calculations for example include an estimated cost for a human life. But how much is a reasonable figure for the theft of a customer’s identity? 

We can learn much from the model of safety culture spelled out in the Nimrod review. As the report correctly points out, safety depends on leadership, culture and priorities. It is delivered by people, not paper, and it takes a whole community to ensure that we achieve it. Now that’s the real way to manage information security. 



Permalink:
http://www.infosecurityadviser.com/view_message?id=150

Comments:

Stylleto  10:27 am, Tue 3rd Nov 2009

Hello,
I strongly agree that information security depends on leadership, culture and priorities. But to handle it properly, it is of the utmost importance that we create new knowledge and tools to bridge the gap between the technical complexity of IT systems, and the leadership and culture fields. The tools should be cheap to be used by all, easy to integrate in any technical environment, and well-designed to deliver a solid base of working. These are the properties of free software. I think we lack truly innovative free software in security to manage this gap. This is just an example among many possible ways (http://accessroad.sourceforge.net/).

© 2008 Reed Exhibitions

Infosecurity Adviser is produced by Reed Exhibitions with thanks to Tangent Labs