The death of risk assessment

November 21, 2008

We saw the movie “Blood Diamonds” last night; the way some companies practice IT risk management reminds me of TIA – “This is Africa”. Joseph Granneman talks about some of the problems with conventional IT risk assessment on

Risk assessment, as currently practiced in information security, is dead. I’m not saying we need to eliminate risk management altogether as a concept, but it needs a complete overhaul to deal with risk in the 21st century. Our concept of risk as a static condition must evolve. Information security risk should be viewed as organic and perpetually changing; we cannot assume we have all of the facts necessary to assess it.

I agree that risk is dynamic – it always has been – it’s just that the current inferno in financial markets reminds all of us, rather brutally, how dynamic it can be. And then there is the link-baiting aspect of the title…
However, it is incorrect to suggest that there is a difference between virtual threats and physical threats. In any case – whether it is a digital asset, reputational asset, financial asset or physical asset – threats cause damage to assets and create risk. We need to assess risk in the common language of brick and mortar security no matter what the asset is. Modern business is totally dependent on IT and online transaction processing – making data loss prevention, extrusion prevention, data leakage and internal security critical for the business, not just for the IT security manager.
Conventional IT risk assessment is dead because it is based on a number of erroneous assumptions:

  1. You can assess risk once every year or two, and rely on your firewall/IPS the rest of the time.
    Systems, markets and people change. Ten years ago you didn’t have smart phones with wireless Internet connectivity, two years ago you didn’t have 64GB flash drives and last year you didn’t have a click-jacking threat. Six months ago, in June 2008, the markets were riding high and you were fat, dumb and happy – planning an early retirement (if you were a boomer) or a vacation in Belize (if you were generation Y).
  2. You must outsource risk assessment to someone else – an IT security expert with specific knowledge of security standards such as ISO27001/2 and PCI DSS 1.2.
    True – IT security standards and specific process expertise are extremely important, especially considering the cultural differences between IT and IT security staffers. The key phrase for IT professionals is predictable processes, and the key phrase for IT security professionals is unpredictable events. This is why line managers must ask themselves what threats might result in damaging events and what business processes are vulnerable and need fixing.
  3. Risk is an independent variable that can be observed and “assessed”, or calculated using a mathematical model such as extreme value theory.
    In fact, IT security and compliance risk is a dependent variable: a function of asset value (reputation, IT systems business continuity, customer data, internal pricing, marketing plans and intellectual property), the vulnerabilities of your assets (under-30 employees who know more about modern IT than the VP Global IT, and competitors that want to steal your customer list), threats (competitors, trusted insiders, malicious outsiders) and finally the best-practice security countermeasures that mitigate the threats. Risk needs to be calculated in terms of threats – not assessed and guesstimated.
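To make point 3 concrete, here is an added example (not code from the original post or from any risk assessment product) that models risk as a dependent variable of asset value, vulnerability (damage fraction), threat frequency and countermeasures, and ranks countermeasures by risk reduced per unit cost. The assets, threats, probabilities and costs are constructed sample figures, and the multiplicative mitigation model is an assumption chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: float  # loss if fully compromised (constructed figure)

@dataclass
class Threat:
    name: str
    probability: float  # expected occurrences per year (assumed)
    damage: dict        # asset name -> fraction of asset value lost per occurrence

@dataclass
class Countermeasure:
    name: str
    cost: float
    mitigation: dict    # threat name -> fraction of that threat's damage removed

def threat_risk(threat, assets, controls):
    """Expected annual loss from one threat after the chosen controls."""
    # Risk is computed per threat: asset value x vulnerability x frequency,
    # then reduced by each control that mitigates this specific threat.
    exposure = sum(assets[a].value * frac for a, frac in threat.damage.items())
    remaining = 1.0
    for c in controls:
        remaining *= 1.0 - c.mitigation.get(threat.name, 0.0)
    return threat.probability * exposure * remaining

def total_risk(threats, assets, controls):
    return sum(threat_risk(t, assets, controls) for t in threats)

def rank_controls(threats, assets, controls):
    """Order controls by annual risk reduced per unit cost."""
    base = total_risk(threats, assets, [])
    scored = [(c.name, (base - total_risk(threats, assets, [c])) / c.cost)
              for c in controls]
    return sorted(scored, key=lambda s: s[1], reverse=True)

# Constructed sample data in the spirit of the post's examples
ASSETS = {a.name: a for a in [Asset("customer_list", 500_000), Asset("pricing", 200_000)]}
THREATS = [
    Threat("insider_exfil", 0.3, {"customer_list": 1.0, "pricing": 0.5}),
    Threat("lost_flash_drive", 1.0, {"customer_list": 0.2}),
]
CONTROLS = [
    Countermeasure("dlp_endpoint", 40_000, {"insider_exfil": 0.6, "lost_flash_drive": 0.9}),
    Countermeasure("annual_audit", 25_000, {"insider_exfil": 0.1}),
]

if __name__ == "__main__":
    print("base risk:", total_risk(THREATS, ASSETS, []))
    print("ranked controls:", rank_controls(THREATS, ASSETS, CONTROLS))
```

Re-running the calculation whenever an asset, threat or control changes is the point: the numbers are inputs to revisit, not a once-a-year verdict.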

Shameless plug – Download our free risk assessment software and you’ll quickly see how a practical brick and mortar approach will help you save money on IT security and reduce risk.
