
The death of risk assessment

November 21st, 2008 admin

We saw the movie “Blood Diamonds” last night; the way some companies practice IT risk management reminds me of TIA – “This is Africa”. Joseph Granneman talks about some of the problems with conventional IT risk assessment on Searchsecurity.com:

Risk assessment, as currently practiced in information security, is dead. I’m not saying we need to eliminate risk management altogether as a concept, but it needs a complete overhaul to deal with risk in the 21st century. Our concept of risk as a static condition must evolve. Information security risk should be viewed as organic and perpetually changing; we cannot assume we have all of the facts necessary to assess it.

I agree that risk is dynamic – it always has been – it’s just that the current inferno in financial markets reminds all of us, rather brutally, how dynamic it can be.  And then there is the link-baiting aspect of the title…

However, it is incorrect to suggest that there is a difference between virtual threats and physical threats. In any case – whether it is a digital asset, reputational asset, financial asset or physical asset – threats cause damage to assets and create risk. We need to assess risk in the common language of brick and mortar security no matter what the asset is. Modern business is totally dependent on IT and online transaction processing, making data loss prevention, extrusion prevention, data leakage and internal security critical for the business, not just for the IT security manager.

Conventional IT risk assessment is dead because it is based on a number of erroneous assumptions:

  1. You can assess risk once every year or two, and rely on your firewall/IPS the rest of the time.
    Systems, markets and people change. Ten years ago you didn’t have smart phones with wireless Internet connectivity, two years ago you didn’t have 64GB flash drives and last year you didn’t have a click-jacking threat. Six months ago, in June 2008, the markets were riding high and you were fat, dumb and happy – planning an early retirement (if you were a boomer) or a vacation in Belize (if you were generation Y).
  2. You must outsource risk assessment to someone else – an IT security expert with specific knowledge of security standards such as ISO27001/2 and PCI DSS 1.2.
    True – IT security standards and specific process expertise are extremely important, especially considering the cultural differences between IT and IT security staffers. The key phrase for IT professionals is predictable processes, and the key phrase for IT security professionals is unpredictable events. This is why line managers must ask themselves what threats might result in damaging events, and what business processes are vulnerable and need fixing.
  3. Risk is an independent variable that can be observed and “assessed” or calculated using a mathematical model such as extreme value theory.
    In fact, IT security and compliance risk is a dependent variable: a function of asset value (reputation, IT systems business continuity, customer data, internal pricing, marketing plans and intellectual property), vulnerabilities of your assets (under-30 employees who know more about modern IT than the VP of Global IT, and competitors who want to steal your customer list), threats (competitors, trusted insiders, malicious outsiders) and finally the best-practice security countermeasures that mitigate the threats. Risk needs to be calculated in terms of threats – not assessed and guesstimated.
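As an added illustration of the argument above (example code, not from the original post or from any product it mentions), here is a minimal model in which risk is computed as an expected annual loss from asset value, threat likelihood and damage, and countermeasures are ranked by risk removed per unit of cost. The assets, threats, probabilities and costs are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: float  # what the asset is worth to the business, in money

@dataclass
class Threat:
    name: str
    asset: Asset
    probability: float      # assumed annual likelihood the threat materialises (0..1)
    damage_fraction: float  # share of the asset value lost when it does (0..1)

    def expected_loss(self) -> float:
        # Risk as a dependent variable: annual expected loss in financial terms
        return self.probability * self.damage_fraction * self.asset.value

@dataclass
class Countermeasure:
    name: str
    cost: float      # annual cost of running the countermeasure
    mitigates: dict  # threat name -> fraction of that threat's probability removed

def total_risk(threats):
    return sum(t.expected_loss() for t in threats)

def risk_after(threats, cm):
    """Expected annual loss once countermeasure cm is in place."""
    return sum(t.expected_loss() * (1 - cm.mitigates.get(t.name, 0.0)) for t in threats)

def rank_countermeasures(threats, cms):
    """Order by risk removed per unit of cost; drop any that cost more than they save."""
    base = total_risk(threats)
    ranked = []
    for cm in cms:
        saved = base - risk_after(threats, cm)
        if saved > cm.cost:
            ranked.append((cm.name, saved, cm.cost, saved / cm.cost))
    return sorted(ranked, key=lambda r: r[3], reverse=True)

# Constructed sample threat model; every figure here is made up for illustration
CUSTOMER_LIST = Asset("customer list", 500_000)
ERP = Asset("ERP availability", 2_000_000)
THREATS = [
    Threat("insider copies customer list to a flash drive", CUSTOMER_LIST, 0.30, 0.8),
    Threat("competitor phishes the sales team", CUSTOMER_LIST, 0.20, 0.5),
    Threat("malware outage on the ERP", ERP, 0.05, 0.1),
]
COUNTERMEASURES = [
    Countermeasure("endpoint DLP", 45_000, {"insider copies customer list to a flash drive": 0.7,
                                            "competitor phishes the sales team": 0.3}),
    Countermeasure("awareness training", 10_000, {"competitor phishes the sales team": 0.5}),
    Countermeasure("second internal firewall cluster", 60_000, {"malware outage on the ERP": 0.5}),
]
```

Note that the firewall cluster never appears in the ranking: it would cost more than the loss it prevents, which is exactly the kind of purchase a calculated (rather than guesstimated) view of risk rules out.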

Shameless plug – Download our free risk assessment software and you’ll quickly see how a practical brick and mortar approach will help you save money on IT security and reduce risk.

  1. November 22nd, 2008 at 00:59 | #1

    Dear Colleagues,

    I would like to inform you that on October 2008 we released a major update of PTA (Practical Threat Analysis) Professional Edition (1.54 – build 1206). The latest version introduces a revised reporting system which enables better aggregation and sorting of threat model data and analysis results. The new mechanism allows users to define simple Tags Filter queries which filter the data shown in reports according to the tags attached to the threat’s model entities.

    Practical Threat Analysis is a calculative threat modeling methodology and a risk assessment tool that assist security consultants and analysts in assessing the risks in their systems and building an appropriate risk mitigation policy. Risk level, potential damage and countermeasures required for mitigating the threats are all presented in real financial values. PTA advises on the most cost-effective way to mitigate threats and reduce the risk to an acceptable level.

    PTA is free-of-charge for students, researchers, software developers and independent security consultants. You are invited to review the latest changes as well as to download and install the freeware software from http://www.ptatechnologies.com/latestupdate.htm.

    I’ll be happy to have your feedback and answer your questions on any issue.

    Best regards,

    Zeev Solomonik

    The PTA Team
    http://www.ptatechnologies.com
    zeev at ptatechnologies dot com

  2. December 11th, 2008 at 02:21 | #2

    Project Management complements the SDLC when it comes to Project Quality. It provides a method of managing these unique project efforts, which increases the odds of attaining cost, schedule and quality goals. Since not all projects warrant the same level of cost, schedule and quality goals, it is important to define, as part of the project management process what these objectives are. Is the customer constraining the time of the project, do they have a limited budget, or are they looking for a “cheap” vs. “high- …

  3. January 28th, 2009 at 02:21 | #3

    Great! Thank you very much!
    I always wanted to write in my site something like that. Can I take part of your post to my site?
    Of course, I will add backlink?

    Regards, Timur I. Alhimenkov

  4. admin
    January 28th, 2009 at 09:48 | #4

    I think one of the things driving the death of systematic IT risk assessment is the inflation in vendor marketing collateral. When a reputable network analysis vendor like Lancope resorts to using PCI DSS compliance as a reason to buy their product – I know we’re not in Kansas anymore. I particularly like the part in their collateral about enforcing internal firewall rules –
    a) what if a company doesn’t have internal firewalls …
    b) does Lancope software have access to the internal firewall rule table that enables it to measure and enforce firewall rules?

    Danny Lieberman

  5. admin
    April 10th, 2009 at 08:58 | #5

    Someone who is into investing tips and forex trading secrets linked to my blog – which was a little strange to me. I was reminded of my first job out of grad school at Wilshire Associates – when my boss was talking about the investment advisers at Paine-Webber – and how they were churning stocks in order to max their commissions – he called them “baby-rapers” – getting money out of old ladies and innocents.

    Danny

  6. admin
    July 15th, 2009 at 10:17 | #6

    @Reader
    Of course! By all means do
    Danny

  7. admin
    August 20th, 2009 at 11:44 | #7

    Steve
    You seem to be using automated software to troll blogs for keywords. Why don’t you take a look at http://dannylieberman.info and comment on the content of one of my blogs. Your blog is pretty good and I’m sure you have something interesting to say for a small business.

    Danny Lieberman
