December 20th, 2005 by Chandler Howell

I’ve really enjoyed Adam Shostack’s “Friday Star Wars Security Blogging” over at Emergent Chaos. Last week’s installment contained this gem, which actually made me laugh out loud.

The overall plans of the Death Star are hard to change. That’s not to say that they should be published, but the security of the Death Star should not rely on them remaining secret. Further, when the rebels attack with stub fighters, the flaw is easily found:

OFFICER: We’ve analyzed their attack, sir, and there is a danger. Should I have your ship standing by?

TARKIN: Evacuate? In our moment of triumph? I think you overestimate their chances!

Good call, Grand Moff! Really, though, this is the same call that management makes day in and day out when technical people tell them there is a danger. Usually, the danger turns out to go unexploited. Further, our officer has provided the world’s worst risk assessment. “There is a danger.” Really? Well! Thank you for educating us. Perhaps next time, you could explain probabilities and impacts? (Oh. Wait. To coin a phrase, you have failed us for the last time.)

Of course, what Adam doesn’t point out is that the nameless OFFICER has also provided the world’s most common Risk Assessment.

Not that it matters, of course, because most of the time the outcome is the same even when I deliver a beautifully honed Risk Assessment with assumptions documented, threats cataloged and prioritized based on impact and estimated likelihood, control recommendations linked to risks, and references back to underlying policies, standards, and internal controls requirements.

Here’s how this same conversation played out in the Real World:

OFFICER [ME]: We’ve analyzed the proposal, and here is my analysis with recommendations for risks which can be mitigated and risks which must be accepted.

ADMIRAL [VICE PRESIDENT]: Accepted?

OFFICER [ME]: Yes. You need to state that you understand and are willing to accept the residual risks.

ADMIRAL [VICE PRESIDENT]: I think there is no risk.

OFFICER [ME]: Then you should have no problem accepting it.

(Cue Crickets chirping)

I should have saved the effort and just gone with, “We’ve analyzed the situation and there is a danger.”

- Posted in Security and Risk Management, Risk Management
