Alex Hutton just asked me an interesting question in comments:
Do you specifically separate Information Security and IRM? Why and how?
I know plenty of people who will argue that Security is more than what I’m outlining, but I’ve found that in practice, this generally seems to be the boundary around the thought processes of those practitioners I know who self-identify as “Information Security” as compared to Risk Managers (of which there are numerous flavors).
Short Form: Information Security locks up information to keep it safe, whether or not that’s the best thing to do with it. Information Risk Managers figure out the best way to preserve the value of the information, which may or may not include locking it up.
To me, though, Security is a subset of IRM. There are many things you can do to preserve information’s value that have nothing to do with securing it, such as Transferring or Accepting the risk.
Long Form:
Information Security is the practice of designing and implementing countermeasures and other preventative (usually technical) controls on information. Security experts tend to understand the nuances of their tools, but all-too-often fall prey to the adage that, “When your only tool is a hammer, every problem begins to look a lot like a nail.”
Information Risk Management (IRM) is the practice of determining which Information Assets need protection and what level of protection is required, then determining appropriate methods of achieving that level of protection by understanding the applicable vulnerabilities, threats and countermeasures.
To practice IRM successfully means understanding not just the technologies that enable communication but also the business that the communication enables, the applicable regulatory environment, how information is utilized, the circumstances under which it might have value to an attacker, and how to balance those variables based on the risk appetite and cost-consciousness of the business.
Note: Before anyone breaks out their asbestos keyboards, please recall that these are my definitions. If you don’t like them, feel free to try something non-’Net-like, which is to say constructive ;-), and add a comment with your own definitions.
Finally, now that I’ve written my definitions, here are Wikipedia’s Information Security
Information Security deals with several different “trust” aspects of information. Another common term is information assurance. Information security is not confined to computer systems, nor to information in an electronic or machine-readable form. It applies to all aspects of safeguarding or protecting information or data, in whatever form.
The U.S. National Information Systems Security Glossary defines Information systems security (INFOSEC) as:
the protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.
Most definitions of information security tend to focus, sometimes exclusively, on specific usages and, or, particular media; e.g., “protect electronic data from unauthorized use”. In fact it is a common misconception, or misunderstanding, that information security is synonymous with computer security—in any of its guises: computer and network security, information technology (IT) security, information systems security, information and communications technology (ICT) security. Each of these has a different emphasis, but the common concern is the security of information in some form (electronic in these cases): hence, all are subsets of information security. Conversely, information security covers not just information but all infrastructures that facilitate its use—processes, systems, services, technology, etc., including computers, voice and data networks, etc.
and Risk Management pages
Generally, Risk Management is the process of measuring, or assessing risk and then developing strategies to manage the risk. In general, the strategies employed include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk. Traditional risk management focuses on risks stemming from physical or legal causes (e.g. natural disasters or fires, accidents, death, and lawsuits). Financial risk management, on the other hand, focuses on risks that can be managed using traded financial instruments. Intangible risk management focuses on the risks associated with human capital, such as knowledge risk, relationship risk, and engagement-process risk. Regardless of the type of risk management, all large corporations have risk management teams and small groups and corporations practice informal, if not formal, risk management.
In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled later. In practice the process can be very difficult, and balancing between risks with a high probability of occurrence but lower loss vs. a risk with high loss but lower probability of occurrence can often be mishandled.
for comparison.
So do you see InfoSec as a subset of IRM?
Chandler Howell Says:
As I said,
To me, though, Security is a subset of IRM.
Alex Says:
LOL duh… I need to read these things after my coffee, not before.
I really, really like your reasoning; I too see IRM as a more process-oriented approach. I think the biggest problem with most IRM today is that what a company performs is what I call a “monolithic” approach. We perform a huge risk assessment undertaking once a year and the binder sits there on the shelf. Risk Management, on the other hand, is a much more organic approach, and true risk management must steer the “information security” group. There are daily tasks, from SC&A processes to incident response that demand risk analysis - not just a reactionary, controls/checklist based approach.
Contrast this with Donn Parker’s article in the latest issue of the ISSA journal. It’s really sad to see those sorts of articles being written in today’s business environment.
Rob Says:
This is interesting. I have something that adds a different twist. Would also like to discuss deperimeterisation as well. Can you contact me?
Saso Says:
I was going to post a comment, but then I saw the section that says I should be constructive. :-) Bugger.
Whilst I like your definition of IRM, I think you’ve been hanging out too much with IT security nerds and got your view of information security skewed a bit. Luckily Wikipedia comes closer to what I see is imperative in InfoSec: trust management.
Information Security is not all about “[locking up information] to keep it safe, whether or not that’s the best thing to do with it”. In order for data to become information, it needs to have a value to either you, or a third party. Certain information only has value if it is widely known. For example, your company has a new ‘killer app’ that everyone wants. Your friendly InfoSec practitioner will help you devise communication of that data to assure its availability, retain its integrity and make sure that it’s not confidential. :-) Only if it is communicated does that data become information, i.e. have value.
I like your definition of Information Risk Management, but I have to say that it sounds an awful lot like part of Information Security. In order to secure information, you need to know what you’re protecting it against. Sometimes you also need to know why you’re protecting it. And for how long. And this is where risk analysis comes in.
Information Risk Management, to me, makes sense.
Security Risk Management? Now that is something I still have trouble with, simply because you can ignore risks. You are allowed; you know them, you decide to ignore them (i.e. accept them), done. Is that a good security stance? No. Also, in order to have a successful security risk analysis, you need to analyse and evaluate all the potential risks, lest you “miss a big one, the one that will hit you square between the eyes, tomorrow morning, just before breakfast”. And that just isn’t possible. As Donald Rumsfeld so eloquently put it, there are “unknown unknowns, the ones we don’t know we don’t know”. And those are the bad ones. How do you include those in your risk analysis? Using what metrics exactly?
Donn Parker has a good idea, he’s been saying it for the past few decades: do your due diligence. That does not mean that you won’t do risk analysis. Of course you will, skipping it isn’t something a diligent man does. :-)
Alex Hutton Says:
Saso,
With all due respect to Mr. Parker, he’s a little out of touch. If the CFO came up to Mr. Parker and asked him, “How much risk do I have concerning IT?” Mr. Parker’s answer would be “none”. This, IMHO is more of what you called “silver tongues” selling to C-level execs.
Not that trust management and controls management aren’t important, but our overemphasis on them has led some people to claim that there’s a complete failure - http://www.securityabsurdity.com/failure.php An over reliance on Due Diligence and Best Practices miscommunicates the true risk of an organization to the ultimate data owners, the CEO/Stockholders/Board. For example, there are about 4,000 Credit Unions and Community Banks out there with completely useless IDS systems in place because auditors have decided that they are “best practices”. The real worth of IDS to a 1 or 0 man InfoSec shop is, of course, negligible - but because the CFO or CEO had to sign off on a $10k per year expenditure due to “Best Practices” the CxO thinks that they have mitigated some sort of risk with this expenditure.
Risk Management, done properly, changes all of that. True Risk Management (not what Mr. Parker thinks of, the monolithic, once per year, binder based approach) allows you to create real, usable metrics, prioritize resources, allows business people to make real decisions based on an agreed upon risk tolerance, and really means the CISO can gain control of the organization, and not live in an indefinite state of response.
Risk Management also helps you stop thinking of possibilities (the “big one”) and focus on probabilities. Is it a perfect approach? No, but it’s better than rudderless “Best Practices”. Furthermore, I would argue that with the right framework, you can measure and make decisions on the majority of potential risks. It isn’t possible to be perfect, but it’s possible to be very, very good.
Finally, I would have to argue that risk acceptance is perfectly fine. Even though there are still thousands of warheads pointed at the US, I don’t have a bomb shelter nor am I making plans for the dream home in New Zealand. Why? Because the probability isn’t there. We all do risk management to some extent in our daily routine - whether you realize it or not. Even Mr. Parker. Otherwise, you wouldn’t implement any controls until after it’s been proven to you that a risk exists (i.e. an incident). The challenge is to develop the right framework that drives the proper amount of objectivity into the equation.
I would strongly suggest you check out “Fooled by Randomness” by Nassim Taleb.
Joe Treese Says:
The Wall Street Journal, CFO Magazine and other widely-read business publications periodically publish timelines and lists of major information breaches. The identity-specific information, which has street value and is near-cash to organized criminal groups, nearly always leaves companies’ control through a decidedly non-technology path - people. Look closely at the Boston Globe (recycled subscriber lists wrapped around newspaper bundles delivered to street curbs), Fidelity Investments (a laptop carried outside the company firewalls and intrusion-detection tools by an authorized employee), the Iron Mountain “stolen tape” accounts (multiple) and other recent headliners: in each case, the investments in technology, tools and expertise which were managed by information security programs worked as designed. Problem is, the information was made vulnerable to breach by an authorized individual or process whose inside-access took the information outside the InfoSec protections (as is the case in over 60% of information breaches, if the annual FBI study is accurate).
Unless a firm designs its information protections in the context of the way information flows through the business, and considers all media - paper, fax, unprotected laptops, ineffective asset disposal, even conversation - it has information risks. That, gentlemen, is the definition of an organic malady.
Howell’s definition of information risk management as the superset is right on, and its implication - that InfoSec “walls” could never be built high enough in the absolute, let alone from a cost-justified basis - points out a chilling reality about the naiveté of top executives at many companies who are happy to believe that their “IT guys have it covered”. Companies that have my identity data, and each of yours.
Frank Abagnale (“Catch Me If You Can”) is all over this issue, starting with his “The Art of the Steal” book and especially in his most recent work on identity theft.
Jerome Says:
Information Security was here before the term Information Risk Management. I still want to know what are the baselines, the metrics, and the guiding standards for Information Risk Management. IRM points directly to the security standards and baselines like ISO 27001.
If it sounds like a duck, quacks like a duck, it’s Security. I believe IRM is a marketing scheme for non-security professionals to dictate security controls through business models. Security does use risk management principles to identify threats and to decide whether we should use counter measures (security) to protect this specific asset; then the security control is introduced, and if the control will not be accepted by the company then the risk exception process should be initiated by security. These are the two places in the security model where risk review should be conducted.
Alex Hutton Says: