Unless a firm designs its information protections in the context of the way information flows through the business, and considers all media - paper, fax, unprotected laptop’s, ineffective asset disposal, even conversation - it has information risks. That, gentlemen, is the definition of an organic malady.

Howell’s definition of information risk management as the superset is right on, and its implication - that InfoSec “walls” could never be built high enough in the absolute, let alone from a cost-justified basis - points out a chilling reality about the naiveté of top executives at many companies who are happy to believe that their “IT guys have it covered”. Companies that have my identity data, and each of yours.

Frank Abagnale (”Catch Me If You Can”) is all over this issue, starting with his “The Art of the Steal” book and especially in his most recent work on identity theft.

With all due respect to Mr. Parker, he’s a little out of touch. If the CFO came up to Mr. Parker and asked him, “How much risk do I have concerning IT?” Mr. Parker’s answer would be “none”. This, IMHO is more of what you called “silver tongues” selling to C-level execs.

Not that trust management and controls management aren’t important, but our overemphasis on them has led some people to claim that there’s a complete failure - http://www.securityabsurdity.com/failure.php An over reliance on Due Dilligence and Best Practices miscommunicates the true risk of an organization to the ultimate data owners, the CEO/Stockholders/Board. For example, there are about 4,000 Credit Unions and Community Banks out there with completely useless IDS systems in place because auditors have decided that they are “best practices”. The real worth of IDS to a 1 or 0 man InfoSec shop is, of course, negligible - but because they CFO or CEO had to sign off on a $10k per year expenditure due to “Best Practices” the CxO thinks that they have mitigated some sort of risk with this expenditure.

Risk Management, done properly, changes all of that. True Risk Management (not what Mr. Parker thinks of, the monolithic, once per year, binder based approach) allows you to create real, usable metrics, prioritize resources, allows business people to make real decisions based on an agreed upon risk tolerance, and really means the CiSO can gain control of the organization, and not live in an indefinite state of response.

Risk Management also helps you stop think of possibilities (the “big one”) and focus on probabilities. Is it a perfect approach? No, but it’s better than rudderless “Best Practices”. Furthermore, I would argue that with the right framework, you can measure and make decisions on the majority of potential risks. It isn’t possible to be perfect, but it’s possible to be very, very good.

Finally, I would have to argue that risk acceptance is perfectly fine. Even though there are still thousands of warheads pointed at the US, I don’t have a bomb shelter nor am I making plans for the the dream home in New Zealand. Why? Because the probability isn’t there. We all do risk management to some extent in our daily routine - whether you realize it or not. Even Mr. Parker. Otherwise, you wouldn’t implement any controls until after it’s been proven to you that a risk exists (i.e. an incident). The challenge is to develop the right framework that drives the proper amount of objectivity into the equation.

I would strongly suggest you check out “Fooled by Randomness” by Nassim Taleb.

Information Security is not all about “[locking up information] to keep it safe, whether or not that’s the best thing to do with it”. In order for data to become information, it needs to have a value to either you, or a third party. Certain information only has value if it is widely known. For example, your company has a new ‘killer app’ that everyone wants. Your friendly InfoSec practitioner will help you devise communication of that data to assure its availability, retain its integrity and make sure that it’s not confidential. :-) Only if it is communicated does that data become information, I.e. have value.

I like your definition of Information Risk Management, but I have to say that it sounds awfuly lot like part of Information Security. In order to secure information, you need to know what you’re protecting it against. Sometimes you also need to know why you’re protecting it. And for how long. And this is where risk analysis comes in.

Information Risk Management, to me, makes sense.

Security Risk Management? Now that is something I still have trouble with, simply because you can ignore risks. You are allowed; you know them, you decide to ignore them (I.e. accept them), done. Is that a good security stance? No. Also, in order to have a successful security risk analysis, you need to analyse and evaluate all the potential risks, lest you “miss a big one, the one that will hit you square between the eyes, tomorrow morning, just before breakfast”. And that just isn’t possible. As Donald Rumsfeld so eloquently put, there are “unknown unknowns, the ones we don’t know we don’t know”. And those are the bad ones. How do you include those in your risk analysis? Using what metrics exactly?

Donn Parker has a good idea, he’s been saying it for the past few decades: do you due dilligence. That does not mean that you won’t do risk analysis. Of course you will, skipping it isn’t something a dilligent man does. :-)

I really, really like your reasoning, I too see IRM as a more process oriented approach. I think the biggest problem with most IRM today is that a company performs is what I call a “monolithic” approach. We perform a huge risk assessment undertaking once a year and the binder sits there on the shelf. Risk Management, on the other hand, is a much more organic approach, and true risk management must steer the “information security” group. There are daily tasks, from SC&A processes to incident response that demand risk analysis - not just a reactionary, controls/checklist based approach.

Contrast this with Donn Parker’s article in the latest issue of the ISSA journal. It’s really sad to see those sorts of articles being written in today’s business environment.

To me, though, Security is a subset of IRM.