This is from last month, but I’m slow some days. Anton Chuvakin is shocked! Shocked, I say! that an as-yet unpublished survey says most people view IT Security as separate from IT Risk:

How can security be THAT disconnected from risk? Can somebody explain this to me? (Please don’t explain by stating “crappy survey methodology” - I can pull this one myself, thank you very much :-))
What I find most interesting about this is that he found it newsworthy, especially given his overall strong level of understanding of what people really do with regards to security (e.g. his accurate 2007 predictions, which I agree with myself). Rant-worthy? Maybe if I need to vent, but other than that, not so much.
Of course, this is a topic that I’ve written any number of posts about in the past, so I’ll let this be a bit of a retrospective, then I can get back to digging for the quote from Anton’s blog that I need for the presentation I’m putting together.
First, I’ll provide my definitions of IT Security versus Risk Management:
Information Security is the practice of designing and implementing countermeasures and other preventative (usually technical) controls on information. Security experts tend to understand the nuances of their tools, but all too often fall prey to the adage that, “When your only tool is a hammer, every problem begins to look a lot like a nail.”
Information Risk Management (IRM) is the practice of determining which Information Assets need protection and what level of protection is required, then determining appropriate methods of achieving that level of protection by understanding the applicable vulnerabilities, threats and countermeasures.
Moving this dichotomy into the real world, let’s re-visit what happens when we try to explain a potential risk to people. First, I think of Niels Bohr, who famously pointed out (albeit in a different context), that “Prediction is hard, especially about the future.”
Picking frequency or likelihood of occurrence doesn’t do us much good since, unfortunately, there are only two levels of likelihood in most people’s minds when dealing with risk:
Definitely will happen (probability 1) — i.e. worms or viruses. In the eyes of The Business, things only move into this category after technology solutions exist, which I should be busy providing instead of wasting their time with meetings and trying to turn their project’s status to Yellow.
Never will happen (probability 0) — i.e. systems intrusions by skilled attackers resulting in a massive loss of data, or a hurricane destroying New Orleans. (Note: this eventually gets turned into, “Definitely will happen,” but only after it’s too late to do anything about it. For further reading, see Code Red, SQL Slammer, or anything in Adam Shostack’s privacy breach category.)
…
As a result, I spend a lot more time trying to explain to people why we’re all sitting on the phone or in a room together, especially given that their default viewpoints are
1) The incident in question Never Will Happen
2) I’m probably about to turn their project status Yellow and thus must be opposed with all their mortal vigor
This is a fight I’ve been fighting here in my new role as I try to help people understand risk and the idea of managing to a desired level of risk. Risk and Loss Tolerance are, I’m realizing, much more difficult concepts than I’d apparently given them credit for. The idea that “more secure” is not inherently better is apparently too counter-intuitive for some people to understand, and the idea that I would even imply such a thing means that I’m not a Real Security Guy. I’ve pretty much worn out Schneier’s bullet-proof vest example from Beyond Fear, to questionable-at-best effect.
So unfortunately, Anton, I’d argue that, if anything, the survey was probably spot-on, other than that the first response (ISM is part of a risk management strategy) is probably inflated.
“As a result, I spend a lot more time trying to explain to people why we’re all sitting on the phone or in a room together, especially given that their default viewpoints are
1) The incident in question Never Will Happen
2) I’m probably about to turn their project status Yellow and thus must be opposed with all their mortal vigor”
Hi Chandler!
I’m glad you’re blogging more frequently.
If I may make a suggestion about the above - Doing one thing will solve both those problems.
Express risk as a derived value (like speed - km/hr). If you use incidents per annum/cost per incident using probability theory, you’ll help yourself because you are telling them how probable the incident is. Do it in a consistent, defensible way and they will be hard pressed to rationally argue with your conclusions.
Second, by ditching the red/yellow/green and giving them actual metrics you’ll remove the perception of arbitrary risk rating. Preferably they should sign off on their own risk, but at least you’re saying “hey, there’s a good probability that sometime in the next 5 years you’re going to have to pony up $2,000,000 for an incident because you won’t spend $800,000 on a test environment” instead of “I warned you, but you wouldn’t listen so now you’re yellow. In fact, you’re borderline orange, and you don’t want to get close to red, believe me.”
[…] Love it, because it is useful to you now. Re-read the above. Note that this is what we should be doing - not working with faulty laws/models like risk=controlsXvulnerability/impact, or threatening to turn some project “yellow” because we are the subject matter expert (which is essentially saying that we are above the law set out in a Bayesian network for risk). Think laws, not tools. Needing to calculate approximations to a law doesn’t change the law. Planes are still atoms, they aren’t governed by special exceptions in Nature for aerodynamic calculations. The approximation exists in the map, not in the territory. You can know the second law of thermodynamics, and yet apply yourself as an engineer to build an imperfect car engine. The second law does not cease to be applicable; your knowledge of that law, and of Carnot cycles, helps you get as close to the ideal efficiency as you can. […]
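The “derived value” idea from the comment above, worked through as an added example (not code from the post or from any commenter): risk is expressed as incidents per year times cost per incident, the chance of at least one incident in the planning window is taken from a Poisson arrival model, and the result is compared against the cost of a control. The $2,000,000 incident, the $800,000 test environment and the 5-year window come from the comment; the incident rate of 0.25 per year and the 80% frequency reduction are constructed assumptions.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """A loss scenario stated as derived quantities rather than a colour."""
    incidents_per_year: float   # estimated event frequency (lambda)
    cost_per_incident: float    # single-loss expectancy, in dollars
    horizon_years: float        # planning window the business cares about

    def annual_expected_loss(self) -> float:
        # Annualized loss expectancy: frequency x magnitude, the "km/hr" of risk.
        return self.incidents_per_year * self.cost_per_incident

    def expected_loss_over_horizon(self) -> float:
        return self.annual_expected_loss() * self.horizon_years

    def p_at_least_one(self) -> float:
        # Poisson arrivals: P(at least one incident in T years) = 1 - exp(-lambda * T).
        return 1.0 - math.exp(-self.incidents_per_year * self.horizon_years)


def control_value(scenario: RiskScenario, control_cost: float,
                  rate_reduction: float) -> tuple[float, float]:
    """Return (loss avoided, net benefit) for a control that cuts frequency."""
    mitigated = RiskScenario(scenario.incidents_per_year * (1.0 - rate_reduction),
                             scenario.cost_per_incident, scenario.horizon_years)
    avoided = scenario.expected_loss_over_horizon() - mitigated.expected_loss_over_horizon()
    return avoided, avoided - control_cost


def breakeven_rate(cost_per_incident: float, horizon_years: float,
                   control_cost: float, rate_reduction: float) -> float:
    """Smallest incident rate at which the control pays for itself over the horizon."""
    return control_cost / (cost_per_incident * horizon_years * rate_reduction)


# Figures from the comment plus constructed assumptions for rate and reduction.
SCENARIO = RiskScenario(incidents_per_year=0.25, cost_per_incident=2_000_000, horizon_years=5)
TEST_ENV_COST = 800_000      # the control the business is declining to fund
RATE_REDUCTION = 0.8         # assumed: test environment removes 80% of the incident frequency

if __name__ == "__main__":
    avoided, net = control_value(SCENARIO, TEST_ENV_COST, RATE_REDUCTION)
    print(f"P(>=1 incident in {SCENARIO.horizon_years:g} yrs) = {SCENARIO.p_at_least_one():.2f}")
    print(f"expected 5-year loss = ${SCENARIO.expected_loss_over_horizon():,.0f}")
    print(f"loss avoided by control = ${avoided:,.0f}, net benefit = ${net:,.0f}")
    print(f"control breaks even above {breakeven_rate(2_000_000, 5, TEST_ENV_COST, RATE_REDUCTION):.2f} incidents/yr")
```

Because every input is a stated number, anyone who disagrees has to argue with a specific rate or cost rather than with a colour, which is the point of the comment.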
Chandler Howell Says:
Alex,
That’s exactly what I’m working on doing. Of course, that requires a certain level of intellectual ability and honesty that I find more of in some corners of the organization than others.
Unfortunately, while I may be using all of the analytical and Risk Management tools in my box to measure and explain risk, there are certain corners of the world that truly don’t give a damn about any of the issues I’m raising and only respond to my turning their project yellow.
I think you know that just because I am sometimes forced to use blunt objects to make people do the Right Thing, that doesn’t mean that the methodology by which I decided to wield that object was just as blunt.
When it comes to managing risk, I’d like buy-in, but will settle for compliance if that’s all I can get.
alex Says: