Comments on: Security isn’t risk management? Say it isn’t so!

by: Chandler Howell

Thu, 17 Jan 2008 20:16:06 +0000

Alex,

That’s exactly what I’m working on doing. Of course, that requires a certain level of intellectual ability and honesty that I find more of in some corners of the organization than others.

Unfortunately, while I may be using all of the analytical and Risk Management tools in my box to measure and explain risk, there are certain corners of the world that truly don’t give a damn about any of the issues I’m raising and only respond to my turning their project yellow.

I think you know that just because I am sometimes forced to use blunt objects to make people do the Right Thing, that doesn’t mean that the methodology by which I decided to wield that object was just as blunt.

When it comes to managing risk, I’d like buy-in, but will settle for compliance if that’s all I can get.

by: Beautiful Probability | RiskAnalys.is

Wed, 16 Jan 2008 21:47:19 +0000

[…] Love it, because it is useful to you now. Re-read the above. Note that this is what we should be doing - not working with faulty laws/models like risk=controlsXvulnerability/impact, or threatening to turn some project “yellow” because we are the subject matter expert (which is essentially saying that we are above the law set out in a Bayesian network for risk). Think laws, not tools. Needing to calculate approximations to a law doesn’t change the law. Planes are still atoms, they aren’t governed by special exceptions in Nature for aerodynamic calculations. The approximation exists in the map, not in the territory. You can know the second law of thermodynamics, and yet apply yourself as an engineer to build an imperfect car engine. The second law does not cease to be applicable; your knowledge of that law, and of Carnot cycles, helps you get as close to the ideal efficiency as you can. […]

by: alex

Fri, 11 Jan 2008 15:32:41 +0000

“As a result, I spend a lot more time trying to explain to people why we’re all sitting on the phone or in a room together, especially given that their default viewpoints are
1) The incident in question Never Will Happen
2) I’m probably about to turn their project status Yellow and thus must be opposed with all their mortal vigor”

Hi Chandler!

I’m glad you’re blogging more frequently.

If I may make a suggestion about the above - Doing one thing will solve both those problems.

Express risk as a derived value (like speed - km/hr). If you use incidents per annum/cost per incident using probability theory, you’ll help yourself because you are telling them how probable the incident is. Do it in a consistent, defensible way and they will be hard pressed to rationally argue with your conclusions.

Second, by ditching the red/yellow/green and giving them actual metrics you’ll remove the perception of arbitrary risk rating. Preferably they should sign off on their own risk, but at least you’re saying “hey, there’s a good probability that sometime in the next 5 years you’re going to have to pony up $2,000,000 for an incident because you won’t spend $800,000 on a test environment” instead of “I warned you, but you wouldn’t listen so now you’re yellow. In fact, you’re borderline orange, and you don’t want to get close to red, believe me.”