What is Risk?

July 31, 2008

Since working for my current employer, I have had the opportunity to interview almost everyone that has joined the team I work on. After a few general ice breaker questions, there are two questions I will always ask (regardless of experience):

  1. What is information security?
  2. What is risk?

It’s amazing the range of answers you will receive, especially on question 2. Interestingly, some of the most accurate answers I have received for #2 were from individuals just breaking into security or relatively inexperienced. Now in all fairness, before I was in the role I am in today, I too probably would not have been able to give a succinct answer to #2. But the bigger point here is that risk means different things to different people, and having a common vernacular is in order – keep reading. Don’t believe me? Go ask your co-workers, or better yet your superiors or business partners, what risk is.

I typically define risk in two ways:

  1. (Short version) – Exposure to loss.

  2. (Long version) – The probability of a threat overcoming the resistance of security controls to exploit a vulnerability, resulting in a loss.

The key words in the long version (probability, threat, security controls, resistance, vulnerability, loss) are the components of risk. The one I want to focus on very briefly is loss. For pretty much every loss form, it all comes down to money: the cost of the asset, the value of the information on the asset, lost productivity, legal and litigation costs, reputation, and so on. A loss form needs to be quantifiable in money if you want to justify the cost of mitigating it. If you cannot quantify loss, all you are left with is how often you expect to lose an asset (or capability), or worse, only letting folks know that a vulnerable condition exists.

Another aspect of risk worth mentioning is the difference between “inherent risk” and “residual risk”. Inherent risk is exposure to loss in the absence of controls. This is often where I find security analysts err, making premature risk statements or risk “proclamations” without a risk assessment methodology: the tendency to gauge risk before factoring in security controls. Residual risk is exposure to loss once security controls are factored into the assessment. This is the risk value we should be communicating to the appropriate decision makers.

Is inherent risk absolutely worthless? No – I do not believe it is. I have ideas about how inherent risk could be used as a measurement of the effectiveness of existing security controls – but that is a different topic for another day.
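As an added worked example (not part of the original post, and not RMI’s FAIR tooling), the following Python script turns the long definition above into arithmetic: a threat event becomes a loss event with the probability that the threat’s capability exceeds the controls’ resistance, and risk is that loss event frequency times the loss magnitude in dollars. It computes inherent risk (control strength forced to zero) and residual risk (controls factored in) for one constructed scenario, then repeats the residual calculation as a seeded Monte Carlo so the inputs can be ranges rather than point values. The scenario numbers, the uniform model of threat capability, and the spreads used in the simulation are assumptions made for illustration.

```python
"""Risk as probability of loss times consequence, with inherent vs. residual risk.

Added example: the scenario numbers below are constructed, and the way threat
capability and control strength are modelled is an assumption, not a standard.
"""
import math
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    threat_event_frequency: float   # expected attempts per year
    threat_capability_low: float    # attacker capability, uniform on [low, high], 0..1 scale
    threat_capability_high: float
    control_strength: float         # control resistance on the same 0..1 scale; 0 = no controls
    loss_magnitude: float           # dollars per loss event: asset, productivity, legal, reputation


def vulnerability(cap_low: float, cap_high: float, control_strength: float) -> float:
    """Probability that one threat event overcomes control resistance.

    With capability uniform on [cap_low, cap_high], this is the share of that
    interval lying above control_strength (assumption: uniform capability model).
    """
    if cap_high <= cap_low:
        raise ValueError("capability range must be non-empty")
    above = cap_high - max(control_strength, cap_low)
    return min(1.0, max(0.0, above / (cap_high - cap_low)))


def annualized_loss(s: Scenario, control_strength: float) -> float:
    """Risk = loss event frequency (expected losses per year) x loss magnitude."""
    vuln = vulnerability(s.threat_capability_low, s.threat_capability_high, control_strength)
    loss_event_frequency = s.threat_event_frequency * vuln
    return loss_event_frequency * s.loss_magnitude


def inherent_risk(s: Scenario) -> float:
    """Exposure to loss in the absence of controls: control strength forced to 0."""
    return annualized_loss(s, 0.0)


def residual_risk(s: Scenario) -> float:
    """Exposure to loss once the scenario's actual controls are factored in."""
    return annualized_loss(s, s.control_strength)


def simulate_residual(s: Scenario, trials: int = 20_000, seed: int = 7) -> dict:
    """Monte Carlo residual risk: inputs as distributions instead of point values.

    Assumed spreads: frequency triangular between 0.5x and 1.5x of the estimate,
    control strength +/-0.1, loss magnitude lognormal around the point estimate.
    Seeded so the run is repeatable.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        tef = rng.triangular(s.threat_event_frequency * 0.5,
                             s.threat_event_frequency * 1.5,
                             s.threat_event_frequency)
        cs = rng.triangular(max(0.0, s.control_strength - 0.1),
                            min(1.0, s.control_strength + 0.1),
                            s.control_strength)
        cap = rng.uniform(s.threat_capability_low, s.threat_capability_high)
        lm = rng.lognormvariate(math.log(s.loss_magnitude), 0.5)
        # A year's threat events only turn into losses if capability beats the controls.
        losses.append(tef * lm if cap > cs else 0.0)
    losses.sort()
    return {
        "mean": sum(losses) / trials,
        "p10": losses[int(0.10 * trials)],
        "p50": losses[int(0.50 * trials)],
        "p90": losses[int(0.90 * trials)],
    }


# Constructed scenario: four attempts a year, attacker capability anywhere from
# 0.2 to 0.9, a control at 0.6 on that scale, $250,000 lost per successful event.
EXAMPLE = Scenario(
    threat_event_frequency=4.0,
    threat_capability_low=0.2,
    threat_capability_high=0.9,
    control_strength=0.6,
    loss_magnitude=250_000.0,
)

if __name__ == "__main__":
    print(f"inherent risk (no controls): ${inherent_risk(EXAMPLE):,.0f} / year")
    print(f"residual risk (controls in): ${residual_risk(EXAMPLE):,.0f} / year")
    sim = simulate_residual(EXAMPLE)
    print("Monte Carlo residual: " + ", ".join(f"{k}=${v:,.0f}" for k, v in sim.items()))
```

For the constructed scenario the deterministic version gives an inherent risk of $1,000,000 a year and a residual risk of roughly $429,000 a year, which is the number a decision maker should see. The Monte Carlo output shows why the point estimate alone is thin: most simulated years produce no loss at all, while the 90th percentile is well above the mean, so the same residual risk can be reported as a range rather than a single figure.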

In summary, the intent of this post is to give my high level thoughts on what risk is. There are circles within our industry that love to theorize and debate the finer points of risk – which has its place – but I would like to think that most of them will agree that risk is the probability of loss times a consequence – usually in terms of money. If you have further interest in the vernacular and definitions of components that I think best make up risk take a look at RMI’s FAIR white paper under the “Risk Analysis Resources” section. Better yet, consider participating in the Open Group Security Forum and their project to develop a risk taxonomy standard – which is based on the FAIR methodology.

The topic for the next post will be around other entities within organizations that perform risk assessments.


It’s All In a Name…Risktical

July 26, 2008

Risktical – To the best of my knowledge, this is not a documented “Bushism”. But it has some zing to it, and it seemed to stick when I was doing a very impromptu mind mapping exercise.

So off we go….

Risk is often thought to be a very complex subject to comprehend – let alone have meaningful discussions about. The reality is that we all probably understand risk better than we think. We make risk based decisions every day, yet rarely are we put in positions to articulate the risk elements that went into a decision, let alone defend our reasoning.

Performing information security risk assessments on IT projects, operational processes, or other business processes is becoming more and more common in organizations of various sizes. This is what I have been doing for the past three years. Yes, I started out as a piece of clay with half a clue about risk – but thanks to great mentors, a great risk framework to work with, some self-study, a risk management organization that takes this discipline seriously, and business leaders that embrace the information we provide them – I am more experienced with understanding risk, more hardened against erring on the side of what is possible rather than what is probable, and more convinced that at the end of the day information security professionals can enable effective decision making.

There are a few words that come to mind when I think of risk and the discipline of assessing risk – all of which influenced the name of this blog.

Mystical / Uncertainty – There are folks that scoff at the idea of being able to classify, or better yet quantify, information security risk. I think it all comes down to one’s comfort with dealing with uncertainty, as well as accepting the fact that this is a fairly new discipline within the information security profession. Are information risk assessment scoffers as skeptical about stock market analysts and their predictions?

Statistics – Uncertainty. Not binary. Probability. Values between 0 and 1. Distributions. We should not underestimate how many people understand risk concepts – especially business executives and decision makers. Understanding basic statistical concepts, as well as being familiar with more advanced ones, is a must for anyone wanting to take this discipline seriously. From my perspective, a methodology that uses sound statistical concepts is going to be easier to defend, and will make it easier for users of the methodology to be consistent in their assessments.

Economics – How and why a business allocates its money matters at all levels of the company. Any business minded person wants to ensure that where they apply their allocated money, it is going to have some positive impact on the business. Within information risk management, these funding decisions can be hard to make. But a decision maker armed with the right information can make risk based decisions that can decrease the overall risk the organization may be facing as well as prove value.

In upcoming posts, I will try to lay out a few foundational topics before analyzing some risk scenarios. Some of these scenarios may be based on current events – others may be modeled on my “imagination”. Regardless, I look forward to sharing my thoughts and having meaningful dialogue.

Coming Soon…

July 24, 2008

A blog about assessing, articulating and quantifying information security risk. Yes, this is considered by some to be the holy grail of information risk management. Enabling decision makers with high-value information to facilitate decision making; this is what I strive towards.

I look forward to sharing thoughts and experiences I have had in this particular discipline as well as learning from others.

Stay tuned!