Since working for my current employer, I have had the opportunity to interview almost everyone who has joined the team I work on. After a few general ice-breaker questions, there are two questions I will always ask (regardless of experience):
- What is information security?
- What is risk?
It’s amazing the range of answers you will receive – especially on question 2. Interestingly, some of the most accurate answers I have received for #2 came from individuals just breaking into security or relatively inexperienced. Now, in all fairness, before I was in the role I am in today, I too probably would not have been able to give a succinct answer to #2. But the bigger point here is that risk means different things to different people, and a common vernacular is in order – keep reading. Don’t believe me? Go ask your co-workers, or better yet your superiors or business partners, what risk is.
I typically define risk in two ways:
- (Short version) – Exposure to loss.
- (Long version) – The probability of a threat overcoming the resistance of security controls to exploit a vulnerability, resulting in a loss.
Each of the key terms in the long version (probability, threat, security controls, resistance, vulnerability, loss) is a component of risk. But the one word I want to focus on very briefly is loss. For pretty much every loss form, it all comes down to money: the cost of the asset, the value of the information on the asset, lost productivity, legal / litigation costs, reputation – you get the drift. A loss form needs to be quantifiable in money if you want to justify the cost of mitigating it. If you cannot quantify loss, all you are left with is how often you expect to lose an asset (or capability) or, worse, merely letting folks know that a vulnerable condition exists.
Another aspect of risk that I think is worth mentioning is the difference between “inherent risk” and “residual risk”. Inherent risk is exposure to loss in the absence of controls. This is where I often find security analysts erring: making premature risk statements or risk “proclamations” without a risk assessment methodology, gauging risk before factoring in security controls. Residual risk is exposure to loss once security controls are factored into the assessment. This is the risk value we should be communicating to the appropriate decision makers.
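To make the long definition, the money-denominated loss forms and the inherent/residual distinction concrete, here is an added example (my own illustration, not from the post or from FAIR). It assumes a deliberately simplified model in which each threat event succeeds with probability threat_capability × (1 − control_resistance), and all dollar figures are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class LossForms:
    """The loss forms named in the post, each expressed in money (constructed values)."""
    asset_cost: float = 0.0
    information_value: float = 0.0
    lost_productivity: float = 0.0
    legal_costs: float = 0.0
    reputation: float = 0.0

    def total(self) -> float:
        return (self.asset_cost + self.information_value + self.lost_productivity
                + self.legal_costs + self.reputation)

@dataclass
class Scenario:
    # Assumed simplification, not a standard: threat attempts per year, the share of
    # attempts the threat is capable of completing, and the probability that the
    # controls in place resist a capable attempt (0.0 means no controls at all).
    threat_events_per_year: float
    threat_capability: float
    control_resistance: float
    loss: LossForms

def expected_annual_loss(s: Scenario, control_resistance: Optional[float] = None) -> float:
    """Probability of loss times consequence, summed over a year."""
    resistance = s.control_resistance if control_resistance is None else control_resistance
    vulnerability = s.threat_capability * (1.0 - resistance)  # threat overcomes the controls
    return s.threat_events_per_year * vulnerability * s.loss.total()

def inherent_risk(s: Scenario) -> float:
    """Exposure to loss in the absence of controls."""
    return expected_annual_loss(s, control_resistance=0.0)

def residual_risk(s: Scenario) -> float:
    """Exposure to loss with the existing controls factored in."""
    return expected_annual_loss(s)

def mitigation_justified(s: Scenario, resistance_after: float, annual_cost: float) -> Tuple[float, bool]:
    """Reduction in residual risk a proposed control buys, and whether it exceeds the control's cost."""
    reduction = residual_risk(s) - expected_annual_loss(s, control_resistance=resistance_after)
    return reduction, reduction > annual_cost

# Constructed sample: a server whose compromise costs $100,000 across the loss forms.
SAMPLE = Scenario(threat_events_per_year=10, threat_capability=0.5, control_resistance=0.8,
                  loss=LossForms(asset_cost=5_000, information_value=50_000,
                                 lost_productivity=20_000, legal_costs=15_000, reputation=10_000))

if __name__ == "__main__":
    print(f"inherent risk: ${inherent_risk(SAMPLE):,.0f}/yr, residual risk: ${residual_risk(SAMPLE):,.0f}/yr")
    print(mitigation_justified(SAMPLE, resistance_after=0.9, annual_cost=40_000))
```

Note how the inherent figure overstates exposure five-fold once the existing controls are factored in, which is why the residual figure is the one to put in front of decision makers.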
Is inherent risk absolutely worthless? No – I do not believe it is. I have ideas about how inherent risk could be used as a measurement of the effectiveness of existing security controls – but that is a different topic for another day.
In summary, the intent of this post is to give my high-level thoughts on what risk is. There are circles within our industry that love to theorize and debate the finer points of risk – which has its place – but I would like to think that most of them will agree that risk is the probability of loss times a consequence, usually expressed in money. If you have further interest in the vernacular and definitions of the components that I think best make up risk, take a look at RMI’s FAIR white paper under the “Risk Analysis Resources” section. Better yet, consider participating in the Open Group Security Forum and its project to develop a risk taxonomy standard, which is based on the FAIR methodology.
The topic of the next post will be the other entities within organizations that perform risk assessments.