It’s All In a Name…Risktical

Risktical – To the best of my knowledge, this is not a documented “Bushism”. But it has some zing to it and it seemed to stick when I was doing a very impromptu mind mapping exercise.

So off we go….

Risk is often thought to be a very complex subject to comprehend – let alone have meaningful discussions about. The reality is that we all probably understand risk better than we think. We make risk based decisions every day – but we are rarely put in positions to articulate the risk elements that went into a decision, let alone defend our reasoning.

Performing information security risk assessments on IT projects, operational processes, or other business processes is becoming more and more common in organizations of various sizes. This is what I have been doing for the past three years. Yes, I started out as a piece of clay with half a clue about risk – but thanks to great mentors, a great risk framework to work with, some self-study, a risk management organization that takes this discipline seriously, and business leaders that embrace the information we provide them – I am more experienced with understanding risk, more disciplined about reasoning from probability rather than mere possibility, and more convinced that at the end of the day information security professionals can enable effective decision making.

There are a few words that come to mind when I think of risk and the discipline of assessing risk – all of which influenced the name of this blog.

Mystical / Uncertainty – There are folks that scoff at the idea of being able to classify, or better yet quantify, information security risk. I think it all comes down to how comfortable a person is with dealing with uncertainty, as well as accepting the fact that this is a fairly new discipline within the information security profession. Are information risk assessment scoffers as skeptical about stock market analysts and their predictions?

Statistics – Uncertainty. Not binary. Probability. Values between 0 and 1. Distributions. We should not underestimate how many people understand risk concepts – especially business executives and decision makers. Understanding basic statistical concepts, as well as being familiar with more advanced statistical concepts, is a must for anyone wanting to take this discipline seriously. From my perspective, a methodology built on sound statistical concepts is going to be easier to defend, and will make it easier for users of the methodology to be consistent in their assessments.

Economics – How and why a business allocates its money matters at all levels of the company. Any business minded person wants to ensure that wherever they apply their allocated money, it is going to have some positive impact on the business. Within information risk management, these funding decisions can be hard to make. But a decision maker armed with the right information can make risk based decisions that decrease the overall risk the organization faces, as well as prove value.

In upcoming posts, I will try to lay out a few foundational topics before analyzing some risk scenarios. Some of these scenarios may be based on current events – others may be modeled based on my “imagination”. Regardless, I look forward to sharing my thoughts and having meaningful dialogue.


5 Responses to It’s All In a Name…Risktical

  1. Alex says:

    Risktical does well, IMHO. You’ve got that odd probability theory/quantum thing going on where it exists but we cannot “know” it. It is there but you cannot touch it. And in some instances, like the universe, it does not exist unless it is observed*.

    * at least that’s a theory I read about last month somewhere.

  2. Adrius42 says:

    I sense the potential for one of my big bug-a-boos: are we teaching our business partners to fish or handing them pre-prepared (one of my favourite non words!) fish fingers? Your blog had the potential of signalling the latter?!

    There were also clues to the former, which side of the fence are you on?

    Do we wizards do the appropriate assessment and hand down our wisdom so the business plebeians can make their hum drum decisions or…

  3. Chris Hayes says:

    @Alex – Thanks for the deep thoughts. At some point I want to write something about “virtual risk”.

    @Adrius42 – Thank you for commenting. I am not 100% certain of what specifically you are alluding to with the whole ‘teaching business partners to fish’ or ‘handing them pre-prepared fish fingers’ analogy; business partners doing the assessments or business partners making the decisions?

    I would not expect our business partners to perform the risk assessment(s) themselves. However, I do feel that they will perform a mental exercise to validate what has been put in front of them. They may use a different vernacular (upcoming post) but they do understand risk concepts. Regarding decision making, the reality is that in most organizations the information security group (or sole member) cannot make the decision to shift resources to mitigate risk – because most of the issues reside outside their span of control. So we can make recommendations on which risk issues should be mitigated and options for mitigation – and then let the appropriate (could be either IT or business partner) decision maker do what they are paid to do – make the tough decisions.

    Let me know if this does not clear up what side of the fence you think I am on. Thanks again for commenting!

  4. adrius42 says:

    Hmm. Please don’t say that thought out loud in front of my business partners.
    The term swaddling clothes springs to mind. The start of your blog was much more aligned with my thinking: we humans are Risk Engines, it is built into our genes; you only have to read the Darwin Awards to realise failure to understand risk concepts is a key factor in gene pool elimination! Now I agree we don’t have a good language to share said concepts (watch out for the Open Group’s upcoming “FAIR” publication). This is a sticky semantic topic – they can make the risk decision, but they don’t understand risk concepts! I am confident (I think) that you don’t mean they have to make the decision your assessment tells them to..

    Surely the act of taking a risk is by default a business act?

    Our goal has been to teach them the concepts to facilitate the dialogue and to allow better risk management, but when all is said and done, systematising an entrepreneur’s “gut instincts” is not one of our goals!

  5. Chris Hayes says:

    @Adrius42 – Regarding my vernacular – FAIR is all I have been using for the past three years. For the majority of these posts moving forward, my vernacular will revolve around the FAIR methodology and its individual taxonomy elements. However, when I collaborate with other risk groups in an enterprise (like “enterprise risk management”, “capital risk management”, internal auditors, the legal groups, and various product risk groups) we have to be mindful of their vernacular as well. This idea is a separate post.

    Regarding the decision that the decision makers make and whether or not it has to be based on our assessment – no, of course not. But I have found that reasonable people are able to balance the information I provide them with the decision they need to make.

    I am not a fan of “gut instincts” or “risk proclamations”. While I may have initial thoughts on risk for any given scenario, I always preface it with “I would need to assess this within our framework…”. Finally, assuming risk for the most part is a decision of the person who is authorized to assume the risk. It may be the business partner or an IT partner that has been delegated that responsibility.
