Risk Ostrich

The recent “midwest wind storm”, combined with some crazy work activities, has hindered my ability to get in some blog postings. I took a few minutes this morning to quickly peruse some blogs and stumbled across this posting over at Securosis.

I think it is pretty irresponsible for someone to pooh-pooh an emerging discipline in our profession by comparing it to financial risk management. The motive for being able to quantify information security risk is to allow for better decision making and an understanding of the cost of risk to an organization, not to make a profit. More on this in a future posting.

We all know that ostriches appear to bury their heads in the sand. However, apparently it is a myth that they do it because they are scared. They bury their eggs in the dirt or in a hole and once in a while, they stick their head in there to check up on the eggs or do whatever to them.

So, to the blog post author, while you have your head under the dirt checking up on your investment eggs, take another look at those risk quantification eggs.


2 Responses to Risk Ostrich

  1. rmogull says:

    Pretty pictures, but you completely failed to respond to any of the points in my argument.

    Financial risk management is inarguably more mature than security risk management. It is a mature discipline, not an emerging one. In fact, I have yet to see a SINGLE accurate quantified security risk management model that accounts for the points I raised.

    My argument is that just because you quantify something doesn’t mean that it’s precise, accurate, or will lead to better risk decisions. While we need metrics, we have to get away from this game of thinking that if we can just put some number in place it will solve our problems. A guess times a guess is just a wild-assed guess.

    If you can respond to that in a cogent way, I’ll take you seriously.

  2. Chris Hayes says:

    @Rich – Luckily, I leverage a risk methodology that breaks risk into elements that I can numerically represent based off my experience, the data I have available, and with input from other subject matter experts. In addition, the same methodology accounts for my confidence (or lack thereof) in what you refer to as “made up numbers”. There will always be an element of uncertainty with risk. 2006 and 2007 were expected to be some of the worst years on record for hurricanes in the US – and there were no major hurricanes – do we write that off to “made up numbers” as well?

    If the business wants numbers, then we should strive to meet their needs and show value – not bury our heads and admit defeat. How I articulate a risk scenario is probably more important than the risk being represented, because that decision maker knows there is an element of uncertainty and yet a level of reasonableness behind it. And guess what? The decision maker can agree or not agree with my findings. I have had some state the risk is not enough, but very few who thought the risk was more than what was being articulated.

    I understand your frustration and skepticism, but please understand that information security risk quantification is occurring, it is wanted by businesses, it can facilitate cost benefit analysis in terms of risk vs. cost to mitigate, it is not wild guessing or “made up” numbers, and it can result in better decision making. Finally, I do not work for an information security / risk management vendor – I work for a company that understands risk (financial services industry) and embraces these concepts for treating operational risk exposures (information security risks) like product risk.

    What the world would be like if we used qualitative labels for everything that costs money:

    Loaf of bread A: LOW RISK, cost unknown until you get to the register
    Loaf of bread B: HIGH RISK, cost unknown until you get to the register
    Loaf of bread C: MEDIUM RISK, cost unknown until you get to the register
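As an added illustration (not code from the post or from either commenter, and not any particular vendor's methodology), the Python below models the point the two comments argue over: a loss-event frequency estimate multiplied by a loss-magnitude estimate, where each estimate is carried as a low / most-likely / high range so the estimator's confidence is propagated through the product instead of being collapsed into one number. All input values are constructed for the example.

```python
"""Monte Carlo propagation of uncertainty through a simple risk estimate.

Each input is an (low, most_likely, high) range; the width of the range is
how the estimator expresses confidence. Sampling many scenarios shows what
"a guess times a guess" looks like as a distribution rather than a point.
"""
import random
from typing import Dict, List, Tuple

Estimate = Tuple[float, float, float]  # (low, most_likely, high)


def percentile(sorted_values: List[float], p: float) -> float:
    """Nearest-rank percentile of an already sorted list."""
    n = len(sorted_values)
    idx = min(n - 1, max(0, round(p / 100 * n) - 1))
    return sorted_values[idx]


def simulate_annual_loss(frequency: Estimate, loss_per_event: Estimate,
                         samples: int = 20000, seed: int = 42) -> Dict[str, float]:
    """Sample events/year and loss per event from triangular distributions
    and summarise annual loss = frequency * magnitude over many runs."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    f_low, f_mode, f_high = frequency
    l_low, l_mode, l_high = loss_per_event
    # random.triangular takes (low, high, mode)
    annual = sorted(
        rng.triangular(f_low, f_high, f_mode) * rng.triangular(l_low, l_high, l_mode)
        for _ in range(samples)
    )
    return {
        "mean": sum(annual) / samples,
        "p10": percentile(annual, 10),
        "p50": percentile(annual, 50),
        "p90": percentile(annual, 90),
    }


if __name__ == "__main__":
    # Constructed scenario: a recurring loss event with a wide (low-confidence)
    # estimate, then the same scenario with tighter (high-confidence) ranges.
    wide = simulate_annual_loss((0.5, 2.0, 6.0), (20_000, 50_000, 200_000))
    narrow = simulate_annual_loss((1.5, 2.0, 3.0), (40_000, 50_000, 70_000))
    for label, result in (("low confidence", wide), ("high confidence", narrow)):
        print(f"{label}: p10={result['p10']:,.0f} p50={result['p50']:,.0f} "
              f"p90={result['p90']:,.0f} mean={result['mean']:,.0f}")
```

The p10/p90 spread is what the decision maker sees in place of a single LOW/MEDIUM/HIGH label: tighter input ranges give a tighter spread, and the distribution's skew shows how much of the expected loss comes from rare expensive events.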
