Stuart King over at ComputerWeekly.com is not complementary about my recent risk assessment blog post. I am happy that Stuart reads this blog and to his credit he helped welcome me to the blogosphere a few months back.
When I first read his take on my assessment post, I have to admit that I wanted to reach towards the screen with an open hand and ask him to choke himself – but then I flashed back to work and happiness. (Yes, I was a Marine, and my idea of humor is probably a lot more different then most folks).
After reading Stuart’s post a few more times, there is a significant difference between his idea of a risk assessment and mine. Simply put, I believe in performing “risk assessments”, Stuart believes in doing a “vulnerability assessment”.
The LOW HANGING FRUIT objection. Stuart implies that the approach I use is too time consuming – especially given the length of the post. What Stuart does not put in his post is that at the end of my post I address this misconception. What he also did not state was that the assessment I posted and future assessments are meant to be training tools for those not familiar with a formal risk assessment approach; especially FAIR.
Next, objection – using a simple language that the business can understand. I agree with this comment. Most of the assessment analysis that I posted is more technical given the audience that I know reads this blog. Again though, at the end of the assessment – I provided a three sentence, business / decision maker summary.
The most important objection. Stuart states in his blog entry that his what I will call “keep it simple” risk assessment approach is:
1. List the threats.
2. State the level of vulnerability.
3. List operational costs and potential revenue hits.
4. Describe controls and options.
5. Write up who needs to do what; keep track of time.
6. Slap on a high, medium or low qualitative risk label.
Stuart – you have just completed a vulnerability assessment – you are crying WOLF. You are not taking into consideration “how often your asset that has a vulnerability” is getting attacked let alone how often you experience a loss because of a successful attack. Risk assessments take this into consideration.
As for the HIGH, MEDIUM, or LOW – qualitative labels may be a good starting point. But at the end of the day, they are still representative of some loss magnitude. Stick it out there and associate a cost to the risk you are trying to explain versus doing a “wet finger in the wind”, gut feeling check.
I welcome any feedback on my blog entries and I especially enjoy defending what I believe is a solid approach to a very sought after discipline within our profession.