Stuart King – Risk Assessment Rebuttal

Stuart King over at ComputerWeekly.com is not complimentary about my recent risk assessment blog post. I am happy that Stuart reads this blog and, to his credit, he helped welcome me to the blogosphere a few months back.

When I first read his take on my assessment post, I have to admit that I wanted to reach towards the screen with an open hand and ask him to choke himself – but then I flashed back to work and happiness. (Yes, I was a Marine, and my idea of humor is probably a lot different from most folks’.)

After reading Stuart’s post a few more times, there is a significant difference between his idea of a risk assessment and mine. Simply put, I believe in performing “risk assessments”, while Stuart believes in doing a “vulnerability assessment”.

The LOW HANGING FRUIT objection. Stuart implies that the approach I use is too time-consuming – especially given the length of the post. What Stuart does not put in his post is that at the end of my post I address this misconception. What he also did not state was that the assessment I posted and future assessments are meant to be training tools for those not familiar with a formal risk assessment approach, especially FAIR.

The next objection: use simple language that the business can understand. I agree with this comment. Most of the assessment analysis that I posted is more technical, given the audience that I know reads this blog. Again though, at the end of the assessment I provided a three-sentence business / decision maker summary.

The most important objection. Stuart states in his blog entry that his risk assessment approach, which I will call “keep it simple”, is:

1. List the threats.
2. State the level of vulnerability.
3. List operational costs and potential revenue hits.
4. Describe controls and options.
5. Write up who needs to do what; keep track of time.
6. Slap on a high, medium or low qualitative risk label.

Stuart – you have just completed a vulnerability assessment – you are crying WOLF. You are not taking into consideration how often the asset that has the vulnerability is getting attacked, let alone how often you experience a loss because of a successful attack. Risk assessments take this into consideration.

As for the HIGH, MEDIUM, or LOW – qualitative labels may be a good starting point. But at the end of the day, they are still representative of some loss magnitude. Stick it out there and associate a cost to the risk you are trying to explain, versus doing a “wet finger in the wind”, gut-feeling check.
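To make the distinction concrete, here is a small worked calculation added as an example (it is not from the original post and not FAIR’s own tooling). It uses the FAIR relationships loss event frequency = threat event frequency × vulnerability and annualized loss = loss event frequency × loss magnitude; the two scenarios, their numbers and the label thresholds are constructed assumptions. Both assets have the same vulnerability, so a vulnerability assessment rates them identically; once attack frequency and cost are included, the risk differs by two orders of magnitude.

```python
from dataclasses import dataclass

# Constructed assumption: qualitative labels tied to annual loss in USD,
# so every HIGH/MEDIUM/LOW can be traced back to a cost.
LABELS = [(10_000, "LOW"), (100_000, "MEDIUM"), (float("inf"), "HIGH")]


@dataclass
class Scenario:
    name: str
    tef: float             # threat event frequency: attacks per year
    vulnerability: float   # probability that an attack succeeds (0..1)
    loss_magnitude: float  # loss per successful attack, USD


def loss_event_frequency(s: Scenario) -> float:
    """FAIR: loss events per year = threat events per year * P(success)."""
    return s.tef * s.vulnerability


def annualized_loss(s: Scenario) -> float:
    """Risk expressed as a cost: loss event frequency * loss magnitude."""
    return loss_event_frequency(s) * s.loss_magnitude


def qualitative_label(ale: float) -> str:
    """Map an annual loss figure onto the label thresholds above."""
    for ceiling, label in LABELS:
        if ale < ceiling:
            return label
    return "HIGH"


def compare(scenarios):
    """Return {name: (annualized loss, label)} for each scenario."""
    return {s.name: (annualized_loss(s), qualitative_label(annualized_loss(s)))
            for s in scenarios}


# Constructed sample: same vulnerability level, very different attack rates.
INTERNET_WEB_APP = Scenario("internet-facing web app", tef=50.0,
                            vulnerability=0.6, loss_magnitude=20_000)
INTERNAL_TOOL = Scenario("internal admin tool", tef=0.5,
                         vulnerability=0.6, loss_magnitude=20_000)

if __name__ == "__main__":
    for name, (ale, label) in compare([INTERNET_WEB_APP, INTERNAL_TOOL]).items():
        print(f"{name}: ${ale:,.0f}/year -> {label}")
```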

I welcome any feedback on my blog entries and I especially enjoy defending what I believe is a solid approach to a very sought-after discipline within our profession.


4 Responses to Stuart King – Risk Assessment Rebuttal

  1. Stuart King says:

    It’s all fair enough points Chris – even the choking part. It’s good to hear somebody passionate about getting the risk assessments right because I think it’s a critical thing that so many get wrong or ignore completely. I suppose that the “right” way is whatever way works best in your present circumstances: fact of the matter is that even given the best set of data, we usually get broadsided by something unexpected.

  2. Nigel Mellish says:

    “I suppose that the “right” way is whatever way works best in your present circumstances: fact of the matter is that even given the best set of data, we usually get broadsided by something unexpected.”

    If we’re “usually” getting broadsided – then how can it still be “unexpected”?

    Also, if you’re now saying that Chris’ way could be “right” – then I think the right thing to do would be to update your blog post.

  3. Phil Agcaoili says:

    Boom, and we have a Risk Assessment, Chris. Very well put.

    On a side note, after training in martial arts most of my life, I’ve come to realize when I picked up Brazilian Jiu-Jitsu that it doesn’t leave a mark. Good call on asking him to choke himself.

  4. […] November of 2008, I posted a rebuttal regarding Stuart’s dislike for my approach to risk assessments. I am still convinced that […]
