<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
		>
<channel>
	<title>Comments on: What Is Risk? &#8211; Follow-Up 1</title>
	<atom:link href="http://risktical.com/2008/08/04/what-is-risk-follow-up-comments/feed/" rel="self" type="application/rss+xml" />
	<link>http://risktical.com/2008/08/04/what-is-risk-follow-up-comments/</link>
	<description>Assessing, Articulating &#38; Quantifying Information Security Risk</description>
	<lastBuildDate>Mon, 31 Oct 2011 20:19:19 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
	<item>
		<title>By: Interesting Information Security Bits for August 4th, 2008 &#171; Infosec Ramblings</title>
		<link>http://risktical.com/2008/08/04/what-is-risk-follow-up-comments/#comment-17</link>
		<dc:creator><![CDATA[Interesting Information Security Bits for August 4th, 2008 &#171; Infosec Ramblings]]></dc:creator>
		<pubDate>Mon, 04 Aug 2008 20:30:53 +0000</pubDate>
		<guid isPermaLink="false">http://risktical.wordpress.com/?p=25#comment-17</guid>
		<description><![CDATA[[...] is easy to use MSN IP Search to find domains on the same IP address as the web page you are reading. Chris Hayes continues his discussion of risk in response to Shrdlu&#8217;s comments on a previous post. Good [...]]]></description>
		<content:encoded><![CDATA[<p>[...] is easy to use MSN IP Search to find domains on the same IP address as the web page you are reading. Chris Hayes continues his discussion of risk in response to Shrdlu&#8217;s comments on a previous post. Good [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Chris Hayes</title>
		<link>http://risktical.com/2008/08/04/what-is-risk-follow-up-comments/#comment-16</link>
		<dc:creator><![CDATA[Chris Hayes]]></dc:creator>
		<pubDate>Mon, 04 Aug 2008 12:56:30 +0000</pubDate>
		<guid isPermaLink="false">http://risktical.wordpress.com/?p=25#comment-16</guid>
		<description><![CDATA[@Shrdlu – Thanks for the comments!

Re: Point 2:  public sector reputation damage – or clients to lose – there is something to lose and that is public trust. Again, it is probably cost prohibitive to sample various constituents and then determine if incident A directly resulted in loss of trust (opinion, unwillingness to vote, etc.). One could even argue that the cost to determine the risk and impact is a starting point for the risk (loss form) we are trying to quantify. So, per my post, I think it is a contributing factor to bundle with another loss form. 

Re: your comments and question for Point 1: I agree with you that a monetary unit of measure may not be the most appropriate throughout the entire risk assessment. But at some point the risk does need to reduce down to a loss event frequency and expected loss in terms of money. 

If you spend $20 and I spend $0.50 + a bus ticket to mitigate or reduce the same risk down to the same level…that would result in a meaningful discussion about the choice of controls (prevent, detect, respond) we each invested in, the ratio of cost to mitigate and the beginning risk, and the ratio of cost to mitigate and the residual risk.

Enjoy your time at BH.]]></description>
		<content:encoded><![CDATA[<p>@Shrdlu – Thanks for the comments!</p>
<p>Re: Point 2:  public sector reputation damage – or clients to lose – there is something to lose and that is public trust. Again, it is probably cost prohibitive to sample various constituents and then determine if incident A directly resulted in loss of trust (opinion, unwillingness to vote, etc.). One could even argue that the cost to determine the risk and impact is a starting point for the risk (loss form) we are trying to quantify. So, per my post, I think it is a contributing factor to bundle with another loss form. </p>
<p>Re: your comments and question for Point 1: I agree with you that a monetary unit of measure may not be the most appropriate throughout the entire risk assessment. But at some point the risk does need to reduce down to a loss event frequency and expected loss in terms of money. </p>
<p>If you spend $20 and I spend $0.50 + a bus ticket to mitigate or reduce the same risk down to the same level…that would result in a meaningful discussion about the choice of controls (prevent, detect, respond) we each invested in, the ratio of cost to mitigate and the beginning risk, and the ratio of cost to mitigate and the residual risk.</p>
<p>Enjoy your time at BH.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: shrdlu</title>
		<link>http://risktical.com/2008/08/04/what-is-risk-follow-up-comments/#comment-15</link>
		<dc:creator><![CDATA[shrdlu]]></dc:creator>
		<pubDate>Mon, 04 Aug 2008 11:21:31 +0000</pubDate>
		<guid isPermaLink="false">http://risktical.wordpress.com/?p=25#comment-15</guid>
		<description><![CDATA[Chris, many thanks for your thoughtful answers.  One quick question:  can you reframe your Point 2 as it applies to the public sector, which by and large does not do advertising and has no &quot;clients&quot; to lose?

As to your Point 1, I do agree with your &quot;reasonableness&quot; argument, but I think you&#039;re conflating the effort/money used to mitigate the risk with the risk itself (because you have definable units, called dollars, to use for the first case).  Just because it&#039;s the only unit available doesn&#039;t mean it&#039;s necessarily the right one -- again, if for no other reason than you can spend varying amounts of money skinning that risk cat different ways, so no matter what the impact and probability are, the amount of money you&#039;ll spend or transfer will be different based on what you care about, can afford, and decide to use.    Let&#039;s say I spend a whopping $20 to mitigate the same risk that my peer manages to mitigate with 50 cents and a bus token.  Was his risk measured to be lower than mine?  Or was I just stupid?

Never mind, don&#039;t answer that last question.  I&#039;m still working on my caffeine levels.]]></description>
		<content:encoded><![CDATA[<p>Chris, many thanks for your thoughtful answers.  One quick question:  can you reframe your Point 2 as it applies to the public sector, which by and large does not do advertising and has no &#8220;clients&#8221; to lose?</p>
<p>As to your Point 1, I do agree with your &#8220;reasonableness&#8221; argument, but I think you&#8217;re conflating the effort/money used to mitigate the risk with the risk itself (because you have definable units, called dollars, to use for the first case).  Just because it&#8217;s the only unit available doesn&#8217;t mean it&#8217;s necessarily the right one &#8212; again, if for no other reason than you can spend varying amounts of money skinning that risk cat different ways, so no matter what the impact and probability are, the amount of money you&#8217;ll spend or transfer will be different based on what you care about, can afford, and decide to use.    Let&#8217;s say I spend a whopping $20 to mitigate the same risk that my peer manages to mitigate with 50 cents and a bus token.  Was his risk measured to be lower than mine?  Or was I just stupid?</p>
<p>Never mind, don&#8217;t answer that last question.  I&#8217;m still working on my caffeine levels.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

