Comments on: Is The InfoSec Risk Assessor Alone?

By: Recent Links Tagged With "infosec" - JabberTags

Recent Links Tagged With "infosec" - JabberTags — Wed, 29 Oct 2008 17:35:18 +0000

[...] public links >> infosec Is The InfoSec Risk Assessor Alone? Saved by mozu on Tue 28-10-2008 Mager Twitter Tour Saved by MuggleSam on Fri 24-10-2008 Fast, [...]

By: Scientificleader

Scientificleader — Tue, 23 Sep 2008 03:56:57 +0000

@Chris Hayes.
Yes, Chris, I generally agree that one does not undertake stochastic (Real Options) models on ones’ own. But the Enterprise Risk Management Movement appears to me to be an Audit professional attempt at quantifying, among other things, operational risk. Assessment of leadership risks (e.g. unethical leaders who cook the books; decision making acumen) can be measured and included in these as well; but these risk detection and mitigation methods are inherently interdisciplinary; information security professionals would do well to collaborate with finance and industrial psychology experts in this effort. Even if it is impractical to quantify the actual probability of risk or failure (e.g. Value at Risk or VaR), it seems incredibly pragmatic and consistent with the various Enterprise Risk Management frameworks to assess leadership, culture and other operational risks, such as the skill in avoiding the John Drapers AKA Captain Crunches of the world. Thanks for the fast reply

By: Chris Hayes

Chris Hayes — Tue, 23 Sep 2008 00:58:24 +0000

@Scientificleader – To be honest I never knew who Nick Leeson was until you posted; nothing Wikipedia cannot help with (http://en.wikipedia.org/wiki/Nick_Leeson). It is funny you mention this because the shortcomings (failures) in the financial industry are making some information security folks skeptical of information security risk quantification (http://securosis.com/2008/09/17/the-fallacy-of-complete-and-accurate-risk-quantification/). As far as stochastic financial models and their applicability with making good decisions under risk and uncertainty – I have seen such models created for information security risk scenarios – but I have to admit – it was very complex and not practical for the scenarios they were created for – probably not practical for the derived risk value compared to the effort it took to create the model. Also, it seems to be unpractical for information security risk assessors to be able to create such risk models. Thanks for leaving a comment!

By: scientificleader

scientificleader — Mon, 22 Sep 2008 21:11:36 +0000

Good thoughts. I’m surprised that the ERM framework doesn’t do more around the practical issues of leaders making good decisions under risk and uncertainty (e.g. stochastic financial models that include good human measurement). I’m excited about helping folks do a better job with these sorts of risks – remember Nick Leeson of Barings Bank infamy?

By: Chris Hayes

Chris Hayes — Tue, 12 Aug 2008 00:51:21 +0000

Thanks for the comments Chris and Christian! I look forward to posting more and am glad that some of these posts are being read and pondered! Stay tuned!

By: Christian

Christian — Mon, 11 Aug 2008 02:13:34 +0000

Really enjoyed this post. I liked the pragmatic approach you’ve used to describe these first steps for organising risk assessment capabilities. Even though I work within a dedicated risk team, I still found value in your comments.

I especially like point 2 and can’t wait for you to elaborate on that issue. I’ve seen too many times that a lot of work gets done at the front of a risk assessment, but then effort tapers off to nothing. I think there’s a lot of merit in assisting with the process end to end, not only helping with identifying mitigants, but perhaps assisting in assuring that those mitigants have been effective as well.

Great post!

Re,

By: Chris

Chris — Mon, 11 Aug 2008 01:41:28 +0000

Good post. You aren’t alone, I can attest to your tactics here. Approach is everything through (“I’m here to help, here’s how”).

I started a new job and tried to preach a risk management doctrine which got nowhere until an incident occurred. Which was tied to something that I had identified as a risk two months earlier. I quickly became the guy that was listened to. I was “lucky” to have the incident that caused their awakening.

The results are good for me so far.