<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
		>
<channel>
	<title>Comments on: Risk Ostrich</title>
	<atom:link href="http://risktical.com/2008/09/19/risk-ostrich/feed/" rel="self" type="application/rss+xml" />
	<link>http://risktical.com/2008/09/19/risk-ostrich/</link>
	<description>Assessing, Articulating &#38; Quantifying Information Security Risk</description>
	<lastBuildDate>Mon, 31 Oct 2011 20:19:19 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
	<item>
		<title>By: Chris Hayes</title>
		<link>http://risktical.com/2008/09/19/risk-ostrich/#comment-72</link>
		<dc:creator><![CDATA[Chris Hayes]]></dc:creator>
		<pubDate>Fri, 19 Sep 2008 16:39:44 +0000</pubDate>
		<guid isPermaLink="false">http://risktical.wordpress.com/?p=77#comment-72</guid>
		<description><![CDATA[@Rich – Luckily, I leverage a risk methodology that breaks risk into elements that I can numerically represent based off my experience, the data I have available, and with input from other subject matter experts. In addition, the same methodology accounts for my confidence (or lack thereof) in what you refer to as “made up numbers”. There will always be an element of uncertainty with risk. 2006 and 2007 were expected to be some of the worst years on record for hurricanes in the US – and there were no major hurricanes – do we write that off to “made up numbers” as well?

If the business wants numbers, then we should strive to meet their needs and show value – not bury our head and admit defeat. How I articulate a risk scenario is probably more important than the risk being represented because that decision maker knows there is an element of uncertainty and yet a level of reasonableness behind it. And guess what? The decision maker can agree or not agree with my findings. I have had some state the risk is not enough but very few who thought the risk was more than what was being articulated.

I understand your frustration and skepticism, but please understand that information security risk quantification is occurring, it is wanted by businesses, it can facilitate cost benefit analysis in terms of risk vs. cost to mitigate, it is not wild guessing or “made up” numbers, and it can result in better decision making. Finally, I do not work for an information security / risk management vendor – I work for a company that understands risk (financial services industry) and embraces these concepts for treating operational risk exposures (information security risks) like product risk.

What the world would be like if we used qualitative labels for everything that costs money:

Loaf of bread A: LOW RISK, cost unknown until you get to the register
Loaf of bread B: HIGH RISK, cost unknown until you get to the register
Loaf of bread C: MEDIUM RISK, cost unknown until you get to the register

Thoughts?]]></description>
		<content:encoded><![CDATA[<p>@Rich – Luckily, I leverage a risk methodology that breaks risk into elements that I can numerically represent based off my experience, the data I have available, and with input from other subject matter experts. In addition, the same methodology accounts for my confidence (or lack thereof) in what you refer to as “made up numbers”. There will always be an element of uncertainty with risk. 2006 and 2007 were expected to be some of the worst years on record for hurricanes in the US – and there were no major hurricanes – do we write that off to “made up numbers” as well?</p>
<p>If the business wants numbers, then we should strive to meet their needs and show value – not bury our head and admit defeat. How I articulate a risk scenario is probably more important than the risk being represented because that decision maker knows there is an element of uncertainty and yet a level of reasonableness behind it. And guess what? The decision maker can agree or not agree with my findings. I have had some state the risk is not enough but very few who thought the risk was more than what was being articulated.</p>
<p>I understand your frustration and skepticism, but please understand that information security risk quantification is occurring, it is wanted by businesses, it can facilitate cost benefit analysis in terms of risk vs. cost to mitigate, it is not wild guessing or “made up” numbers, and it can result in better decision making. Finally, I do not work for an information security / risk management vendor – I work for a company that understands risk (financial services industry) and embraces these concepts for treating operational risk exposures (information security risks) like product risk.</p>
<p>What the world would be like if we used qualitative labels for everything that costs money:</p>
<p>Loaf of bread A: LOW RISK, cost unknown until you get to the register<br />
Loaf of bread B: HIGH RISK, cost unknown until you get to the register<br />
Loaf of bread C: MEDIUM RISK, cost unknown until you get to the register</p>
<p>Thoughts?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: rmogull</title>
		<link>http://risktical.com/2008/09/19/risk-ostrich/#comment-71</link>
		<dc:creator><![CDATA[rmogull]]></dc:creator>
		<pubDate>Fri, 19 Sep 2008 15:20:42 +0000</pubDate>
		<guid isPermaLink="false">http://risktical.wordpress.com/?p=77#comment-71</guid>
		<description><![CDATA[Pretty pictures, but you completely failed to respond to any of the points in my argument. 

Financial risk management is inarguably more mature than security risk management. It is a mature discipline, not an emerging one. In fact, I have yet to see a SINGLE accurate quantified security risk management model that accounts for the points I raised. 

My argument is that just because you quantify something doesn&#039;t mean that it&#039;s precise, accurate, or will lead to better risk decisions. While we need metrics, we have to get away from this game of thinking that if we can just put some number in place it will solve our problems. A guess times a guess is just a wild assed guess.

If you can respond to that in a cogent way, I&#039;ll take you seriously.]]></description>
		<content:encoded><![CDATA[<p>Pretty pictures, but you completely failed to respond to any of the points in my argument. </p>
<p>Financial risk management is inarguably more mature than security risk management. It is a mature discipline, not an emerging one. In fact, I have yet to see a SINGLE accurate quantified security risk management model that accounts for the points I raised. </p>
<p>My argument is that just because you quantify something doesn&#8217;t mean that it&#8217;s precise, accurate, or will lead to better risk decisions. While we need metrics, we have to get away from this game of thinking that if we can just put some number in place it will solve our problems. A guess times a guess is just a wild assed guess.</p>
<p>If you can respond to that in a cogent way, I&#8217;ll take you seriously.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

