Stuart King over at ComputerWeekly.com is not complimentary about my recent risk assessment blog post. I am happy that Stuart reads this blog, and to his credit he helped welcome me to the blogosphere a few months back.
When I first read his take on my assessment post, I have to admit that I wanted to reach towards the screen with an open hand and ask him to choke himself – but then I flashed back to work and happiness. (Yes, I was a Marine, and my idea of humor is probably a lot different than most folks’.)
After reading Stuart’s post a few more times, I see a significant difference between his idea of a risk assessment and mine. Simply put, I believe in performing “risk assessments”; Stuart believes in doing a “vulnerability assessment”.
The LOW HANGING FRUIT objection. Stuart implies that the approach I use is too time consuming – especially given the length of the post. What Stuart does not mention is that at the end of my post I address this misconception. He also did not state that the assessment I posted, and future assessments, are meant to be training tools for those not familiar with a formal risk assessment approach, especially FAIR.
Next objection: using simple language that the business can understand. I agree with this comment. Most of the assessment analysis that I posted is more technical, given the audience that I know reads this blog. Again though, at the end of the assessment I provided a three-sentence summary for business decision makers.
The most important objection. Stuart states in his blog entry that what I will call his “keep it simple” risk assessment approach is:
1. List the threats.
2. State the level of vulnerability.
3. List operational costs and potential revenue hits.
4. Describe controls and options.
5. Write up who needs to do what; keep track of time.
6. Slap on a high, medium or low qualitative risk label.
Stuart – you have just completed a vulnerability assessment – you are crying WOLF. You are not taking into consideration how often the asset that has the vulnerability is actually being attacked, let alone how often you experience a loss because an attack succeeds. Risk assessments take this into consideration.
As for HIGH, MEDIUM, or LOW – qualitative labels may be a good starting point. But at the end of the day, they still stand in for some loss magnitude. Stick it out there and associate a cost with the risk you are trying to explain, rather than doing a “wet finger in the wind”, gut-feeling check.
I welcome any feedback on my blog entries, and I especially enjoy defending what I believe is a solid approach to a very sought-after discipline within our profession.
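To make the frequency point concrete, here is an added example (my own illustration for this rebuttal, not code from this post or from Stuart’s): the same flaw on two assets, rated once by vulnerability alone and once in FAIR terms. The threat event frequency, vulnerability and loss magnitude figures, and the dollar thresholds for the labels, are constructed numbers, not measurements.

```python
# Added example (not code from the original post): a FAIR-style comparison
# showing why a vulnerability rating alone can "cry wolf". All figures below
# are constructed for illustration, not measured values.
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    tef_per_year: float      # Threat Event Frequency: attacks on the asset per year
    vulnerability: float     # probability that one attack succeeds (0.0 - 1.0)
    loss_magnitude: float    # expected loss per successful attack, in dollars

def loss_event_frequency(s: Scenario) -> float:
    """Loss Event Frequency = how often attacks actually turn into losses."""
    return s.tef_per_year * s.vulnerability

def annualized_loss(s: Scenario) -> float:
    """Annualized loss expectancy = loss events per year * loss per event."""
    return loss_event_frequency(s) * s.loss_magnitude

def vulnerability_label(s: Scenario) -> str:
    """What a vulnerability assessment reports: a label from vulnerability alone."""
    if s.vulnerability >= 0.7:
        return "HIGH"
    return "MEDIUM" if s.vulnerability >= 0.3 else "LOW"

def risk_label(s: Scenario, high: float = 100_000, medium: float = 10_000) -> str:
    """A qualitative label that is still anchored to a cost (constructed thresholds)."""
    ale = annualized_loss(s)
    if ale >= high:
        return "HIGH"
    return "MEDIUM" if ale >= medium else "LOW"

def rank_by_risk(scenarios: list[Scenario]) -> list[str]:
    """Order scenarios by annualized loss, highest first."""
    return [s.name for s in sorted(scenarios, key=annualized_loss, reverse=True)]

# Constructed sample: the same unpatched flaw on two very different assets.
SCENARIOS = [
    Scenario("public web server", tef_per_year=120, vulnerability=0.4, loss_magnitude=50_000),
    Scenario("isolated lab box", tef_per_year=0.5, vulnerability=0.9, loss_magnitude=2_000),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name:18} vuln={vulnerability_label(s):6} risk={risk_label(s):6} "
              f"LEF={loss_event_frequency(s):.2f}/yr ALE=${annualized_loss(s):,.0f}")
```

The lab box rates HIGH on vulnerability alone but LOW once attack frequency and loss are in the picture; the web server goes the other way, which is exactly the inversion a vulnerability assessment cannot see.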



It’s all fair enough points Chris – even the choking part. It’s good to hear somebody passionate about getting the risk assessments right because I think it’s a critical thing that so many get wrong or ignore completely. I suppose that the “right” way is whatever way works best in your present circumstances: fact of the matter is that even given the best set of data, we usually get broadsided by something unexpected.
“I suppose that the “right” way is whatever way works best in your present circumstances: fact of the matter is that even given the best set of data, we usually get broadsided by something unexpected.”
If we’re “usually” getting broadsided – then how can it still be “unexpected”?
Also, if you’re now saying that Chris’ way could be “right” – then I think the right thing to do would be to update your blog post.
Boom and we have a Risk Assessment Chris. Very well put.
On a side note, after training in martial arts most of my life, I’ve come to realize when I picked up Brazilian Jiu-Jitsu that it doesn’t leave a mark. Good call on asking him to choke himself.
[...] November of 2008, I posted a rebuttal regarding Stuart’s dislike for my approach to risk assessments. I am still convinced that [...]