Ms. Shrdlu over at Layer8 welcomed me to the “Risk-0-Drome” and then did not hesitate to take my previous post to task (or “takes issue with” in her terms) over my claim that ‘A loss form needs to take form in the form of money’. I think there are three points to respond to:
1. Quantifying loss forms in terms of money
2. Quantifying the hard loss forms – reasonably
3. Hayes’ Information Security Risk Management “CMM” Levels (Qualitative vs. Quantitative)
Here are my responses (some of them are posts all in themselves):
POINT 1: Yes! I do think that risk does eventually reduce down to a monetary value. At the end of the risk decision (assuming one occurs), the risk is either mitigated (to an accepted level – thus reduced), ignored, or transferred. The only units of measure available for this amount are effort and product cost, and effort can usually be reduced further to a monetary value. Determining effort in the context of monetary values is an art and science all in itself, but it is not unachievable.
Now, is every security or “risk professional” in a good position to quantify risk? No! Should they be? In a lot of cases, it may NOT be necessary. However, there is an opportunity cost to mitigate, to assess, to respond, or even to think about the impact a risk could have on an organization.
What is reasonable? Reasonable is relative. Reasonable to you and me may literally be a scoff or an afterthought to someone else in the organization. To be honest, if at the end of the assessment a decision maker decides to assume the risk (not going to mitigate it) AND all my ducks are in a row (meaning I did not miss a significant information element that could impact my assessment or a mitigation recommendation), then, assuming I have adequate documentation, I am OK with that individual assuming the risk. Please do not take it as a CYA approach to risk management – it is not. It is merely an acceptance that some decision makers are willing to assume (and / or transfer) risk vs. mitigate it.
POINT 2: Shrdlu also questions whether reputation loss can be measured in terms of money. I think you can. Your company pays for advertising – essentially impressions on consumers. If your company suffers a breach and makes the headlines, you (or your marketing folks) can probably quantify the number of media outlets that reported it, their daily readership, and the cost your company would have spent to advertise in the same outlets for the right reasons. The real struggle is being able to quantify lost business as a result of the negative coverage – but even this could be attempted via sampling.
This type of assessment is pretty in-depth, time intensive and probably not warranted for most risk issues. But even if you cannot quantify some of these hard-to-quantify loss forms, they can still be used to your advantage. I think they fit nicely into the concept of “contributing factors” – factors that factor into the severity of impact or the frequency of loss. The “contributing factors” concept is not explicitly outlined in FAIR, but I think it is implied when justifying various FAIR taxonomy element values, and it can effectively complement those loss forms we can quantify, like productivity loss, replacement, legal, etc.
POINT 3: Not all information risk management groups are able to leverage risk quantification; their risk management efforts may be immature (for lack of a better term), or their management does not require a higher level of sophistication. That is fine. Precision and (reasonable) accuracy are different beasts that cost different amounts of money. While most risk professionals (not necessarily info sec folks) would like to give you 95%, 90% or 80% confidence in their estimates, such a high confidence level may not be necessary to make a well-informed decision.
So, maybe this comes down to an Information Security Risk CMM concept – through the eyes of Hayes:
Level 0: Risk, schmisk – who cares?
Level 1: We know what risk is – our business partners may not understand how it impacts them. It’s a great four-letter word that we can use in conversation, and somewhere in our organization it is talked about outside infosec; sometimes it is even documented. In the probable vs. possible quandary, risk is usually articulated in terms of the possible.
Level 2: Risk is talked about outside information security. We know we need to manage information security risk. We try to document whenever possible (or feasible) and manage appropriately. We understand our business as a whole and are able to properly contextualize risk issues in our environment.
Level 3: We have a defined risk management process. There is a moderate level of information security / risk management governance. It looks good on paper, but it is highly dependent on adequate time and resources to begin even thinking about it being half-way effective. We use terms like LOW, MEDIUM, or HIGH, or maybe “NOTHING TO WORRY ABOUT”, “SOMETHING SHOULD PROBABLY BE DONE”, or “OMG, PUT ON YOUR ‘OH FACE’ and RAISE RED FLAGS”. We try to identify risk issues before they have an opportunity to enter a production environment.
Level 4: We actually try to manage risk. We document, provide mitigation consulting, perform follow-up, and have strong information security / risk management governance. We have inserted ourselves into the SDLC or PLC and critical IT / business processes to ensure some form of coverage. Qualitative labels are OK, but they provide little insight into the organization’s information security risk exposure at a cumulative or aggregate level. In a tight economy, budget justification will come down to “needs” vs. “wants” and cost / benefit decisions, where qualitative labels do not provide much value. We reach out to other risk groups in the company to leverage their data / information as well as their governance, if applicable.
Level 5: All of Level 4, plus integrated risk management across risk disciplines and granular enterprise reporting – this can only be achieved by quantifying risk.
I realize that not all organizations need to manage their risk to the degree of a Level 5. But I would argue that when we articulate risk to decision makers, we need to do so effectively. It should not require slides or numerous meetings, although some risk issues will. Regardless, it should be straightforward and to the point. I have actually practiced the equivalent of an elevator pitch to prepare for meetings where the purpose was to review risk assessments. For some decision makers it may be the only time we get to make a positive impression on her or him – so I would prefer to make it count.
Thanks for stirring up the pot Shrdlu – but it’s not a mudfight yet…
Updated 8/5/2008 – Changed Mr. Shrdlu to Ms. Shrdlu.