So this discussion on risk was ignited by Donn Parker's piece (called "Making the Case for Replacing Risk-Based Security") in the "ISSA Journal", but now others have chimed in (and taken sides!). I will blog more on this in the coming days, but for now, here is something to meditate on (a quote from Richard Bejtlich's blog): "As security professionals I agree we are trying to reduce risk, but trying to measure it is a waste of time."
So is this as dumb as it seems? One would think that when you reduce something, you have to know that the something in question actually became smaller, which to me sounds like you need to measure it.
One possible explanation is that one doesn't need to come up with an absolute value of risk; a relative one will suffice. But can we go further in our thought experiment of justifying the above seemingly silly line? Yes, we can! If you've just been compromised, you know which actions will improve security, even if you don't think of them in terms of reducing risk.
Thus, here is the idea to think about: does improving security always "reduce risk"?
[NEW!] Here is another fun bit from the same:
"* Hardly anyone can assess threats.
* Few can identify vulnerabilities comprehensively.
* Some can measure asset value."
What do we have if we multiply the above "numbers"? A true scientific value of risk!!! :-)