Monday, November 26, 2007

Risk vs Risk

I was talking to somebody and this following paradox occurred to me:

  1. Obviously, all organizations have [some] risk of being successfully attacked by "malicious hackers" (and other threat actors) and thus suffering [some] financial loss (this just reminded of it too)
  2. However, few know what is the chance and amount of said loss, so they ignore it (absorb it) and do nothing
  3. As a result, all sorts of bad things happen (insert TJX, VA, etc) so governments and other bodies create requirements: the "C"-word is born (compliance)
  4. What results is a new threat actor for the organization: an auditor or regulator. Fortunately, this one does have a specific, quantifiable loss amount (e.g. PCI DSS fine) and a more measurable chance of "a successful hit" on the organization
  5. Thus, people pay more attention to this new threat factor since they can grasp what the loss might/will be: they choose to act on the imposed requirements
  6. What results is that their security is improved by a still unknown amount and some money is wasted as well
  7. "Are there yet?" At this point, go back to item #1 and run through this again! Again! Again!

Sounds stupid? This seems to be the world we live in ...

Comment away!

UPDATE: looks like Richard has been thinking about something similar here where he talks that sometimes "achieving compliance may cost more than potential damage" [from an attack].

UPDATE2: Symantec risk report [PDF] mentioned here uses the same approach as Pete says: "To suggest that compliance has its own risk is to acknowledge auditors/regulators as a threat. [...] I am pretty sure they are serious but I suspect auditors and regulators don't see it that way."

UPDATE3: Auditor is a risk? You bet! - says Guerilla CISO here. He then asks a really, really good questions with a really, really bad answer :-) : "Do you think people care about compliance, or do they care more about not being caught out of compliance?"

Technorati tags: , ,

No comments:

Dr Anton Chuvakin