Finally, I got my hands on the famous “Risks of Risk-Based Security” by Donn Parker, published in “Comm. of ACM” March 2007/Vol. 50, No. 3 (thanks for obtaining the paper for me, Mike!)
Juicy quotes follow:
“Management deals with risks every day, and risk reduction justification makes it too easy to accept security vulnerabilities in exchange for other benefits.” [A.C. – it is interesting that Donn doesn’t just say that ‘risk is not a good approach,’ he blames “risk thinking” for a whole lot of today’s security problems!]
“It is relatively easy to justify increased security to stop or control ongoing significant loss incidents such as virus attacks—because they are certainties, rather than intangible security risks.” [A.C. – now communicating to management that these are indeed certainties remains a problem, of course]
“Information security departments have attempted to justify expending security resources to address these rare problems [A.C. – such as whatever ‘advanced’ attacks and not the certainties mentioned above] by managing and reducing security risks. To manage, they must control; to control, they try to measure the benefits of information security “scientifically” based on risk reduction. However, security risk reduction is generally not measurable.” [A.C. – thus reducing the reduction to guessing]
Key quote: “Security risk is different than measurable business risk that consists of voluntarily investing resources to produce a profit or meet a goal. Security risk is not measurable, because the frequencies and impacts of future incidents are mutually dependent variables with unknown mutual dependency under control of unknown and often irrational enemies with unknown skills, knowledge, resources, authority, motives, and objectives—operating from unknown locations at unknown future times with the possible intent of attacking known but untreated vulnerabilities and vulnerabilities that are known to the attackers but unknown to the defenders.”
“… risks are related in unknown complex ways so that reducing one risk may increase or decrease other risks. […] You never know what amount of liability, litigation, or secondary effects may ensue after even a minor incident.” [A.C. – risk ‘butterfly effect,’ anybody? :-)]
“There are too many interrelated unknown and known variables, with unknown values. They all change in unknown ways over time, depending on unknown future circumstances.” [A.C. – admittedly, weather prediction has a lot of unknowns too, but this seems much messier than that…]
“humans are notoriously bad at qualitative risk assessment.” [A.C. – the above means you can’t count; this adds that you can’t guess either :-)]
So, what does this teach us? More work on this is definitely needed - I am not just whining aka “bringing up the issue.” :-) Also, I now have a dream of a mythical document called “Practical Guide to Risk-less Security”…
Obligatory “added everywhere” posts :-)
- I am not at Qualys anymore and looking for the next big security idea to work on! Meanwhile, I might be available for fun consulting projects related to PCI, log management or other fun security things.