Risk management: The answer to security, or the problem?

One security experts says, ‘We need to drop the risk management banner’

One of the guiding principles of information technology security is risk management, the concept that security efforts should be prioritized so that resources can be directed at the most significant threats and residual risk can be knowingly accepted and anticipated. However, not everyone shares that view.

“I think the biggest threat out there now is the concept of risk management,” said Brian Chess, chief science officer and co-founder of IT security company Fortify. “Most people think risk management is the answer. I think we’re at a point where risk management is a problem.”

The problem isn’t so much the idea, Chess said. “It’s how it is implemented.”


Related stories:

6 reasons to worry about cybersecurity

NIST guide: The imperative of real-time risk management

Better cybersecurity depends of better information management


Without an adequate foundation of knowledge and expertise, what should be an objective evaluation becomes a subjective gamble, and risk management becomes a risky proposition, he said.

Risk management is based on the assumption that absolute security is impossible. Because some risk will always remain in any system, the focus should be on managing it rather than futilely trying to completely eliminate it. All well and good, Chess said; but there are difficulties with how it typically is implemented.

  • Most practitioners don’t know the attackers and their methods well enough to accurately measure the amount of risk they are accepting.
  • Most are not good enough at math to understand how multiple risks across a number of parameters in their IT systems can add up or multiply to increase exposure.
  • Without these foundations, those who must sign off on accepted residual risk are making judgment calls with a pseudo-scientific veneer.

“Humans are really bad at that,” Chess said. “We don’t seem to be able to make good risk decisions. We need to drop the risk management banner.”

He suggested replacing it with objective standards, such as those that have evolved in the physical world to provide acceptable levels of safety. Take bridges, for example. Lots of bridges have failed, but engineers have developed objective standards for construction that have evolved by adapting to those failures.

“When we build a bridge, we are doing risk management,” Chess said. But designers are not left to make their own decisions about each bridge from scratch. By using objective standards, “we’ve improved bridges a lot over the last 100 years.”

The security community has a love/hate relationship with standards, he said. It loves the unanimity but hates being required to adhere to specific practices that might not be adequate. But Chess said he believes that professionally crafted, objectively applied standards that evolve over time can provide a uniformly higher level of security than what is achieved through individual guesswork. The world is not so fragmented that we cannot develop an effective set of common standards, he said.

The question remains: Who will develop these standards?

It will be either industry or government. “The big thing that the software industry fears is regulation,” Chess said. But if industry does not do an adequate job of developing and adhering to effective levels of care for security, Congress eventually will step in and do it for them.

Reader Comments

Tue, Aug 17, 2010 Rich Glover Washington DC

Awesome article! You can tell from the ultra-defensive responses that it really hit a nerve. Maybe risk management is the next emperor with no clothes.

Tue, Aug 17, 2010 Dan Pitton Washington DC

According to the author, we are managing risk the wrong way. We need more standards. I guess he never heard of the FDCC, which takes desktop security standards to a a new level of hyper-detail - with debatable consequences. Every security control carries it own risks, and in the case of FDCC, user circumvention was an unintended consequence. Ergo, such practices create more problems then they solve, simply because both users and hackers are all about leveraging creative methods designed to make security standards instantly obsolete. The more rigid the control, the more determined hackers become in beating it. Just look at the evolution of viruses spawning antivirus to malware answered by anti-malware; on to rootkits versus hypervisors; and on and on it goes. Risk acceptance is all about trade-offs, and managing risk is all about tolerance - how much pain can you take. To sit in lala-land dreaming of security absolutes as ironclad standards is a folly. 5 seconds after this guy arrives at a "standard" it will be made obsolete by a 12 year old.

Fri, Aug 13, 2010 Jim Green USA

“I think the biggest threat out there now is the concept of risk management,”

Wow!

The biggest, eh? Not identity theft lawsuits, services interruption/shutdown, [unscheduled and unplanned] remediation costs, or loss of Goodwill. (All "risk" issues; none IT issues.)

It's management of risk that's the new threat to the Universe. Or is it the thought ("concept") itself?

Is Mr. IT Security promulgating anti-risk management laws to deal with the threat of management of risk? (Or the thought?) Or does he need another obtuse threat in the wild as the latest addition to the Fear, Uncertainty, and Doubt central to his Value Proposition?

The primary difference between selling IT security and selling snake oil is that the victim at least feels good swallowing the oil. Not so with IT security, wherein every swallow hurts [the bottom line], and every failure of "security" requires more security; and the victim is left with that bloated, unsatisfied feeling.

Perhaps "risk management" is the cure for this situation. (Although it is the antithesis of Fear, Uncertainty, and Doubt.)

"But if industry does not do an adequate job of developing and adhering to effective levels of care for security, Congress eventually will step in and do it for them." Sure they will; until they've bled the Goose laying the golden eggs dead.

Then what?

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above