
The Death of Risk

My friend and colleague Donn Parker, security consultant and researcher par excellence, gives an RSA session entitled “Alternatives to Security Risk Management” (RSA P2P 204A Weds at 1pm Burgundy 222) in which he attempts once more to debunk the myth that “risk can be managed” in information security. Donn has been on the forefront of thinking about information security since the 1970s, and he is used to being ignored by all types of people who either don’t get it or haven’t figured out a way to exploit an idea for profit yet. Sometimes his rants can seem quixotic but almost always look prescient after the fact. Here is an example. Donn is not saying that “risk doesn’t matter” (although read below for more on this notion), but he is saying that the idea that an organization can use quantitative techniques analyzing detailed risk profiles around data and controls to make decisions about information security is pure bunkum. I agree…mostly.

Controls can be managed. And we should continuously develop our ability to manage controls so that – at minimum – we keep pace with the rapidly changing threat landscape and the less-rapidly evolving state of controls and best practices. On this Donn and I agree. However, I believe that CISOs and organizations should be able to address a big risk (that is: (threat × likelihood of attack success) × impact) before they address a small risk, which implies a crude quantitative analysis. You could define “risk management” as “managing the controllable portion of risk facing the organization” and be done with the controversy. Unfortunately, CEOs and CFOs will expect the implied definition — that when you implement your brand new control, overall risk to the organization will have been reduced by the amount you promised. Donn’s point is that this is folly, and potentially career limiting if something bad does indeed happen anyway.

But hold on a moment. Maybe it’s not career limiting after all to maintain a façade of risk management. Take a look at two recent exhibits for the prosecution: (1) the housing-credit crisis and the resultant recession, and (2) the TJX data breach. I really want to write about (1) but I’m throwing in (2) for those of you who might say, “Well, that was a special case – an outlier and not something we should use to guide us.” The housing-credit crisis was the direct result of a willful failure of risk management. Executives at a small number of very large and powerful financial institutions, aided by regulators who were predictably transfixed by the beauty of their own financial models, took huge and – in hindsight anyway – unjustifiable risks in order to score big playing the financial markets. OK, what they did was bad, right? But look who lost their jobs. Thousands of employees at Bear, Lehman, WAMU and Wachovia (and others). But how many of the executives that actually made the bad bets? Not many. FNMA said house prices would decline by at most 5%. Goldman’s WOW (“worst of the worst” cases) model said 30%. The rating agencies, who hawked AAA ratings like papal indulgences in the fifteenth century, said 15% to 20%. There you have “risk management” at its finest. Smart economists have told us that you cannot spot a market bubble until after it has burst, and unfortunately most investors tend to get in right before the bubble collapses.

Take a look at TJX, if you think the current recession is an outlier. The accompanying chart shows that the March 28, 2007 announcement of a massive data breach at TJX had little or no discernible effect on the stock price of the company. TJX recently announced record profits and – just a year after hundreds of billions of bailouts were doled out — Wall Street bonuses were up 17% over 2008. Conclusion: there is no longer a penalty for taking untoward risk.

So what is the purpose of information security risk management? Go to Donn Parker’s RSA session and find out for sure. But my guess is it is – at best — a very fancy fig leaf.

[Chart: TJX stock price around the March 28, 2007 breach announcement; caption: “spot the data breach...”]
