Risk assessment is a fascinating activity that is relevant to everyone, all the time, and involves both our individual, subjective interpretation and the pure objectivity of statistics. Money, power, security, survival, rationality, emotion—it all comes into play when humans assess risk.
With DEFCON 24 and Black Hat USA 2016 just behind us, what better time to touch on this critical information security issue: when we measure risk, how do objective and subjective factors influence whether we do—in fact—make ourselves safer?
We all know from direct experience that when it comes to risk in what I’ll call “hostile environments,” there are two extremes for assessing risk. Some people completely ignore relevant risks (e.g., a drunk person driving home late on New Year’s Eve with the roads crawling with both other drunk people and also police cars) while others actually increase their overall risk by perceiving greater risk than actually exists (e.g., people who drive long distances because they’re afraid of flying).
When we perform risk assessment we want to be as objective as possible, because logically this will help us achieve valid risk values to drive sound decisions that verifiably reduce risk as intended. But at all stages of the risk assessment process, from the choice of a framework or model to the choice of the people around the table to the choices around risk probabilities and impacts, subjectivity is involved.
As Bruce Schneier has eloquently put it, security is both a reality based on risk probabilities and countermeasure effectiveness, and a feeling driven by psychological reactions to those risks and countermeasures. Like a traveler in a car versus a commercial aircraft, you can be secure when you feel unsafe, and you can feel safe when you’re actually not.
This objectivity/subjectivity factor is highly relevant to assessing and mitigating information security risk. It’s not practical or financially possible to defend against every possible risk. So how do you accurately predict and prioritize the most critical vulnerabilities for optimal results? How do you avoid scenarios where focusing on one control just has the effect of shifting attacks toward more vulnerable targets.
Permit me to reemphasize how challenging it can be to objectively/rationally view and address risk. How many IT administrators and executives out there do you think are worried about defending against zero-day attacks or advanced persistent threats (APTs) from nation-state attackers when they have unpatched servers, systems outside their firewall with default username/passwords, web-facing applications with big vulnerabilities in their code… and Bob in Accounting just clicked on a malicious link in a phishing email?
One way to introduce objectivity and valid input is to choose a risk assessment model or framework that meets and organization’s needs and help facilitate meaningful discussion. Intel’s TARA methodology is one example. At Pivot Point, we generally recommend a more open-ended decision matrix because, in our experience, comprehensive input from people who know an organization’s specific environment and challenges yields the best results.
Another way to work with the emotional, gut-level side of risk assessment is to bring people to the table who don’t have an emotional stake in the job function. This can be a third-party expert, or just someone from another department whose view is less subjectively biased. Getting broad input to reveal and balance biases is a common risk assessment challenge.
Perhaps the biggest advantage of bringing unbiased, third-party experts into your risk assessment is that we’ve not only participated in a lot of risk assessments, but also we’ve seen the real results and can look beyond the current media hype and other “FUD factors.” We know experientially and historically what attacks actually exploit what vulnerabilities at companies similar to yours, and what the outcomes were.
To ensure you balance objectivity and subjectivity and get the most value and best results from your information security risk assessment efforts, contact Pivot Point Security.