Risk is all about perception. We often make decisions about how to stay safe based on the perception of risk rather than on the actual risk. For example, people perceive far more risk around earthquakes than they do around slipping on the bathroom floor, although in most places on earth you’re hundreds of times more likely to die from the latter cause.
When it comes to information security risk assessment, this aspect of human nature can lead to a false sense of confidence. That is, the perceived effectiveness of information security investments often differs from the actual security they provide. (This well-known TED talk with Bruce Schneier offers great background.)
We’re seeing this all very vividly in our industry right now in the wake of the latest wave of security breaches involving major retailers. Given that all such firms are under constant threat, and knowing that Target had recently been hacked hard through its point-of-sale (POS) systems, why was Home Depot not better prepared?
An aspect of human risk perception is that events that have been experienced before are judged to be more likely to occur than events that have not yet occurred. Recent high-profile breaches therefore have companies piling on security measures at record levels.
But are they choosing the right measures, in the right combinations, to holistically address actual risk? Or are they making “stop-gap” choices that, in the end, lock the doors but leave some windows wide open? For example, do they get PCI certified but fail (as Target did) to investigate security practices among their third-party vendors?
Even compliance with security regulations or company policy might not always correspond to actual risk. I recall a case where a network failed an audit because two routers were found to be direct-connected with no rogue system detection in place between them. But this was on a secure corporate campus, in a restricted-access building, in a closet with even higher access restrictions. How great was the actual risk in this case, even though a compliance checkbox was not checked?
ISO defines risk as the “combination of the probability of an event and its consequence.” In terms of information security, risk balances the security of a system against the expected loss resulting from a breach.
Determining the actual significance of risk factors allows security analysts to objectively prioritize vulnerabilities based on criticality, so that companies can allocate resources to mitigate them. In this context, techniques like threat modeling are a useful way to visualize potential attacks, uncover actual vulnerabilities and determine risk levels based on business factors like cost, regulatory fallout and reputational damage.
Robust information security requires a holistic framework aligned with a risk-based approach like ISO 27001. Are you confident that your organization has appropriate security controls in place to deal with the actual threats you face? To talk with an expert about your situation, contact Pivot Point Security.