Rationalizing Risk Assessments – Objectivity be Damned?

    Categories: InfoSec Risk Assessment

Just finished my nth (non-fulfilling) conversation on our approach to Information Security Risk Assessments with our Audit Lead.  It still amazes me that something so fundamentally logical/right is so challenging to execute well.  It is especially true when you consider that we successfully conduct our own personal mini “risk assessments” (PMRA) a dozen times a day.

Sun is shining, 80 degrees  and Bob invited me to golf this afternoon.  Man that sounds great.  Audit report ain’t gonna write itself, if I don’t get it to the client tomorrow like I promised they will probably be unhappy and that might impact our chances of being awarded the second half of the project.  The round should be over before I need to have the steaks on the grill in time for dinner, but if not my wife is really going to be pissed at me as I have been late 3 nights this week and I promised to be on time tonight.  Looks like I’m not going golfing.

So why is it that Information Security Risk Assessments (ISRA) are so much more challenging than PMRA’s?

Quantitative vs. Qualitative

On first blush you may be tempted to point out that ISRA’s are much more quantitative in nature and risk is more “financial” in nature.  Agreed, having my wife mad at me is not necessarily a financial issue (although if she were mad enough it may be as any good divorce attorney would attest to)  — but the degree (a form of quantification) is still important.  Are we talking flowers and dinner mad or are we talking sleeping in the basement mad?  The loss of business ties to my financial remuneration at the company .. and while I am not calculating an exact amount .. I know that losing a big project will hurt our profit .. which will reduce my bonus (probably enough that I won’t be able to afford that Duxiana bed I had my eye on for the basement).  Further, we only conduct qualitative ISRA’s so I don’t think it’s a quantitative issue?

Consensus vs. Individual

Generally speaking it’s easier to do things by yourself.  However, when we hit PMRA’s that have greater potential for negative impact beyond the “I really would love a bowl of chili … but gosh it kills my intestinal track and I have dinner with in-laws tonight” we have a tendency to involve others.  Checking with the client to see if you can gauge just how mad they may be … or your son to see if he will be home late in the day to fire the grill if  you’re a little late.  So while gaining consensus adds complexity, I don’t think it’s a consensus issue.

Public vs. Personal

PMRA’s are by definition mostly personal.  You may bounce ideas off of someone or detail your PRMA over a beer to rationalize your decision to purchase a Buick Lacrosse over a BMW 328xi (hypothetically speaking, of course) but in most instances PMRA’s are not subject to the harsh light of day.  To the contrary, ISRA’s are by definition “public”.  They are being used to rationalize the purchase or implementation off a certain set of controls.

I think that this is the main challenge with ISRA’s.  ISRA’s impact lots of people, accordingly, they are subject to a lot more scrutiny.  Scrutiny requires the outcome to be “defensible”  which makes the process of executing a “by the book” ISRA so challenging.

Bottom line is that PMRA’s are subjective in nature an measuring risk subjectively is more natural and intuitive, and probably more accurate.  ISRA’s being subject to independent review need to be more objective in nature and objectivity is inherently challenging, not only because of organizational myopia, but because objectivity requires third party data, which just doesn’t exist.  For example, in assessing the risk that a malicious individual will leverage social engineering to exploit weaknesses in your call centers personnel and gain access to Personally Identifiable Information how do we objectively measure probability and impact?  There are no actuarial tables or other relevant statistical data stores to measure either.  Further, if our Risk Treatment Plan defines quarterly Security Awareness training to reduce this risk – by what percentage did it reduce it ?

A Successful Subjective ISRA

I have oft repeated that the most beneficial ISRA that I ever saw conducted was done by the CISO for a NJ County.  It was a single handwritten spiral notebook page labeled “5 things that keep us awake at night” and it contained 5 bullet points citing the 5 greatest risks that the County was subject to.  I say that it was the most beneficial ISRA because it focused the organization on 5 business critical risks that they felt that they could effectively address over the course of a year.  Were there perhaps other risks that were even more significant?  Were there other risks that they could have mitigated more easily?  Possibly.  But bottom line it galvanized them into action and focused their efforts sufficiently for them to complete the task.  Knowing this particular team well – I feel confident in saying that a color coded spreadsheet with 62 prioritized and quantified risks would have provided less value.  In a sense his ISRA was really a PMRA.  Damn objectivity, I know what we need to do, now I’m going to do it.

So do we really need objectivity?

Subjectivity is easy and our natural state I would argue it usually results in the truest assessment of risk.  The enemy of subjectivity, is rationalization.  Rationalization allows us to distort subjectivity to achieve a more desirable end.  It is our willingness to (knowingly or unknowingly) rationalize that necessitates objectivity.  So we have reached the classic Catch 22 … Subjective Risk Assessments are simpler and arguably more accurate – yet the potential for rationalization to take place necessitates the introduction of higher levels of objectivity which complicate the process and often result in the outcome being less accurate/valuable.

So I’m left still pondering improving the Risk Assessment process …

John Verry :

View Comments (2)

  • Most professionals believe Risk Management is the heart of Information Security, however, it is probably the most abused security discipline, and the point you just raised is one of the main causes.

    Very nice article, please keep them coming.

    I'm still pondering improving the Risk Assessment process …

    • We were frustrated with Risk Assessment using approached like OCTAVE because asset centric based risk assessments don't work well. Once we saw the idea introduced in ISO-27005 that an alternative approach is to take an information and process that act on it centric approach -- we really began to enjoy Risk Assessment and value its output.