Security Risk Assessment - Can it be automated?

My last blog posting kicked off a number of interesting discussions, including one on the subject of automated security risk management, raised by a friend from Brabeion, a compliance management specialist based in Washington DC. The issue raised was: Can we assess security risks directly from discovery tools? A good question, one more appropriate to my colleague Stuart King’s Risk Management Blog, but I thought I’d set out some thoughts on the subject before pushing it over to him.

Now I’m all for injecting as much objectivity and precision into risk assessment as possible, because subjective assessments are too often clouded by political, cultural and personal factors. However, it’s people who are responsible for decisions, so I’m not too sure we can entirely remove the human element. I’m reminded of an instructive session on risk management by a leading professor on this subject at a US Government computer security conference back in the early 80s. He presented an array of mathematical methods for calculating risks, taken from more mature fields, such as the nuclear industry. At the end of his session a man from the audience posed the obvious question: “But how can you prevent people from adjusting the figures and weightings to suit a particular outcome?” His response was illuminating. “But that’s exactly how it works. You wouldn’t make a decision based on such calculations. These methods are intended to support your decisions.”
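To make the professor’s point concrete, here is an added example (not code from the original post or from Brabeion) that scores a handful of constructed scanner findings with a weighted sum, then shows how far the ranking can be bent by changing the weightings. The findings, the three factors (severity, exposure, asset value) and both weighting schemes are assumptions chosen for illustration; any real discovery tool would supply its own fields.

```python
"""Weighted risk scoring over discovery-tool output (added example, not from the post).

Demonstrates two things the paragraph above argues:
  1. the same findings rank differently under different weightings, so the
     calculation supports a decision rather than making it;
  2. the weightings can be tuned to favour a chosen finding, but not
     arbitrarily: a finding that is dominated on every factor cannot be
     pushed to the top by weightings alone.
Findings, factor names and weights are all constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str
    severity: float     # 0..10, e.g. a scanner's CVSS base score (assumed field)
    exposure: float     # 0..1, reachability from untrusted networks (assumed field)
    asset_value: float  # 0..10, business criticality set by the asset owner (assumed)


# Constructed sample findings, as a discovery tool might emit them.
FINDINGS = [
    Finding("web-01", "outdated TLS library", severity=7.5, exposure=1.0, asset_value=6.0),
    Finding("db-02", "default admin password", severity=9.0, exposure=0.1, asset_value=10.0),
    Finding("dev-03", "open debug port", severity=5.0, exposure=0.5, asset_value=2.0),
]

# Two plausible weighting schemes (assumed); each sums to 1.
EQUAL_WEIGHTS = {"severity": 1 / 3, "exposure": 1 / 3, "asset_value": 1 / 3}
ASSET_WEIGHTED = {"severity": 0.2, "exposure": 0.2, "asset_value": 0.6}


def factors(f: Finding) -> dict:
    """Normalise every factor to the 0..1 range so the weights are comparable."""
    return {"severity": f.severity / 10, "exposure": f.exposure, "asset_value": f.asset_value / 10}


def risk_score(f: Finding, weights: dict) -> float:
    """Weighted sum of the normalised factors."""
    fac = factors(f)
    return sum(weights[k] * fac[k] for k in fac)


def rank(findings, weights: dict) -> list:
    """Hosts ordered from highest to lowest risk under the given weights."""
    return [f.host for f in sorted(findings, key=lambda f: risk_score(f, weights), reverse=True)]


def weights_favouring(findings, host: str, step: float = 0.1):
    """Search the weight simplex (non-negative weights summing to 1) on a grid
    of the given step for a scheme that ranks `host` first. Returns the first
    such scheme, or None when no weighting on the grid can achieve it."""
    steps = [i * step for i in range(int(round(1 / step)) + 1)]
    for w_sev, w_exp in product(steps, steps):
        w_asset = 1 - w_sev - w_exp
        if w_asset < -1e-9:           # outside the simplex
            continue
        weights = {"severity": w_sev, "exposure": w_exp, "asset_value": max(w_asset, 0.0)}
        if rank(findings, weights)[0] == host:
            return weights
    return None


if __name__ == "__main__":
    print("equal weights:   ", rank(FINDINGS, EQUAL_WEIGHTS))
    print("asset-weighted:  ", rank(FINDINGS, ASSET_WEIGHTED))
    for host in ("db-02", "dev-03"):
        print(f"weights putting {host} on top:", weights_favouring(FINDINGS, host))
```

Under equal weights the exposed web server ranks first; shift the weight towards asset value and the database host overtakes it, which is exactly the "adjusting the weightings" effect the audience member worried about. The search in `weights_favouring` shows the limit of that manipulation: `dev-03` is beaten by `web-01` on every normalised factor, so no non-negative weighting puts it first, and the function returns `None`. The useful output of such a model is therefore not a single number but the set of assumptions under which a ranking holds, which is what a human decision-maker should be asked to defend.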

About

This page contains a single entry from the blog posted on November 29, 2006 9:16 AM.