I find it surprising that after more than 30 years of experimentation with risk assessment, many security practitioners continue to apply risk assessment in such a non-intuitive way. There seem to be some rather widespread misconceptions about the nature of the process. I cringe when I hear experienced professionals suggest that risk assessments must be objective and repeatable. Where on earth did they get that impression? Were they taught this on a course? Or did they read it in a standards document? It's not something that occurs in practice.
This has prompted me to try to debunk some of the myths of risk assessment. Hopefully, by speaking out, I might encourage future practitioners to approach the subject with a more critical eye, rather than merely copying the flawed practices of previous generations. So here is my attempt at nailing six common myths of risk assessment.
1. Risk assessment is objective and repeatable
It is neither. Assessments are made by human beings on incomplete information with varying degrees of knowledge, bias and opinion. Groupthink will distort attempts to even this out through group sessions. Attitudes, priorities and awareness of risks also change over time, as do the threats themselves. So be suspicious of any assessments that appear to be consistent, as this might mask a lack of effort, challenge or review.
2. Security controls should be determined by a risk assessment
Not quite. A consideration of risks helps, but all decisions should be based on the richest set of information available, not just on the output of a risk assessment, which is essentially a highly crude reduction of a complex situation to a handful of sentences and a few numbers plucked out of the air. Risk assessment is a decision support aid, not a decision making tool. It helps you to justify your recommendations.
3. Risk assessments should be focused on assets
This is not recommended. Asset-based risk assessment is the most expensive, long-winded and uncertain method available. There are thousands of assets to consider and most are shared by numerous users. It's a cross between painting the Forth Bridge and nailing jelly to a wall. And it's not the way that business risk management operates. It's far simpler to focus on business processes or areas of responsibility, rather than individual assets.
4. Risk assessment prevents you spending too much money on security
Not in practice. Aside from one or two areas in the military field where ridiculous amounts of money were spent on unnecessary high-end solutions (and they always followed a risk assessment), I've never encountered an information system that had too much security. In fact, the only area I've seen excessive spending on security is on the risk assessment itself. Good security professionals have a natural instinct for where to spend the money. Non-professionals lack the knowledge to conduct an effective risk assessment.
5. Risk assessment encourages enterprises to implement security
No, it generally operates the other way around. Risk assessment means not having to do security. You just decide that the risk is low and acceptable. This enables organisations to ignore security risks and still pass a compliance audit. Smart companies (like investment banks) can exploit this phenomenon to operate outside prudent limits.
6. We should aspire to build a "risk culture" across our enterprises
Whatever that means, it sounds sinister to me. Any culture built on fear is an unhealthy one. Risks are part of the territory of everyday business. Managers should be encouraged to take risks within safe limits set by their management.
Now don't get me wrong. Unlike Donn Parker I'm not against risk assessment. I take the view that it's unavoidable but can also be extremely valuable, perhaps one of the most powerful management tools available to an organisation. It enables managers to do whatever they like, in most cases with limited personal consequences, as long as they carefully document their decisions. We can all use a tool like that.