One of the problems with information security and risk assessments is that we’re really dealing with uncertainty rather than risk. There is a difference. You can estimate risk when you know the probability of an event. When it comes to information security there is a lack of valid data. Not only that, but the nature of security threats change so rapidly these days that the chances of us being able to gather a meaningful set of data about vulnerabilities may never be possible. As by the time you’ve collected enough data the environment will have changed.
Decisions are actually being made on the basis of trusted opinions. It’s still a “risk assessment” but it’s an opinion. In information security, two people can be given the same set of data about threats and vulnerabilities, use the same risk modelling methodology and reach two different conclusions. I’ve seen it happen many times.
Interesting to note is the fact that given all our risk models, the world of information security wholly failed to predict and prevent the recent and continuing spate of data breaches. As an acquaintance of mine recently said, “We’ve been focusing on brain surgery while the patient dies of the common cold.”
My favorite example of the futility of the risk assessment comes from Nassim Taleb’s excellent book The Black Swan.
Consider a turkey that is fed every day. Every single feeding will firm up the bird’s belief that it is the general rule of life to be fed every day by friendly members of the human race…On the Wednesday before Thanksgiving, something unexpected will happen to the turkey. It will incur a revision of belief.
As Taleb points out, the turkeys feeling of safety likely reached its maximum when the risk was highest.
So, our risk assessments cannot prevent bad things from happening. We can have an opinion based on our “expert” knowledge but now look back over most – maybe all – of the information security related risk assessments that you’ve made. Did you really need to work through the model to get to the conclusion that you’ve reached or did you know what you were going to say before you started?