Risk assessment is a hazardous business. For instance, take the case of the town council that banned hanging baskets after they ruled there was a risk they could fall from lampposts and injure the public (see full story here). The local Bury in Bloom committee was suitably angered by the decision calling it pointless. But was it so pointless?
People are quick to point out that there is often a lack of any empirical evidence in support of risk assessments. In other words, they are saying “it hasn’t happened before so it won’t happen in the future.” Certainly I don’t recall ever reading about any of the townsfolk of Bury St Edmunds being injured in hanging basket incidents. However, when we recall that risk is a balance between threats, vulnerabilities and potential costs, then while the first two might be small, the cost outcomes would have been considerable. So, I can understand the decision even if I don’t necessarily agree with it.
And that brings me to the point that I wanted to make which is my view that it’s misguided to rely solely on historical data in order to perform a risk assessment. True, we need to be aware of past trends – those help us to understand the effectiveness of controls and learn lessons of where things have previously failed – but information security is not like insurance. We might have a web site that’s been happily running, with exploitable vulnerabilities, for years. Just because it has never been hacked before does not in any way reduce the risk of it being hacked in the next five minutes. We can predict the impact of the attack, estimate the costs, and describe the potential threats and vulnerability level. What we cannot do is quantify the risk by looking at historical data, except to say that we know websites get hacked.
This article on the BCS website makes for interesting reading on the subject:
In the field of information security, it is likely that investment decisions are still often made based on the judgment of skilled and experienced information security professionals instead of on reliable data that quantifies risks because there is little reliable data which we can use to make careful decisions.
There is also a good blog on the subject which makes the point that you cannot, and should not, deal with all the insecurities facing your organisation; instead, prioritise your security expenditure rather than simply following the daily headlines and vendor-released, short-term-centred research. This is most important: consider risk from the perspective of the business you are working for. We’re all working for organisations with different risk profiles, which is why we should all be following individual strategies that fit business needs rather than the industry hype.