Wednesday, February 11, 2009

Risk: The Ultimate Metric

Many years ago, back when the world was young and IT was innocently going about troubleshooting DOS 3.3 machines and setting up those brand-new 300 baud modem banks, risk meant something entirely different from what it does today. Back then, risk was an entirely business-owned term. Risk dealt with one of the following, and only in rare cases was it anything more:
  1. Financial: related to credit or investments such as loans, credit cards, or other financial obligations
  2. Legal: dealing primarily with breaking the law, whether local, federal, or international
  3. Human: accounting for the human element of a corporation, mainly HR-related
  4. Opportunity: taking a risk or pursuing an opportunity which could positively or negatively impact the business
Now, in 2009, we look at risk as a metric applied to technology. While there are actuarial models for quantifying the four risk types listed above, we are still falling short at measuring technology-based risk. The reason is largely historical: those four types of risk have been around for centuries and have been refined and reasonably well understood through the ages, whereas technology-based risk has been measured for somewhat less than 20 years. That makes it easy to understand why your auto insurance company can tell you which risk profile you fall into, and what your loss expectancy is, after asking you just a few simple questions, while you still have no idea how to tell upper management what the likelihood of getting hacked is if {insert security counter-measure here} gets implemented.

Risk is truly the ultimate metric for security practitioners and managers alike. We have tried to model risk with equations, formulas, and frameworks over the past half-decade or so, but we still fail to provide consistent answers to one fundamental question:
"How much less likely are we to be hacked if we spend $X on solution Y?"
Your insurance company can tell you how much less likely you are to cost them money if you are a married male over the age of 25 versus an unmarried male under 25... but we in security have no such magic table of risk to speak from.

As I've stated, I know full well there are some great risk model frameworks and formulas out there, but at the end of the day... I don't know a single one that can answer the question posed above. Is it because every business is different? Maybe it's because there are more variables than we can possibly fold into one cohesive formula and keep our sanity... or maybe it's just that we simply don't understand risk in technology terms completely.

Take a look at your 2009 projects (if you have any, given the economic climate) and ask yourself... which of these reduces the business's risk the most, and by how much? I urge you to abandon trying to word-smith your projects into something your CIO will find acceptable (or at least scary) and focus on coming up with that all-important metric... risk. Instead of justifying your pet project by saying it will keep your company out of negative front-page news or from losing millions of credit card records... justify it by saying that implementing the project will decrease negative business risk by 20% (or whatever your number is)... and watch the reaction.

... now all you have to do is figure out that magic formula. Good luck.
