What is the risk of winning?
That sounds like a strange question, since we usually think about the negative outcome of a risk. But a risk is just the chance or probability of an outcome occurring in a given time period. Is there a greater risk in having a gun in your house or a swimming pool in your backyard? Click here for the answer: http://www.anesi.com/accdeath.htm
We humans are terrible judges of risk. We almost always ignore the negative consequences in the hope of a desired outcome. It is for this reason that risk models have been developed: to remove the human propensity to ignore the negative in favor of short-term, personal, or excessive reward.
Bruce Schneier is perhaps the world’s foremost IT security expert, with numerous published books and papers. (If you do not have the most current version of Flash Player, the video box below will be blank; use this link to view the video: http://www.ted.com/talks/lang/eng/bruce_schneier.html)
Some of those who best understand risk are those who run casinos. How many people play slot machines knowing they will lose? Casinos are betting you WILL LOSE in the long run, and you are betting you WILL WIN THIS TIME. So there is a time element to evaluating risk. However, unlike the gambler, the casino owner knows to the decimal exactly how many people will lose and what the house advantage is on each game over a given period of time: http://www.pbs.org/wgbh/pages/frontline/shows/gamble/odds/odds.html
Insurance companies also understand and bet on human life expectancy, based on two hundred years of collecting mortality and disease statistics. They have a very clear process for determining whom they will and will not insure (just try to get life insurance if you’re over 85!). They are betting you WILL WIN (not die, have an accident, or get sick) during the term of your policy; you are betting you will lose (die, crash, sicken). Ironic corollary: anyone who has insurance is betting against himself!
The current Mississippi flooding is a good illustration of another aspect of risk. There is a 63.4% chance of a 100-year flood occurring in any 100-year period, not a 100% chance. The last flood of this magnitude was in 1927, which was only 94 years ago (http://en.wikipedia.org/wiki/100-year_flood). By definition, flood events are statistically independent of each other: how recently a flood has occurred does not change the risk of a flood occurring again next year.
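The flood arithmetic above, carried through as an added worked example (not part of the original post): the cumulative chance of at least one 1-in-100 event over a window, how many years it takes to reach even odds, and why the years since the last flood drop out of next year's probability. It assumes a fixed 0.01 chance per year and independence between years, as the text does.

```python
# Added example (not from the original post): the 100-year flood arithmetic,
# assuming a fixed 1-in-100 chance per year and independence between years.
import math

def prob_at_least_one(p_per_year: float, years: int) -> float:
    """P(at least one event in `years` independent years) = 1 - (1 - p)^years.
    For p = 0.01 and 100 years this is 0.634, not 1.0."""
    return 1.0 - (1.0 - p_per_year) ** years

def years_to_reach(p_per_year: float, target: float) -> int:
    """Smallest whole number of years in which the cumulative chance of at
    least one event reaches `target` (solves 1 - (1-p)^n >= target for n)."""
    n = math.ceil(math.log(1.0 - target) / math.log(1.0 - p_per_year))
    # Guard against floating-point error leaving us one year short.
    while prob_at_least_one(p_per_year, n) < target:
        n += 1
    return n

def prob_next_year_given_gap(p_per_year: float, gap_years: int) -> float:
    """P(event next year | no event in the previous `gap_years`), computed as
    P(A and B) / P(B). The (1-p)^gap factor cancels, so the answer is just p:
    with independent years, the time since the last flood carries no information."""
    p_no_event_in_gap = (1.0 - p_per_year) ** gap_years
    p_joint = p_per_year * p_no_event_in_gap
    return p_joint / p_no_event_in_gap

if __name__ == "__main__":
    print(f"100-year window: {prob_at_least_one(0.01, 100):.1%} chance of a flood")
    print(f"even odds after {years_to_reach(0.01, 0.5)} years")
    print(f"next year, 94 years after the last flood: {prob_next_year_given_gap(0.01, 94):.2%}")
```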
Computer security (cybersecurity, information security, information assurance, IT security) does not have hundreds of years of statistics on how data are lost, stolen or corrupted. Nor are there good statistics on which methods are used or by whom, as gambling and insurance companies have about games and mortality. In addition, cyber incidents have no agreed-upon method of calculation (as gambling odds do), no central reporting location (like the Center for Disease Control), and no formulae for occurrence (as floods have). Moreover, so many new software programs are written daily, and so many new devices and functions are introduced monthly, that calculating the risk of a cyber event is complicated to the point of being difficult or impossible.
There are some organizations that collect data on computer crimes and breaches, but each has drawbacks. Some are based on voluntary reporting; many companies (banks especially) are loath to report successful crimes, and no laws force them to notify customers of breaches (several federal data breach notification laws have been proposed and failed, though some states have passed one). US-CERT collects data on incidents on government computers, but government managers often don’t want to report accurately because they also fear being seen in a bad light. Our existing security problem is never fully described, because we don’t know the full extent of what is happening and can’t analyze it to take appropriately corrective actions. Some computer crime databases:
- DataLossDB: voluntary reporting of data by the Open Security Foundation
- Cyber Security Index: a relatively new project to evaluate the current state of cybersecurity
- Privacy Rights Clearinghouse
“The real danger is the gradual erosion of individual liberties through the automation, integration, and interconnection of many small, separate record-keeping systems, each of which alone may seem innocuous, even benevolent, and wholly justifiable.” (U.S. Privacy Protection Study Commission, 1977)
IT Risk Management
Executives in the best-run businesses can, without hesitation, clearly articulate the three top IT risks to their business. A risk management program has to be able to:
- know each asset, its attributes and its value to the organization
- identify all possible threats (likely and unlikely) to the asset
- identify the exposure(s) (vulnerability, attack surface) of the asset
- define the line between what losses can and cannot be tolerated
- quantify the benefit of taking the risk (lose $10 now to win $100 later)
- identify the worst possible outcome(s) and develop a recovery plan
- The Verizon Enterprise Risk and Incident Sharing framework has a very interesting approach to doing risk management.
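An added example (not from the original post or from any framework it links) that turns the six steps above into a small calculation: asset value, threat likelihood and exposure give an expected annual loss, which is weighed against the benefit of taking the risk and against the tolerated-loss line. The asset, threats, dollar figures and probabilities are constructed placeholders.

```python
# Added example (not from the original post or from any framework it links):
# the risk-program steps above as a small calculation. Every name, dollar
# figure and probability below is a constructed placeholder.
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: float              # step 1: what it is worth to the organization, in dollars

@dataclass
class Threat:
    name: str
    annual_likelihood: float  # step 2: probability it materializes in a year
    exposure: float           # step 3: share of the asset's value at stake if it does

def expected_annual_loss(asset: Asset, threats: list) -> float:
    """Sum over threats of value x exposure x likelihood."""
    return sum(asset.value * t.exposure * t.annual_likelihood for t in threats)

def worst_case_loss(asset: Asset, threats: list) -> float:
    """Step 6: the single largest loss any one threat could cause."""
    return max(asset.value * t.exposure for t in threats)

def evaluate(asset: Asset, threats: list, tolerated_loss: float, expected_benefit: float) -> dict:
    """Steps 4 and 5: compare the benefit of taking the risk with its expected
    cost, and the worst case with the loss the organization says it can tolerate."""
    eal = expected_annual_loss(asset, threats)
    worst = worst_case_loss(asset, threats)
    return {
        "expected_annual_loss": eal,
        "worst_case_loss": worst,
        "net_expected_benefit": expected_benefit - eal,  # 'lose $10 now to win $100 later'
        "worst_case_within_tolerance": worst <= tolerated_loss,
        "recovery_plan_required": worst > tolerated_loss,
    }

def sample_evaluation() -> dict:
    """Constructed scenario: exposing a customer database through a new
    self-service portal that is expected to bring in $150,000 a year."""
    db = Asset("customer database (constructed)", 1_000_000)
    threats = [
        Threat("phished administrator credentials", annual_likelihood=0.30, exposure=0.20),
        Threat("unencrypted backup lost in transit", annual_likelihood=0.05, exposure=1.00),
    ]
    return evaluate(db, threats, tolerated_loss=250_000, expected_benefit=150_000)

if __name__ == "__main__":
    for key, val in sample_evaluation().items():
        print(f"{key}: {val}")
```

The net expected benefit is positive, yet the worst case crosses the tolerance line, which is exactly the situation the last step (a recovery plan for the worst outcome) exists for.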
This free video is a good 13-minute overview of risk management and governance for managers. (Free registration required to view. NOTE: creating a “throw-away” email address, unrelated to your personal or business email name or password, is a good idea for viewing sites like this.) https://www.isc2.org/cissp-emea-thank-you.aspx
To understand how to use risk to minimize adverse consequences, it is also necessary to understand when risk management will not work.
Risk management models are based on financial risk models developed in the 1920s and 1930s. The last three years have shown that risk models developed for the financial world don’t work very well, even in the discipline they were developed in. We need to maintain a healthy skepticism about how to evaluate risks. Risk models don’t seem to work when:
- losses are not monetized accurately; if you don’t know how much what you are protecting is worth, you have no objective measure of how much loss you can accept (this is the problem with businesses not understanding Cyber Rugged Concept #1: digital data are an asset)
- the time period for estimating the occurrence of a risk is too short for likelihood to be evaluated accurately. Computer attack methods change yearly or more often as new attacks are developed. Even if we had data on ALL the attacks of the last 2-3 years, or even 10 years, those data would not be accurate for as yet undeveloped cyber vulnerabilities (just as the financial system’s risk models didn’t account for the new financial vulnerabilities of debentures and subprime loans)
- individuals accepting the risk consider their personal gain over the benefit to the organization taking the risk (see this article about Marianne Jennings’ book Seven Signs of Ethical Collapse)
- there is no accountability, responsibility or consequences for failure
- the greatest adverse outcome of the risk is non-monetary (reputation loss, peer review, adverse publicity, personal ordeal); risk decisions are then based on avoiding those outcomes rather than on acknowledging and correcting vulnerabilities that could spotlight individual, management or governance weaknesses
- there is a refusal to examine possible catastrophic outcomes (“if it happens we’ll deal with it then”) or denial of the possibility (“that will never happen!”); any risk model then breaks down, because the organization will not have developed plans that could have mitigated extreme outcomes
The information security risk model used by the US Government is published by NIST in NIST 800-39 (March 2011). ISACA, a worldwide IT professional organization, has just published a compilation of research about information system risk management (free download) called Risk IT, which provides an in-depth course on what IT risk is and the elements of managing it.
Rugged is… enumerating the beneficial and adverse outcomes of a decision or action, and determining whether the negative consequences would cost more than the desired outcome would provide.