IV. Risk

What is the risk of winning?

That sounds like a strange question since we usually think more about the negative outcome of a risk. But a risk is just the chance or probability of an outcome occurring in a given time period.  Is there a greater risk to having a gun in your house or a swimming pool in your back yard? Click here for the answer: http://www.anesi.com/accdeath.htm

We humans are terrible judges of risk. We almost always ignore the negative consequences in hope of a desired outcome. It is for this reason that risk models have been developed: to try to remove the human propensity to ignore the negative in favor of short-term, personal or excessive reward.

Bruce Schneier is perhaps the world’s foremost IT security expert, with numerous published books and papers.  (If you do not have the most current version of Flash Player, the box below will be blank;  use this link to view the video: http://www.ted.com/talks/lang/eng/bruce_schneier.html )

Some of those who best understand risk are those who run casinos.  How many people play slot machines knowing they will lose?   Casinos are betting you WILL LOSE in the long run and you are betting you WILL WIN THIS TIME.  So there is a time element to evaluating risk.   However, unlike the gambler,  the casino owner knows to a decimal exactly how many people will lose and what the house advantage is on each game over a given period of time:  http://www.pbs.org/wgbh/pages/frontline/shows/gamble/odds/odds.html.

Insurance companies also understand and bet on human life expectancy, based on two hundred years of collecting mortality and disease statistics. They have a very clear process for determining whom they will and will not insure (just try to get life insurance if you’re over 85!). They are betting you WILL WIN (not die, have an accident, get sick) during the term of your policy; you are betting you will lose (die, crash, sicken). Ironic corollary: anyone who has insurance is betting against himself!

The current Mississippi flooding is a good illustration of another aspect of risk. There is a 63.4% chance of a 100-year flood occurring in any 100-year period, not a 100% chance. The last flood of this magnitude was in 1927, which was only 94 years ago (http://en.wikipedia.org/wiki/100-year_flood). By definition, flood events are statistically independent of each other: how recently a flood has occurred does not change the risk of a flood occurring again next year.
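The 63.4% figure follows from treating each year as an independent 1-in-100 draw. The Python below is an added example, not code from the original post: it carries that arithmetic through for the post’s figures, generalises it to any per-period probability and horizon, and shows why the gap since the 1927 flood leaves next year’s chance unchanged. The function names and the extra horizons are this example’s own choices.

```python
# Added illustration of the flood-probability arithmetic in the post above.
# Not code from the post; function names and the sample horizons are this
# example's own choices. A "100-year flood" has a 1/100 chance in any year.

import math


def prob_at_least_one(p: float, n: int) -> float:
    """Chance that an event with per-period probability p happens at least
    once in n independent periods: 1 - (1 - p) ** n."""
    if not 0.0 <= p <= 1.0 or n < 0:
        raise ValueError("p must lie in [0, 1] and n must be non-negative")
    return 1.0 - (1.0 - p) ** n


def return_period_hit_prob(return_period_years: int, horizon_years: int) -> float:
    """A 'T-year flood' has a 1/T chance in any single year, so the chance
    of at least one in an H-year window is 1 - (1 - 1/T) ** H."""
    if return_period_years < 1:
        raise ValueError("return period must be at least one year")
    return prob_at_least_one(1.0 / return_period_years, horizon_years)


def prob_next_year_given_gap(p: float, years_since_last: int) -> float:
    """Independent years have no memory: the time since the last flood
    carries no information, so next year's chance is still p."""
    _ = years_since_last  # deliberately ignored; that is the whole point
    return p


def years_for_confidence(p: float, target: float) -> int:
    """Smallest horizon n (in periods) with prob_at_least_one(p, n) >= target,
    from the closed form n = ceil(log(1 - target) / log(1 - p))."""
    if not 0.0 < p < 1.0 or not 0.0 <= target < 1.0:
        raise ValueError("need 0 < p < 1 and 0 <= target < 1")
    if target == 0.0:
        return 0
    n = math.ceil(math.log(1.0 - target) / math.log(1.0 - p))
    # Guard against floating-point error right at the boundary.
    while prob_at_least_one(p, n) < target:
        n += 1
    while n > 0 and prob_at_least_one(p, n - 1) >= target:
        n -= 1
    return n


if __name__ == "__main__":
    # The post's own figures: a 100-year flood over a 100-year period.
    print(f"P(100-yr flood in 100 yrs) = {return_period_hit_prob(100, 100):.3f}")
    # Horizons constructed for illustration (not from the post).
    for horizon in (1, 10, 30, 100):
        print(f"  ... in {horizon:>3} yrs = {return_period_hit_prob(100, horizon):.3f}")
    # The post counts 94 years since 1927; independence says that is irrelevant.
    print(f"P(flood next year | 94 years since last) = "
          f"{prob_next_year_given_gap(0.01, 94):.2f}")
    print(f"Years until a 100-yr flood is 99% likely: {years_for_confidence(0.01, 0.99)}")
```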

Computer security (cybersecurity, information security, information assurance, IT security) does not have hundreds of years of statistics on how data are lost, stolen or corrupted. Nor are there good statistics on which methods are used or by whom, like gambling and insurance companies have about games and mortality. In addition, for cyber incidents there is no agreed-upon method of calculation (as there is for gambling odds), no central reporting location (like the Centers for Disease Control) and no formula (as there is for flood occurrence). Moreover, so many new software programs are being written daily, and new devices and functions introduced monthly, that calculating the risk of a cyber event happening is so complicated as to be difficult or impossible.

There are some organizations that are collecting data on computer crimes and breaches, but each has drawbacks. Some are based on voluntary reporting; many companies (banks especially) are loath to report successful crimes, and no laws force them to notify customers of breaches (several federal data breach notification laws have been proposed and failed, but some states have passed one). US-CERT collects data on incidents on government computers, but government managers often don’t want to report accurately because they also fear being seen in a bad light. Our existing security problem is never fully described, because we don’t know the full extent of what is happening and can’t analyze it to take appropriate corrective actions. Some computer crime databases:

  • DataLossDB: voluntary reporting of data loss incidents, run by the Open Security Foundation
  • Cyber Security Index: a relatively new project to try to evaluate the current state of cybersecurity
  • Privacy Rights Clearinghouse

“The real danger is the gradual erosion of individual liberties through the automation, integration, and interconnection of many small, separate record-keeping systems, each of which alone may seem innocuous, even benevolent, and wholly justifiable.” — U.S. Privacy Protection Study Commission, 1977

IT Risk Management

Executives in the best-run businesses can, without hesitation, clearly articulate the three top IT risks to their business. A risk management program has to be able to:

  • know each asset, its attributes and its value to the organization
  • identify all possible threats (likely and unlikely) to the asset
  • identify the exposure(s) (vulnerability, attack surface) of the asset
  • define the line between what losses can and cannot be tolerated
  • quantify the benefit of taking the risk (lose $10 now to win $100 later)
  • identify the worst possible outcome(s) and develop a recovery plan

The Verizon Enterprise Risk and Incident Sharing framework has a very interesting approach to doing risk management.

This free video is a good 13-minute overview of risk management and governance for managers. (Free registration required to view. NOTE: creating a “throw away” email address, unrelated to your personal or business email name or password, is a good idea for viewing sites like this.) https://www.isc2.org/cissp-emea-thank-you.aspx

To understand how to use risk to minimize adverse consequences, it is also necessary to understand when risk management will not work.

Risk management models are based on financial risk models developed in the 1920s and 1930s.   The last three years have shown that risk models developed for the financial world don’t work very well, even in the discipline they were developed in.  We need to maintain a healthy skepticism about how to evaluate risks.  Risk models don’t seem to work when:

  1. Losses are not monetized accurately. If you don’t know how much what you are protecting is worth, you don’t have an objective measure to determine how much loss you can accept (this is the problem with businesses not understanding Cyber Rugged Concept #1: digital data are an asset).
  2. The time period for estimating the occurrence of a risk is too short for likelihood to be evaluated accurately. Computer attack methods are changing yearly or more frequently as new attacks are developed. Even if we had data on ALL the attacks in the last 2-3 years, or even 10 years, those data wouldn’t be accurate for as yet undeveloped cyber vulnerabilities (just as the financial system risk models didn’t account for the new financial vulnerabilities of debentures and sub-prime loans).
  3. Individuals accepting the risk consider their personal gain over the benefit to the organization taking the risk (see this article about Marianne Jennings’ book Seven Signs of Ethical Collapse).
  4. There is no accountability, responsibility or consequences for failure.
  5. The greatest adverse outcome of the risk is non-monetary (reputation loss, peer review, adverse publicity, personal ordeal). Risk decisions are then based on avoiding those outcomes rather than on acknowledging and correcting vulnerabilities that could spotlight individual, management or governance weaknesses.
  6. There is a refusal to examine possible catastrophic outcomes (“if it happens we’ll deal with it then”), or denial of the possibility (“that will never happen!”). Any risk model breaks down here, because the organization will not have developed plans that could have mitigated extreme outcomes.

The information security risk model used by the US Government is published by NIST in NIST Special Publication 800-39 (March 2011). ISACA, a worldwide IT professional organization, has just published a compilation of research about information system risk management (free download) called Risk IT, which provides an in-depth course on what IT risk is and the elements of managing it.

Rugged is… enumerating the beneficial and adverse outcomes of a decision or action, and determining whether the negative consequences would cost more than the desired outcome would provide.


54 Responses to IV. Risk

  1. Joe Shively says:

    This section on risk was very interesting. Particularly the statistics on risk of death and what people perceive is the greater risk or threat.

  2. W says:

    If you want to determine if your data is worth something, try working for a couple of weeks without access to any of it and you should be able to tell if it has value. Is it something you can easily look up on the Internet, something that was generated with a minimum of work, or did it require a lot of research and thought to develop? This doesn’t cover it all but might give you a place to start evaluating exactly what your data is worth to you.

  3. GTM says:

    Having a home computer that suddenly went down, makes you take more seriously things like backups, redundant disk drives and the like. Until something like that happens, you tend to pay lip-service to those things….

  4. Mr. D says:

    Life is all about risk management. No matter what we do, there is a possibility of adverse consequences. The only people who do not have to deal with risk are dwelling under a tombstone and six feet of dirt.

  5. michael says:

    The model proposed by the speaker at first seemed odd. But when thinking about it more, the idea is really very good. The point is that threat and impact must be objectively determined and evaluated. Otherwise, conclusions may be false.

  6. Always Learning says:

    The greatest risk exists between the chair and the keyboard. On any given day, you do not know what is going on in someone’s mind that is reviewing the latest re-org chart.

  7. Vicky says:

    Don’t get me started on insurance companies…

  8. Jose H says:

    Risk management is so complicated and can lead one down so many different tangents that you get lost in it and lose the real value of what it means to you.

  9. ava shaw says:

    The section on Risk was quite interesting….especially that we are betting against ourselves when purchasing life insurance

  10. bbb says:

    I agree that we do a poor job at identifying, understanding and quantifying risk. Better risk models are needed to provide better understanding of the actual risk to information systems.

  11. Alexander says:

    I did not know that collectively and individually we were that bad at estimating risk !

  12. colston says:

    I notice no mention of Cloud computing in the article on risk…..?

  13. Chris says:

    Too often risk mitigation strategies are shelved due to the cost, even when the risk far outweighs the cost. Part of the problem may be that too many people in charge of the money in these cases see those delivering the message as Chicken Littles proclaiming “the sky is falling”. The other is that recovering physically from the damage of a possible risk may be cheaper in many cases than the prevention, but what is ignored and hard to quantify is that the integrity of the business and those in charge is lost, and may not recover. It’s when your integrity is lost that you’ll lose customers, and maybe even your entire business.

  14. WC says:

    Try the RISKIT Course

  15. JMH says:

    100% risk management is not attainable; we can do the best we can to manage risk. The first step in managing risk is performing a risk analysis.

  16. Charlie says:

    Interesting that upper case, l0wer case, number, special character combinations have no effect on making passwords more secure because of the hash tables. I guess organizations should stop requiring these and train employees to use very long passwords with some kind of mnemonic password memorization tricks.

  17. A Suggestion... says:

    A detailed discussion of the Quantitative Risk Matrix approach to managing risk would be appropriate in this section.

  18. Marianne says:

    The Bruce Schneier video was interesting.

    • jac says:

      Quantitative risk analysis is useful for setting insurance rates for drivers according to how old you are, how far you drive, what kind of car you have, etc. But very few business risks can be quantified in a meaningful way. This is one reason why DOD gave up on quantitative risk analysis & NIST followed suit in their risk methodologies. Numbers were arrived at by ceremonial judgments best known as PFA, or Plucked From Air. It became an exercise in checking off a box so that the organization can say they did a risk analysis for that period of time. There is an excellent book called Against The Gods, by Peter Bernstein, that is a history of the study of risk. If you want insight into how quantitative risk analysis failed in a big way, read The Big Short by Michael Lewis. This is a study of the meltdown of the credit default markets that led us to our current economic pain. Great models, lots of numbers, but very bad judgment caused people to buy these financial instruments and watch billions melt away. Nicholas Taleb’s book Fooled By Randomness is also worth a read. I found The Black Swan obtuse and solipsistic.

  19. bl says:

    Risks. So many times, so many people worry about what they should worry about less and don’t have appropriate concern for what they more likely should. The video was dead on. And I am guilty of this too… but only sometimes.

  20. Name (required) says:

    The biggest risk, in my opinion, will always be the uneducated users. I am amazed at some of the information my friends and family will give away without a moment of hesitation.

  21. Gregory says:

    Didn’t know there were some states that didn’t have disclosure laws on security breaches

  22. onehundred says:

    The Privacy Rights site shows WordPress servers were accessed by hackers in April – interesting.

  23. YC says:

    Risks are anywhere, 24/7 online, if you turn on your computer.
    Knowing the risk, then you will try to deal with it.

  24. Arctic says:

    Paragraph 6 regarding the Mississippi River and the “100 year period” is a perfect example of why the comment by “Name (required)” is right on……..the greatest risk is the “uneducated user.” Again, smart phones, iPads, etc., etc., are no reason to “deactivate” your common sense.

  25. protectmydata says:

    The biggest risk of our data is actually placing it on “a cloud”, today’s key concept, but still not secure.

  26. leewelch32 says:

    “The time period for estimating the occurrence of a risk is too short for likelihood to be evaluated accurately.”

    I love this line… over time, that is important to more than risk; you need a large enough sample to make statistical analysis valuable, in most cases.

  27. Janet Harris says:

    Really gets you thinking… Risk management models don’t seem to work when the time period for estimating the occurrence is too short to evaluate, such that computer attack methods are changing more frequently as attacks are developed.

  28. Longshot9 says:

    Good discussion of perception of comparative risk.

  29. jac says:

    I don’t think the organization understands how risk should be managed, since most of what goes on seems to be risk avoidance.

  30. concerned says:

    The greatest risk is sitting down and logging on

  31. OctalMan says:

    Everyone should be told that the equations governing risk are fantasies based on limited views of reality. Casinos are a fairly narrow field, and their numbers are less fantastic. But floods and IT threats are based on many assumptions of constant activity that are simply untrue. Nevertheless, one should still crank the numbers, because only by facing multiple scenarios in the relative quiet of the office can one prepare for the future. One should also assign a number to one’s fear – and notice how different people assign different numbers, depending on experience and temperament. This is not science. This is art.

  32. Buster says:

    I had a Sun Security trainer tell me if someone is determined to get into your system, they will. How does the risk calculation work then?

    • rpl3 says:

      The notion of risk and risk management are often misunderstood, not to mention risk assessment, mitigation and avoidance.

    • jac says:

      The process of estimating a risk is only one part of risk management. If you have a penetration of your system, you need an incident response plan. You need a backup system that works so you can restore data to the last valid point. You need contingency plans for the IT systems. You need a disaster recovery plan if the building burns down. You need a continuity of operations plan that allows you to function, albeit at a reduced level, until you can do a complete recovery. We have all of these things for our major applications and they are tested annually.

      Risk management is about establishing mitigations and compensations for the controls that fail. Even if a determined person gets in, it does not mean that your risk analysis is faulty. It means the event took place and your compensating controls are then put into action. When the Apollo program was working to put a man on the moon, one of the engineers famously said, “You want a valve that doesn’t leak and you try everything possible to develop one. But the real world provides you with a leaky valve. You have to determine how much leaking you can tolerate.”

      Replace the word ‘valve’ with ‘Sun workstation’ and you will see that this is an illustration of what is called ‘risk appetite’.

  33. Chippy says:

    I do worry about the risk of success. Risk is one of my own problems. The comment, “Humans are terrible judges of risk” is very true.

    The TED talks are very informative, but take a long time to watch. I plan on rewatching some at home, as there are parts I missed.

    What bothered me is the use of “are” instead of “is” when referring to data. I know the argument behind referring to a band using a plural rather than a singular (Journey are a good band. I love Glee) but it sounds so funny.

  34. Guest says:

    It’s true, people ignore the negative consequences in hope of a desired outcome. They will still respond to the email from a stranger requesting banking info in exchange for the possibility of a cash return.

  35. thedudea says:

    My method is to reduce risk.
    Number 1 on the list is not to open accounts, or certainly don’t use real information, when signing into retail store sites.
    Never use cell phone numbers as customer number.
    Never call the number on the back of a receipt for a survey.

  36. AID says:

    Good to know about DataLossDB, Cyber Security Index, Privacy Rights Clearing House and IT risk management, and the information security risk model in NIST 800-39.

  37. DJM says:

    Great section. Too many people do not realize the risk involved and how to protect themselves.

  38. JJS says:

    The facts on Risk Models are interesting!

  39. gfr says:

    risk management is hard to calculate but is a must for any business model

  40. nym says:

    So much to read and learn, alas so little time. Knowing the short lifetime of a CD, I had better start backing up my favorite music!

  41. KLS says:

    Risk management… understanding what you are willing to lose and how safe you feel about it.

  42. April says:

    It would be interesting to know how and why the definition of a 100-year flood is tied to the cited 63.4% likelihood of one of this size occurring in any 100-year period.

    • Freddie says:

      I would like to know if my bank had a database breach. This information should be made public so that picking a financial institution would not be so risky!

  43. SQW says:

    Very good material, I do learn a lot from this training, especially this section! Human beings always want to avoid risk and as a result, the chance of winning is avoided too.

  44. Mr. E says:

    Great quote from Bruce Schneier: “If it’s in the news, don’t worry about it. By definition, news is something that almost never happens.”

  45. Nick Cusimano says:

    Risk management isn’t just for IT.

  46. Rob says:

    No one cares about backups, the risk is not being able to perform a successful restoration.

  47. tbot1234 says:

    Risk must be taken seriously by all; otherwise, your data and network are only as strong as the least serious participant.

  48. Scott says:

    Effective risk assessment is critical to determining the appropriate security level.

  49. fcarner1 says:

    Is there such a thing as “denial” as a risk mitigation strategy?

  50. Jim Bennett says:

    Thanks for the course. Useful and informative but should not be mandatory.
