All risk management methodologies, whether qualitative or quantitative, assume that risk is the product of impact (what will the loss be if the event occurs) and likelihood (how likely is the event). Using this methodology, events which are catastrophic but rare, and events which are insignificant but almost certain, may both be labelled as medium risk. And the beauty of medium risk events is that they are almost always accepted by the business.
The problem is that this analysis is fundamentally flawed when considering security.
The risk management methodology is designed for random and accidental events. It is well understood how often buildings burn down. It is well understood how long the average power failure will be. This is true because actuaries have been recording tables of unlikely events for more than 100 years. But IT security isn’t old enough as a discipline to have actuarial tables, which is exactly why you can’t buy anti-hacking insurance.
The insurers know something that businesses haven’t worked out yet. Attackers completely control the likelihood. If they have decided to attack, the likelihood is almost certain, no matter how it’s been assessed in a risk methodology. Being hacked isn’t accidental and it isn’t random. Remediation of all security vulnerabilities with high impact, rather than just high risk, is required to improve security.
But if you ask an experienced security specialist to undertake a security review with a current and appropriate checklist, and then you act on all the high impact findings, it’s plausible that you will be more secure.
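As an added illustration that is not part of the article, the following script triages one constructed set of findings under both policies described above: the classic impact-times-likelihood matrix, and impact-only remediation. The three-level ordinal scale, the 3x3 bucketing thresholds and the finding ids are assumptions.

```python
# Added example, not from the original article. Compares two triage policies
# on the same findings: the classic impact x likelihood matrix, under which
# catastrophic-but-rare and trivial-but-certain both land in "medium" and get
# accepted, and impact-driven remediation, which treats likelihood as
# attacker-controlled and fixes every high-impact finding.

LEVELS = {"low": 1, "medium": 2, "high": 3}  # ordinal scale (assumption)


def classic_rating(impact, likelihood):
    """Bucket impact x likelihood on a 3x3 matrix into low/medium/high."""
    product = LEVELS[impact] * LEVELS[likelihood]
    if product >= 6:
        return "high"
    if product >= 3:
        return "medium"
    return "low"


def classic_remediation(findings):
    """Classic policy: only matrix-high findings are remediated."""
    return sorted(f["id"] for f in findings
                  if classic_rating(f["impact"], f["likelihood"]) == "high")


def accepted_under_classic(findings):
    """Medium-rated findings, which the article notes are usually accepted."""
    return sorted(f["id"] for f in findings
                  if classic_rating(f["impact"], f["likelihood"]) == "medium")


def impact_driven_remediation(findings):
    """Policy the article argues for: remediate by impact, ignore likelihood."""
    return sorted(f["id"] for f in findings if f["impact"] == "high")


# Constructed findings; ids and ratings are illustrative only.
FINDINGS = [
    {"id": "F1", "impact": "high", "likelihood": "low"},     # catastrophic, rare
    {"id": "F2", "impact": "low", "likelihood": "high"},     # trivial, near-certain
    {"id": "F3", "impact": "high", "likelihood": "high"},
    {"id": "F4", "impact": "medium", "likelihood": "medium"},
]

if __name__ == "__main__":
    for f in FINDINGS:
        print(f["id"], classic_rating(f["impact"], f["likelihood"]))
    print("classic remediates:", classic_remediation(FINDINGS))
    print("classic accepts:", accepted_under_classic(FINDINGS))
    print("impact-driven remediates:", impact_driven_remediation(FINDINGS))
```

Under the classic matrix F1 (the catastrophic-but-rare finding) is accepted as medium; impact-driven triage remediates it alongside F3.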
Phil Kernick Chief Technology Officer
@philkernick www.cqr.com