Tuesday, March 22, 2011

Risk management: what does it mean?

Alex Hutton has a bizarre response to my last post, full of ad hominem attacks, even implying I’m a bad pen-tester. It’s a bit weird.

In any case, the core of disagreement is over how we use the term "risk management", as shown in this comment:
what Rob doesn’t seem to understand is that post-incident risk management is kind of like causal analysis, but (hopefully) with science involved

I’ve never thought of incident analysis (a.k.a. causal analysis, a.k.a. failure analysis) as part of risk management. Indeed, it’s the unhealthy obsession with incident analysis that is what’s wrong with cybersecurity.

Most people assume that risk management is about preventing bad things from happening. That’s not true. A "risk" could mean good or bad, and "management" means, well, managing risks, not eliminating them. As the Wikipedia article on risk management says, it’s not only about minimizing unfortunate events, but also maximizing opportunities.

That "maximizing opportunities" never comes up in cybersecurity risks management, which is why cybersecurity is so out of step with the rest of the company. If cybersecurity experts had their way, they wouldn’t let the website go live until they’ve made sure that it’s impossible for hackers to break in. But from the CEO’s perspective, that delays time-to-market: the risk that competitors come to market first is a bigger risk than hackers. When the CEO makes the website go live, even though you’ve warned him of obvious vulnerabilities, it means he understands risk management better than you do.

Everybody does incident analysis after a hacker breaks in. Nobody does incident analysis after the website was delayed because of cybersecurity concerns. Yet, from the CEO’s point of view, these are equal risks. The fact that cybersecurity focuses on one, but not the other, shows how out of touch our industry is.

Another way of defining "risk management" is "uncertainty management". If you wait until the incident is over, then you aren’t dealing with uncertainties anymore. The fascinating thing is to discuss what’s uncertain.

For example, as Alex points out, nobody trusts that TEPCO (the company operating the Fukushima power plant) is telling the truth. Alex says that means we can’t do risk management. I say the reverse: this is a great example where the government, businesses in the area, and average citizens have to make decisions based upon the uncertain information TEPCO gives them. They can’t wait until the incident is over -- they have to act now. Government policy makers have to take the information TEPCO gives them, make guesses about TEPCO’s honesty and competency, and make decisions, for example, how far from the plant people should be evacuated.

That’s risk management, not post-incident analysis.


Anonymous said...

Great points to help shift one's viewpoint and thinking.

It can also be thought of in terms of ROI: you're balancing investing in locking down the site vs. the lost opportunity costs of delay.

At which balance point are you maximizing gain and minimizing risk?

Robert Graham said...

You mean "maximizing gain and minimizing loss"

Sorry for being pedantic :-)

Unknown said...

Back to You, Rob:


Anonymous said...

I'm certainly not an expert in these things, but I believe both you and Mr. Hutton are right.

Risk analysis can be done at any given point in time. And it will always be on the information you have now, not on the information you could have.

Incident management however is a process of defining what to do when a risk becomes a reality and you can only evaluate that after the fact.

I'm sure in the coming months we will see people getting blamed for not properly following procedures or not accurately defining them. You can only do that if you have the information, and I believe that is what Mr. Hutton made.

Anonymous said...

I meant to say 'meant' in the comment above, not 'made'.

Anonymous said...

No problem, pedantic is what I am here for. ;)

skmft40@rmo56h said...

Always good to have a healthy disagreement; I think you two are closer in opinion than you think. But in all honesty, Alex is talking about risk from years of research and experience in the field, and I'd guess you're talking about it from a more technical security background. Also, I'd like to refer you to Gunnar's article (an article I had tossed at me when I compared risk and uncertainty),

Anonymous said...

Can you please share or give me a scenario of risk management.