“Probability” – The Red Herring Killing Security

Many people in security are talking about “risk.” But like Inigo Montoya says, “You keep using that word, but I do not think it means what you think it means.” Perhaps the most important thing that I’ve learned that too many of us are doing terribly wrong is using probability in our formulas. Here’s why.

Most of the simple risk formulas I’ve seen used are based on probability * impact. That sounds reasonable at first glance, and I think it’s fair to say that most of us don’t give it a second thought. The problem is that in the edge case where impact is very large but probability is very low, you end up with a low risk score. That’s completely wrong.

Let’s take a look at a real-world event that illustrates this perfectly. On September 11, 2001, the unspeakable happened. An event that, while entirely plausible and certainly in the catastrophic category in impact, never really made it as a ‘high-risk’ item because of its relatively low probability. The result was that we didn’t plan for it. A tragic mistake many wish they could take back.

The problem this approach illustrates is that if something has a high impact, the probability basically doesn’t matter… it’s still a high risk. In security we need to understand this and stop with the bad math that shows how little we understand what we’re doing. Security folks have been accused of not really “getting” risk, and that’s fair. I think most don’t. Questionable (or just wrong) math doesn’t help.

If not probability, then what? The answer lies in something even more difficult to gather than the magic that is probability metrics. What we need to make the formula work is asset value. A simplistic formula of value * impact will give us an ‘at-risk’ metric that is usable for security. There are lots of interesting things in this discussion yet to be had. For example, how do we handle it when every asset owner wants to classify his or her things as ‘priceless’? I’ve worked in one of those environments where everything was priceless, and it made those of us in security properly mad.
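To make the edge case concrete, here is an added example (not from the column) that scores a constructed three-asset register with both formulas and compares the resulting rankings. The probability, impact and value figures are invented, and impact is assumed to be a 0..1 severity factor while value is the asset’s worth to the enterprise in dollars.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Asset:
    name: str
    probability: float  # assumed annual likelihood of a loss event, 0..1
    impact: float       # assumed severity of that loss event, 0..1
    value: float        # assumed worth of the asset to the enterprise (USD)


def probability_times_impact(asset: Asset) -> float:
    """The common 'risk = probability * impact' score the column criticises."""
    return asset.probability * asset.impact


def value_times_impact(asset: Asset) -> float:
    """The 'at-risk = value * impact' metric the column proposes instead."""
    return asset.value * asset.impact


def rank(assets: List[Asset], scorer: Callable[[Asset], float]) -> List[str]:
    """Return asset names ordered from highest to lowest score under `scorer`."""
    return [a.name for a in sorted(assets, key=scorer, reverse=True)]


# Constructed register: a low-value, often-attacked site; a mid-value portal;
# and a catastrophic-impact core system that is rarely hit.
CONSTRUCTED_REGISTER = [
    Asset("marketing-site", probability=0.60, impact=0.10, value=50_000),
    Asset("hr-portal", probability=0.30, impact=0.40, value=500_000),
    Asset("core-ledger", probability=0.01, impact=1.00, value=50_000_000),
]


def compare_rankings(assets: List[Asset]) -> dict:
    """Rank the same register both ways so the inversion is visible side by side."""
    return {
        "probability_x_impact": rank(assets, probability_times_impact),
        "value_x_impact": rank(assets, value_times_impact),
    }


if __name__ == "__main__":
    for formula, order in compare_rankings(CONSTRUCTED_REGISTER).items():
        print(f"{formula:>22}: {' > '.join(order)}")
```

Under probability * impact the catastrophic core-ledger lands at the bottom of the list; under value * impact it moves to the top.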

There is also the issue of giving assets a price tag. I would go out on a limb to say that many in IT simply don’t know, but take bad guesses. This is why you want someone outside of IT to provide these answers. What are these assets you’re trying to protect worth to the enterprise? What is the impact if they are disabled, lost or stolen? I think these types of discussions are what security professionals, at all levels, need to have with the people who drive the enterprise. I believe when it comes to having concrete discussions about risk, the simpler the better.

In the end, we have to defend our ideas and decisions. We have to defend the math we use to tell our business counterparts why we’re making choices and recommendations. If these aren’t based on sound principles and an understanding of risk, there is no hope of being taken seriously. As a security professional it’s your job not only to understand your limitations in understanding risk, but also to responsibly formulate defensible calculations that drive your tactics and strategy. Using “probability” as a metric is not only black magic, it’s going to give you the wrong answer.

And, let’s be honest with ourselves. We can’t afford another wrong answer.
