SecurityWeek

Management & Strategy

“Probability” – The Red Herring Killing Security

Many people in security are talking about “risk.” But like Inigo Montoya says, “You keep using that word, but I do not think it means what you think it means.” Perhaps the most important thing that I’ve learned that too many of us are doing terribly wrong is using probability in our formulas. Here’s why.

Most of the simple risk formulas I’ve seen used are based on probability * impact. That sounds reasonable at first glance, and I think it’s fair to say that most of us don’t give it a second thought. The problem is that in the edge case where impact is very large but probability is very low, you end up with a low risk. That’s completely wrong.

Let’s take a look at a real-world event that illustrates this perfectly. On September 11, 2001, the unspeakable happened. It was an event that, while entirely plausible and certainly catastrophic in impact, never really made it onto the ‘high-risk’ list because of its relatively low probability. The result was that we didn’t plan for it. A tragic mistake many wish they could take back.

The problem this approach illustrates is that if something has a high impact, the probability basically doesn’t matter… it’s still a high risk. In security we need to understand this and stop with the bad math that shows how little we understand what we’re doing. Security folks have been accused of not really “getting” risk, and that’s fair. I think most don’t. Questionable (or just wrong) math doesn’t help.

If not probability, then what? The answer lies in something even more difficult to gather than the magic that is probability metrics. What we need to make the formula work is asset value. A simplistic formula of value * impact will give us an ‘at-risk’ metric that is usable for security. There are lots of interesting things in this discussion yet to be had. For example, how do we handle it when every asset owner wants to classify his or her things as ‘priceless’? I’ve worked in one of those environments where everything was priceless, and it made those of us in security properly mad.
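To make the edge case concrete, here is an added example (not from the article) that scores a constructed asset register with both formulas. The asset names, scales and numbers are assumptions chosen to show the inversion: a high-value, high-impact asset with a low probability estimate falls to the bottom under probability * impact and rises to the top under value * impact.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Asset:
    name: str
    value: float        # worth to the enterprise, relative 1..10 scale (constructed)
    impact: float       # severity if disabled/lost/stolen, 1..10 scale (constructed)
    probability: float  # estimated yearly likelihood, 0..1 (constructed guess)

# Constructed sample register; the numbers are illustrative, not measured data.
REGISTER: List[Asset] = [
    Asset("marketing-cms", value=2, impact=3, probability=0.60),
    Asset("dev-wiki", value=3, impact=4, probability=0.40),
    Asset("customer-db", value=10, impact=10, probability=0.02),
    Asset("payroll", value=8, impact=9, probability=0.05),
]

def probability_score(a: Asset) -> float:
    """The common formula the article criticises: probability * impact."""
    return a.probability * a.impact

def value_score(a: Asset) -> float:
    """The article's proposed 'at-risk' metric: value * impact."""
    return a.value * a.impact

def rank(register: List[Asset], scoring: Callable[[Asset], float]) -> List[str]:
    """Asset names ordered from highest to lowest score under the given formula."""
    return [a.name for a in sorted(register, key=scoring, reverse=True)]

def rank_shift(register: List[Asset]) -> Dict[str, Tuple[int, int]]:
    """Map each asset to its 1-based position under (probability*impact, value*impact).
    A large gap flags an asset whose priority depends on which formula you trust."""
    by_prob = rank(register, probability_score)
    by_value = rank(register, value_score)
    return {name: (by_prob.index(name) + 1, by_value.index(name) + 1) for name in by_prob}

if __name__ == "__main__":
    for name, (p_pos, v_pos) in rank_shift(REGISTER).items():
        print(f"{name:14s} probability*impact rank={p_pos}  value*impact rank={v_pos}")
```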

There is also the issue of giving assets a price tag. I would go out on a limb to say that many in IT simply don’t know and take bad guesses instead. This is why you want someone outside of IT to provide these answers. What are these assets you’re trying to protect worth to the enterprise? What is the impact if they are disabled/lost/stolen? I think these types of discussions are what security professionals, at all levels, need to have with the people who drive the enterprise. I believe when it comes to having concrete discussions about risk, the simpler the better.

In the end, we have to defend our ideas and decisions. We have to defend the math we use to tell our business counterparts why we’re making choices and recommendations. If these aren’t based on sound principles and an understanding of risk, there is no hope of being taken seriously. As a security professional it’s your job not only to understand the limits of your own understanding of risk, but also to responsibly formulate defensible calculations that drive your tactics and strategy. Using “probability” as a metric is not only black magic, but it’s going to give you the wrong answer.

And, let’s be honest with ourselves. We can’t afford another wrong answer.
