
Why Depending on Cyber Risk Assessments is a Risk

Just this past week, a recent study hit the news that concluded – as many studies have before it – that the Transportation Security Administration (TSA) is fundamentally not effective at making air travel more secure in a post-9/11 world.

One of the major failures? Their periodic screening process.

It seems that, for a variety of reasons, their methods are not only causing the ineffectiveness but are themselves a source of additional security risk above and beyond the threats they’re trying to stop.

As I engage with customers across industry, I see the same kind of approach being duplicated in cybersecurity too, and it’s having the same kind of effect on companies trying to get safer.

Problems With Cyber Risk Assessments

For a long time now, it’s been a widely accepted “check the box” cybersecurity practice to engage in periodic cyber risk assessments designed to give management assurance on whether their cyber defenses are adequate.

The central issue is that any cybersecurity process that relies heavily on periodic risk assessments as an indicator of its security status is not only giving the company a false sense of how safe they are, but it’s deflecting energy and resources away from discovering, mitigating and/or preparing for real active and immediate cyber threats.

Let’s take a look at just a couple of the areas of concern.

Polaroid Security

A friend of mine recently told me about an experience she had with an online dating site. She’d been corresponding for about a month with a guy she had really come to like. Plus, from his picture, she really felt like he was her type; rugged, handsome and dark-haired.

When they met in person, let’s just say things had changed. He was at least 15 years older than his photo, his hair was now white, and he had gained about 40 pounds and started smoking.

When it comes to cybersecurity, many companies that engage in periodic or annual risk assessments and feel comfortable with the picture that comes out of it are also flirting with disappointment – and maybe even disaster.

The cyber threat landscape changes almost hour to hour. Certainly every week, new threats arise and old ones change. They have new targets and achieve new ends to their means.

For the companies themselves, risk is also “alive” and dynamic. There are new products, new websites, customer portals, new locations and of course new technologies being used all the time.

And that’s where the problems with risk assessments start.

The risk assessment is just a snapshot in time. Companies often pay lots of money to have their internal risk management teams, managed service providers, expert consultants and security vendors assess and report on their cyber risk at a point in time. Typically, this occurs annually.

But that picture changes almost as soon as it’s read. In fact, because many of these assessments take months to perform, the risks they call out (or not) have often changed by the time the assessment is delivered.

Thus, when the report is finally analyzed and assessed, the company goes off from there making dangerous assumptions and having their alertness to possible new threats lowered by the sense that they have a good grasp of their risk profile.

The Cocktail Party Effect

Have you ever been talking to a couple of people only to tune them out when you hear something of interest being said by someone involved in a totally separate conversation happening near you in the same room? Of course you have. In fact, we all have.

Back in the 1950s, researchers began to identify something known as “The Cocktail Party Effect.” Put simply, it’s our brain’s ability to filter out one set of signals to focus on a single signal that grabs our attention.

In the cyber world, this phenomenon leads to a big problem when it comes to risk assessments.

Beyond a false sense of security, often companies will use these reports to set cyber defense strategy in motion for security operations, hardware and software acquisitions, legal counsel and more. It is a kind of throwing good money after bad, such that there are real long-term negative effects from just one single risk assessment.

It seems that the risk assessment itself is kind of like hearing your own name spoken at a noisy cocktail party; it uses our tendency toward selective attention in some situations to tune out other voices and hear only what’s being said about you in that other conversation.

So what’s the alternative? A program of “living” cyber threat intelligence across tactical and strategic levels. In other words, the analysis that comes from actively and continuously monitoring your cyber risk profile across all parts of your business operations versus the specific threats out there that match it.

Back in 2010, Marijn Ornstein, frustrated security boss of Amsterdam’s Schiphol Airport, said:

“If you look at all the recent terrorist incidents, the bombs were detected because of human intelligence not because of screening … If even a fraction of what is spent on screening was invested in the intelligence services we would take a real step toward making air travel safer.”

Just as with the TSA and air travel, there’s ample evidence and support in the cyber domain for the use of intelligence approaches, but the industry and our governments are currently too slow in learning the lesson.

Meanwhile, businesses line up for screening, just as they’ve been doing, while the criminals continue to go around and get through undetected.
