Wednesday, October 29, 2008

Schneier is on to Something

I usually don't read Bruce that often, but I came across a post about Risk Management making Sense. My takeaway was that we can inherently perform risk management when confronted with taking meat from a lion on the African plains in 10,000 BC, but we are challenged by more complex threats and vulnerabilities.

I have been having some deep conversations with my wife and others about better ways to measure and manage risk. My recent contention is that, with so many changing and evolving threats, should we just presume there will be a threat whenever a vulnerability is present? Or one generic threat that could be tied to just about anything (Hacker Compromises System)? I don't know.

Getting back to the deep conversations, we try to draw parallels to cars. There are only so many things that can happen to a car, and only to varying degrees. We, as the (supposedly) responsible operator, take certain steps to reduce risks to the system (it's snowing, so drive slower; that tree looks like it could fall on my car, so perhaps I shouldn't park there). The insurance company can infer certain things about how the car will be operated based on demographics, statistics, etc. A 16-year-old football star will operate the car differently than a 42-year-old soccer mom. We may also be transporting gold bars in the trunk of the car, but the car insurance people can't deal with that, because they are insuring a 1986 Toyota Tercel, not 37 million dollars in gold bars.

In this story, we only ever really care about impact (my car's been stolen with gold in the trunk). But we wouldn't be driving an '86 Tercel with all that gold in the trunk. My stuff would be in an armored convoy with air support (à la Italian Job). One could argue that putting your gold in a Toyota is a bad move (it is!). However, inside organizations all over the world, it is happening right now, because of the intangibles that aren't or can't be (easily) measured.

Gold is something we can assign a value to, at the time of writing $749.11 an ounce. Data that could be turned into Information and then Knowledge generally has only intrinsic value to the information owner (IO). They just need a place for it to live and be processed. The System Owner (SO) can't assign a discrete value to the information, because the SO doesn't know the costs associated with creating it. Further, the SO doesn't know the possible damage in case of leakage, corruption or inaccessibility. The SO has more to worry about in the face of inexperienced staff (the 16-year-old jock), problems with the data center (the tree falls) or any other metaphor you want to assemble.

My end point here is: how do we measure risk in a way that says what needs to be said and warrants the controls needed (and justifies buying a newer, more secure car, like the Mercedes with the laser-cut keys)?

1 comment:

Christian said...

It is a difficult thing to do, but I believe that a lot of smart people are putting their heads together to make it easier. In addition they are also providing frameworks and common terminology so other people can leverage this work too (I'm mainly thinking of FAIR here but there are others).

The primary reason I'm commenting though? '87 Tercel was my first car... you gave me massive bouts of déjà vu!