I get asked to justify my existence and what I provide as a return on investment. As part of that, I have tried to quantify the value of an information security or risk management program. If this were a normal blog, I would launch into a diatribe replete with all the necessary management buzzwords, catchphrases and witty clichés. This is not a normal blog, so if that is what you are looking for, you can move on.
Much of the time, information system risk management is based on existing risk assessment and monitoring frameworks, either insurance or financial or whatever. My opinion is that those don't work, mainly because those metrics are difficult for everyone to understand and they are basically rigged out to screw a customer. In the information systems world, the risk management framework needs to HELP a customer. I could be totally wrong, but these frameworks are developed by corporations with a profit motive (not that there's anything wrong with that).
The other weak link in the chain (for me) is that even in quantitative frameworks, there is still room for a single person or data input to fudge the numbers. When you are assessing a mortgage for risk, there is a history for the person, a history for the house and the general climate of the market. All of which let us down in the recent past, due to securitization, greed and complicated schemes to make it all look good. There isn't a lot of room for that in the information security world.
I know what also isn't working - technical numbers. Number of viruses caught by AV, IDS true/false positive rates, percentage of the environment patched. These don't work because an MBA can see 90% as pretty good. The problem with this is that even when you are at 100%, there is still an unknown number of zero-day exploits in deployed software, and there is still the element of human failure (lack of knowledge, misconfiguration and outright theft).
This wasn't supposed to sound all doom and gloom, though. I am pointing out that somehow we as a community are doing something wrong. Please comment if you have had success in this arena. I have not seen it yet.
I have been a fan of Eli Goldratt and the Theory of Constraints for about 10 years now, and I would love to figure out a way to apply ToC to information system risk management. You will notice I didn't say information security, because a holistic risk management program includes operational and security risks.
I say that for a couple of reasons: it is flexible for a dynamic environment, it depends on the improvement processes, and the measurements for success are easy to understand.
Where's my white board?