
Risk Management is a Utopian Kool-aid

Update: It should be noted that I am a believer in risk management, especially quantitative risk management, but simply want to highlight some of the effects that bounded rationality has on our ability to manage risk.  I want to push us towards a more optimized view of rationality and risk management.

When we think of how to protect our most sensitive data we have one of two approaches.  Security is a tactical approach and risk management is a strategic approach.  Security implies the implementation of sound risk management practices.  While technical people like to talk about ‘vulns’ it is the risk management people who wax philosophical about long term strategy, data centric vs system centric approaches, and drink from the fountain of Utopian kool-aid.

I too have paid my dues and talked about risk management in its perfect form.  This approach involves metrics, models, threat vectors, CIA triad, and a multitude of other factors.  Risk management was married long ago to the maiden of Capability and Maturity Models for long term vitality.  Combined, these two go hand in hand to protect data from the foes.  Or so the story goes.

Now, I’m not about to become a risk management heretic, but as Mahan Khalsa says in his infamous sales books, “let’s get real!”  One thing that risk management does not (typically) take into account is that people, humans, are irrational beings.  When it comes to assessing risk, managing hazards, making decisions, managing a crisis, navigating office politics, and altering perceptions we have a roadblock called emotion.  Within emotion are all the factors that influence our decision making capabilities, such as: fear, uncertainty, doubt, misdirection, and oh so many more.

History has shown that humans fear the small possibility of a quick immediate death much more than the larger possibility of a long term slow death.  The World Health Organization (WHO) reported that from 2003 – 2009 the total number of global deaths from Avian Flu was 257.  That’s not enough to even be a statistical anomaly, but we saw it on the cover of just about every magazine and newspaper around the world for a few months. The WHO does not even rank influenza, of any sort, in its top 10 causes of death.  In fact, chronic heart disease killed 7.2 million people in 2004, and road traffic accidents killed 1.27 million people.  We worry more about contracting a rare form of the flu and dying than we do of driving to the grocery store on a Friday night.

Proper MetriCon people might say that numbers don’t lie or have emotions, but the question is, “how good are those numbers?”  I recall one year an analyst group put out a press release saying that it costs companies $200 per lost credit card.  The following year many vendor companies ran with that number and sold their product as costing only $100 per record to protect.  This could result in a 50% savings.  The problem came the following year when the analyst firm revised their numbers to say that it only cost companies $80 per lost credit card.  (Numbers have been rounded and changed to protect their creators.)

I have been sold on the need for more metrics in risk management and security, but the problem is we need to temper our reaction to data the same way we wait for Service Pack 2 before purchasing software.

We need to temper our risk management approach to one that accepts the hesitation of people to make precise and accurate decisions, especially if they are not satisfying an immediate need.  I’ve spoken with many PCI Qualified Security Assessor (QSA) companies and many agree that companies focus on satisfying compliance first and push off risk management for a later date that sometimes never arrives.  The economics do not even need to matter as long as the immediate need is being satisfied.

People would rather spend more money now to satisfy compliance even if they could spend less over the long term to pave the road for a sound security strategy.  Why?  Well, there are many reasons but some of them include:

  • High turnover
  • Annual management based objectives (MBOs)
  • Immediate need for “compliance”
  • Lack of enterprise visibility
  • Siloed departments/divisions
  • Lack of information/education

It is the lack of awareness, information, and education that causes many companies to ignore the long term death and focus on the short term threat.  This can be like putting a band-aid on a bloody stump and calling it a mere “flesh wound”.

We need to accept that people are going to make irrational decisions and devise new and creative ways to re-educate them about the decisions they are making.  I think that better and better metrics are certainly a way to get there, but we are a long way from the panacea of payment security and risk metrics.

  1. May 5th, 2009 at 11:27 | #1

    For me it’s about people and processes with 1st priority and then comes technology second. I wrote several articles and a step by step instruction about Risk Management in IT on my blog at http://ITRiskSpace.com

    Visit and let us know what you think.
    Enjoy
    -Andreas

  2. May 5th, 2009 at 12:17 | #2

    I’m afraid I couldn’t disagree more. Just because the average person is disinclined to do the “right thing” doesn’t mean that we shouldn’t continue working to guide them to that thing. Yes, this implies a certain degree of subjective omnipotence, but I think you said it right in that these things are for the long-term good.

    In the spirit of your post, however, I’d acquiesce that we need to be doing something different. This is where I find the PCI DSS such an egregious regulation. It doesn’t really move us forward toward addressing the long-term issues. In fact, it seems to barely scratch the surface of the short-term issues. Breaches keep happening, and they keep getting bigger – hardly an endorsement for the standard.

    What we need is a complete shift in thinking, a move to a different model, that accomplishes the long-term goals without using the same old mantras and carrots.

  3. May 5th, 2009 at 14:54 | #3

    Ben, we ended up blogging about a similar topic and I didn’t even know it.

    I am certainly not saying that Risk Management is bunk. I’m a *strong* believer in RM and the CMM discussed in the post. I just think we need to alter our perception of RM from that of a scalpel to that of a beef cleaver. We always want the best for our people but end up facing the world of emotion and irrational thought.

    What is it that goes into our metrics? When we ask someone, “what application is the most critical to your business?” many say E-Mail! Though it may be important, I’d rather say the systems that keep the cash flowing are more important. I agree that we need to guide people in the right direction, but what is that right direction? With different business units touting different needs for a very limited number of resources, who is to say what the “right” direction is?

    I’d love to live in a world where we all have infinite volumes of information at an infinite level of understanding, but we do not. So, just like many CEOs, we must make decisions based on the info we have at hand and go with what the data and our gut tell us. Sadly, this is not a perfect approach.

    I advocate for better data, better information, and better guidance for the masses so they can make better risk based decisions.

    As for the PCI DSS, you know I feel that it is *one* good approach, but I also feel there are many others. If a company has a sound risk management method that focuses on protecting against the electronic and paper theft of payment card data, they are fulfilling the spirit of the standard. The path to this goal may come in many forms.

  4. May 5th, 2009 at 15:25 | #4

    @admin
    I’ve long been a fan of OCTAVE from SEI/CERT (http://www.cert.org/octave/) because it does what you’re talking about. It puts the business heads in a room, walks them through a reasonable process, and in the end produces a strategic risk-based approach to managing the organization. Unfortunately, very few organizations seem to value this approach, which is really too bad.

    Where I think your comments bear tempering is with regards to the amount of data we need. I think our friends from RMI would point out that in the world of Bayes, we don’t need a whole lot of data. Hence, FAIR makes for nice risk measurement. Combine this with your favorite CMM and off you go. :)

    All this being said, I think we agree that the model is broken; that we need a new way of thinking. People simply do not get tech risk in the same way that they get physical risk. And, even then, we see disproportionate focus on low probability events instead of the high probability events. :S

  5. May 13th, 2009 at 04:13 | #5

    Interesting thoughts here and both of you have touched on a topic that I would like to blog based on some recent work I have been doing. I think it is possible to talk about risk in both the context of a scalpel and meat cleaver – in the same conversation. Those in the actuarial profession have been doing this for years. In addition, given the fact that more and more companies are trying to manage operational risk better (which a lot categorize information security risk as operational risk) – being able to articulate to management what they should invest or set aside now and why is very important.
