Risk assessment, as currently practiced in information security, is dead. I'm not saying we need to eliminate risk management altogether as a concept, but it needs a complete overhaul to deal with risk in the 21st century. Our concept of risk as a static condition must evolve. Information security risk should be viewed as organic and perpetually changing; we cannot assume we have all of the facts necessary to assess it.
To begin an overhaul of risk management, we need to review its origin. Current risk management practices were inherited from other fields such as insurance. Insurance companies need to calculate the risk associated with providing coverage for possible losses from fires, floods and other natural events. Traditional risks are far easier to comprehend than information security risk. We understand the risk involved with fire and floods instinctively. These types of risk cause involuntary reactions and emotional responses because they are hardwired into our brain to protect us from physical harm. Information security risk is different in that it cannot be seen, touched, felt or heard; it has no obvious physical ramifications to our safety.
I experienced this contrast between traditional risk and "virtual" risk during a presentation of our annual penetration test results. I didn't get much response from the audience when showing how our tests brought down a particularly vulnerable host. But when I clicked to advance the slide and there was a picture of our pen tester standing in a restricted area as a result of social engineering, the response was immediate and visceral even though the risk level was similar to the technical issue on the previous slide.
Technology has created a virtual environment that changes the rules for risk assessment. Risk is defined as the probability of an event happening times the impact of the event. What happens when you don't know that the event even exists? For example, in the building of a bridge, we know that the risks identified during the design won't change drastically over the life of the bridge. The risks identified when Windows XP originally shipped changed drastically over the life of the operating system. The technology for finding exploits has improved so quickly that our old-world risk assessment cannot keep up. Would a risk assessment performed in 2001 for Windows XP include the risk of a phishing attack?
Why are the risks evolving so quickly for electronic systems? This comes down to simple mathematics: 20% of the world's population is using a computer on the Internet. The odds of one of these people finding a critical vulnerability -- even by accident -- are fairly good and increase more if they're intently looking for vulnerabilities that could generate a profit.
I learned just how creative people can be when my company blocked an online auction website due to a policy change. A few users found ways to bypass the blocks by using search engine caches or by accessing alternate sites in other countries. I would not have regarded any of these users as "hackers." Our policy was in their way and given enough time and determination, they circumvented it.
Formal risk assessment is a useful tool to acquire information and mitigate traditional risks. It's not useful in determining an overall information security strategy because the risks change too quickly with technology. Information security professionals must develop a learned response to technological risks that is similar to our response to physical risks. Only then can they react quickly enough to ever-changing threats and secure their organizations' computer systems.
Joseph Granneman is CTO/CSO of Rockford Health System in Rockford, Ill.