Manage Learn to apply best practices and optimize your operations.

Why you shouldn't wager the house on risk management models

Risk models can provide a way to communicate with management but don't fall into the trap of thinking that risk scores are a silver bullet for security. As Mike Rothman explains, risk management metrics are helpful at budget time, but be wary of putting all your eggs in the risk prevention basket.

When you've been in the security business as long as I have, you see lots of cycles and become a firm believer in the pendulum. For a long time, security was the "cool kid" in class. Everyone wanted to be its friend; the venture capitalists were throwing money at the market and new-fangled "security officers" were the new power brokers in IT land.

The reality is that nearly all risk-modeling approaches force you to make estimates based on assumptions that are in turn based on estimates. It's kind of like building a hotel in a swamp.

Then CFOs started questioning all this "investment" in security. CEOs wondered why their companies weren't more secure now than five years ago. If anything, they felt less secure. We, as an industry, became enamored with the technology and forgot to focus on how security affects the organization. Ultimately any impact we have as security professionals has to be about money: we either make money or we spend money..

Now the pendulum is swinging toward risk. We don't focus on eliminating vulnerabilities or threats; we are all about mitigating risk. Why? Because risk is an economic metric, and as I mentioned before, to executives, it's all about the money.

The CFO and other moneymen (and women) justifiably want to see quantification. We say we have "reduced" risk, but what exactly does that mean? How do you speak the language of risk? Ultimately it gets back to perhaps the hardest thing we as security and risk professionals need to do, and that's to quantify what we do.

Traditionally, the risk equation was "Risk = Loss * Threat * Frequency" where:

  • Loss is the economic value of lost revenue due to a security issue;
  • Threat is the likelihood (as a probability) that an event would happen;
  • Frequency is how often such an event would happen.

Some risk modelers maintain that it makes sense to assess the risk on key assets and work to reduce the threat or the frequency of the attack happening. A number of frameworks have been built to help model and quantify risk, including OCTAVE and FAIR:

  • OCTAVE -- As described on its Web site, the Operationally Critical Threat, Asset, and Vulnerability Evaluation, or OCTAVE, focuses on organizational risk and strategic, practice-related issues, balancing operational risk, security practices and technology. It is asset-driven, self-directed and looks at security practices only as a means to reduce risk to the most important assets of the organization.
  • FAIR -- Factor Analysis of Information Risk is a methodology that focuses on understanding, analyzing and measuring information risk. By isolating the factors that comprise risk and then measuring, simulating and analyzing what could happen across a number of risk scenarios, FAIR aims to provide a standard context to discuss risk in an organization.

However, spending considerable resources to build a risk model may not be the best use of an organization's time. The reality is that nearly all risk-modeling approaches force you to make estimates based on assumptions that are in turn based on estimates. It's kind of like building a hotel in a swamp. You need to understand the numbers are just numbers. Seriously, the risk number could be 42 or it could be 142,000, it doesn't matter. What matters is that is whether the security organization can track a consistently derived metric and show improvement over time. There is no real precision in a risk quantification; it's all about measuring the relative risk.

A lot of risk bigots believe that it is possible to gather enough data to get a good feel for frequency and threat numbers. They figure the insurance guys do it, so why not us? Actuaries know that I'll get into 3.7 car accidents over my lifetime based on where I drive, what kind of car I have and my general demographics. Security pros, however, just don't have that level of data, nor is it cost effective to try to gather it.

For more information:
In this tip, contributor Khalid Kark discusses five steps to building information risk management frameworks.

Security management expert Mike Rothman offers advice on the most effective ways to manage and access security risks, threats and vulnerabilities.

In this expert Q&A, Mike Chapple discusses the relationship between open port range and overall security risk.

The real point here is that risk is a means to an end. The focus should be on why you are actually calculating your risk. Is it to get money for new initiatives? Is it to set a baseline that the organization can manage against? I recommend doing the least amount of modeling in order to achieve your goals and then get on with things. Calculating risk to the Nth degree doesn't keep attackers at bay.

What security managers should strive to do is get a relative idea of the risk to each major business system that keeps the business operating. And any kind of security person worth his or her salt should already know what major systems are most important and what the potential risks to those systems are.

Thus the risk model provides the security group and management alike a common metaphor to discuss the investments needed to avoid the risks. Period. Talk in business terms, saying, "If we make the following investment, we can reduce the likelihood of a bunch of bad stuff." The executives will scrutinize your numbers and if they believe you, then you'll get the money.

Do not, however, fall into the trap of thinking that risk management and quantification is a silver bullet to solve any of your ills. It allows security to be discussed in a language management understands, and there is definite value there. But we as security professionals are still on the hook to get our jobs done, and no risk score is going to help us do that.

About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also's expert-in-residence on information security management. Get more information about the Pragmatic CSO at, read his blog at, or reach him via email at mike.rothman (at) securityincite (dot) com.

This was last published in December 2007

Dig Deeper on Risk assessments, metrics and frameworks

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.