Yesterday, I was re-reading the FAIR book, Measuring and Managing Information Risk: A FAIR Approach, and something jumped out at me that I’d forgotten the first time I’d read it. The notion of getting hooked on the possibility of an event. Of course, the FAIR book pooh-poohs all over the qualitative risk assessment – and, from their perspective, with good reason – however, the point they make about possibility vs. probability is a good one to remember.
This notion of “well…it could happen” harkens back to one of these emails a few days ago when I was talking about the “kitchen-sink scenario” (even though I might not’ve quite called it that at the time). But it also should recall the story of Chicken Little from yesterday too…
…because, at this very moment, it is possible that…
…you might be hit on the head by a falling acorn…
…a bird might poop on you (assuming you’re violating the stay-at-home advice)…
…or you could win the lottery (assuming you bought a ticket)…
…or, that little red-haired girl you were too afraid to ask out on a date in school just might be standing up against the lamp post waiting for the same bus as you, Charlie Brown.
Probable AND relevant?
While we don’t think about it very often, this fascination with the “what if” gone too far is really what’s behind the threat-based approach to security. As long as we can think of threats, then we need to mitigate them.
But…funnily enough, the more controls you add, the more threats you create…from the application of the very controls you’re so vehemently vomiting around the place—whether you realize it or not. That’s the basis of understanding systemic risk…
…and it’s also something that most approaches to risk assessment don’t account for very well. Because, well…because it’s kinda hard.
That is, it’s hard if you don’t have a good way to approach it that helps you focus on the probable of the possible so that you’re responding to the relevant.
Yesterday I also found a quote from the 18th Century English author Samuel Johnson’s novel Rasselas: Prince of Abyssinia. In it, a mechanical wizard who had already invented a great many things for the pleasure of the Prince was talking about the amazing potential of being able to fly. However, despite the Prince being the beneficiary of his previous creations, the Prince countered with objection after objection as to why it would be impossible for man to fly.
- Even the strongest arms will tire.
- You won’t be able to go very far.
- If you go as high [as “the artist” suggested to make it worthwhile], you won’t be able to breathe.
- It would be too easy to fall.
And on…and on…and on…and on. Until finally, “the artist” replies, “Nothing will ever be attempted if all possible objections must be first overcome.” Which is the quote that basically sums up the fallacy of a threat-based approach to security.
So, the job of the risk assessor is to separate the probable and relevant from the possible—not based on their own views and feelings of a particular threat. And not even based on the potential likelihood of it occurring. All that comes much later.
The first thing that must be done is to figure out which ones are most related to the objectives that matter. The objectives that are owned by the customer of the risk assessment—be they business, IT or even another member of the security team. But the point is that they are owned by someone other than the person doing the assessment.
Because the customer is the person who either owns the risk or who is acting on their behalf to figure out whether the scenario, the approach or the context of the objective is sufficiently different to require a new course of action. So, in fact, there are two decisions that must be made in relation to any potential risk assessment:
- is the potential impact of a situation, scenario or event sufficient to warrant further consideration, and
- if it is, then how does that impact alter my ability to achieve what the objective’s owner seeks to accomplish?
Everything else done as part of the risk assessment needs to be focused on enabling those two decisions to be made. Of course, that’s what can end up being a quagmire that sucks you down into the depths of organizational and technical complexity, warping your perspective and your ability to communicate to a degree that you can’t connect with the customers you’re supposed to support.
Unless…unless you have a system for keeping you safe, allowing you to tap-dance around its edges with more confidence than Sammy Davis Jr. Now, maybe you already have a system that works for you, and if you do, then that’s great.
However, if you do have such a system, does it seamlessly integrate with creating the backbone of an integrated and effective security program? Or does it simply result in islands of information based on assumptions buried beneath the brow of its author and locked far, far away from anyone else who might use – or even question – its results and recommendations?
To make sure your assessments are alive, ready to inform and enable the future decisions of both yourself and the rest of the team, you’re going to need an approach like the one I describe in the pages of the upcoming May edition of Archistry’s Security Sanity™ print newsletter. However, this newsletter only goes to those who are already subscribers before the hard deadline—just under 3 days from the time I write this email (2 days, 19 hours and change, to be exact).
So…if you don’t wanna be left standing on the jetway watching this silver bird take to the sky, you’d better dash on over to this link, pronto:
Andrew S. Townley
Archistry Chief Executive