Information Security News mailing list archives

Bad Decisions Made Faster: How Qualitative Security Risk Assessments Are Making Things Worse


From: InfoSec News <alerts () infosecnews org>
Date: Mon, 24 Mar 2014 06:13:25 +0000 (UTC)

https://blogs.rsa.com/bad-decisions-made-faster-qualitative-security-risk-assessments-making-things-worse/?utm_source=rss&utm_medium=rss&utm_campaign=bad-decisions-made-faster-qualitative-security-risk-assessments-making-things-worse

By Derek Brink
blogs.rsa.com
March 19, 2014

Once there was a leadership team that was exceedingly fond of using risk assessments to make business decisions about information security. The team cared little for detailed discussions about threats, vulnerabilities, technical exploits, or a host of potential security controls. They wanted their subject matter experts on information security to explain clearly how their recommended investments in security controls would actually reduce the company's risk, and they ultimately wanted to make decisions based on the amount of risk the company was willing to accept.

Many security professionals, as well as many security vendors, tried but failed to communicate in this way and fell back into their old bad habits, frustrating everyone. But one day some pretenders came along, who let it be known that they could conduct qualitative (and even "semi-quantitative") security risk assessments that could be easily understood by the leadership team. Their security risk assessments were presented using bright colors, and had the property of being understood by virtually everyone. The pretenders were supported by a third-party advisor and highly trusted by the leadership team, who vouched publicly for their approach.

Does any of this fractured fairy tale sound familiar? It's based, of course, on Hans Christian Andersen's classic story, The Emperor's New Clothes. You can write the end of the story yourself. In spite of their misgivings, everyone goes along with the charade -- not wanting to appear stupid or unfit for his position -- until someone has the courage to point out the truth.

That's exactly what I'm doing here: Pointing out the truth about the qualitative and "semi-quantitative" risk assessments that have become so popular. They manifest themselves in the 5x5 "risk maps" that are typically visualized in vibrant green, yellow, and red. Everyone seems to be doing it—even security vendors are proudly incorporating it into the management consoles of their offerings.

Let’s define some terms:

[...]

--
Find the best IT Security talent without breaking your recruiting budget.
Jobs cross-posted to Simply Hired, Facebook and LinkedIn.
Hot InfoSec Jobs - http://www.hotinfosecjobs.com/
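As an added illustration of the 5x5 "risk map" the article criticizes (this is editor-supplied example code, not part of Brink's article or the InfoSec News post), the Python below constructs four hypothetical risks with made-up annual probabilities and per-event loss figures, scores each on a likelihood-by-impact map with arbitrary bin edges and colour thresholds, and compares the resulting ordering with plain annual expected loss. Every number, bin edge and threshold here is an assumption chosen for the demonstration; the point is that two risks whose expected loss differs by a factor of 20 land in the same cell, all four come out "yellow", and the ordinal product ranks them in a different order than the quantitative estimate.

```python
"""Added example: a 5x5 ordinal risk map versus a simple expected-loss estimate.

All bin edges, colour thresholds and risk figures are constructed for this
illustration and do not come from the article being discussed.
"""
from dataclasses import dataclass

# Likelihood bins: annual probability of occurrence -> ordinal score 1..5 (assumed edges).
LIKELIHOOD_BINS = [(0.01, 1), (0.05, 2), (0.20, 3), (0.50, 4), (float("inf"), 5)]
# Impact bins: loss per event in dollars -> ordinal score 1..5 (assumed edges).
IMPACT_BINS = [(10_000, 1), (100_000, 2), (1_000_000, 3), (10_000_000, 4), (float("inf"), 5)]


def _bin(value, bins):
    """Return the ordinal score of the first bin whose upper edge exceeds value."""
    for upper, score in bins:
        if value < upper:
            return score
    return bins[-1][1]


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float  # P(at least one loss event per year)
    loss_per_event: float      # dollars

    @property
    def expected_annual_loss(self) -> float:
        """Crude quantitative estimate: probability times loss."""
        return self.annual_probability * self.loss_per_event

    def cell(self) -> tuple:
        """(likelihood score, impact score): the cell on the 5x5 map."""
        return (_bin(self.annual_probability, LIKELIHOOD_BINS),
                _bin(self.loss_per_event, IMPACT_BINS))

    def ordinal_score(self) -> int:
        """The usual 'semi-quantitative' trick: multiply the two ordinal scores."""
        likelihood, impact = self.cell()
        return likelihood * impact


def colour(score: int) -> str:
    """Assumed traffic-light thresholds for the ordinal product (1..25)."""
    if score >= 15:
        return "red"
    if score >= 6:
        return "yellow"
    return "green"


def rank_qualitative(risks):
    """Names ordered by ordinal score, highest first (stable for ties)."""
    return [r.name for r in sorted(risks, key=lambda r: -r.ordinal_score())]


def rank_quantitative(risks):
    """Names ordered by expected annual loss, highest first."""
    return [r.name for r in sorted(risks, key=lambda r: -r.expected_annual_loss)]


# Constructed sample risks (all figures invented for the example).
RISKS = [
    Risk("A", annual_probability=0.06, loss_per_event=150_000),
    Risk("B", annual_probability=0.19, loss_per_event=950_000),
    Risk("C", annual_probability=0.60, loss_per_event=12_000),
    Risk("D", annual_probability=0.02, loss_per_event=5_000_000),
]


def compare(risks=RISKS):
    """Return both orderings plus the per-risk detail used to build them."""
    detail = {
        r.name: {
            "cell": r.cell(),
            "score": r.ordinal_score(),
            "colour": colour(r.ordinal_score()),
            "expected_annual_loss": round(r.expected_annual_loss),
        }
        for r in risks
    }
    return {
        "qualitative": rank_qualitative(risks),
        "quantitative": rank_quantitative(risks),
        "detail": detail,
    }


if __name__ == "__main__":
    result = compare()
    for name, d in result["detail"].items():
        print(f"{name}: cell={d['cell']} score={d['score']:>2} {d['colour']:<6} "
              f"EAL=${d['expected_annual_loss']:,}")
    print("ordinal map ranks:  ", result["qualitative"])
    print("expected loss ranks:", result["quantitative"])
```

Running it shows A and B sharing cell (3, 3) despite a 20x gap in expected loss, every risk coloured yellow, and C (the highest ordinal score) carrying the lowest expected loss. Multiplying ordinal scores is the step that manufactures this: the bins discard the magnitudes, so the product cannot recover them.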
