2013-03-12

Å.R.E.

Day 1 of this year's Åre Risk Event. My personal key take-aways.

Accidents will happen. Social science holds the answer.
Making cities resilient. Disasters are not 'natural'.
Build back better. Guidelines for reconstruction.
Revisit Maslow in the face of existential risk. Courageous individuals with visions.
Bring educators, practitioners and researchers together.

Local readiness, national platforms, UN directives.

Lots of activity in the public sector. How do we define and measure effectiveness?

2013-03-03

mind those bookmarks

So, how does one maintain a Delicious bookmarks collection?

I'm pretty sure it will involve more than just creating additional bookmarks and hoping the old links still work...

A few years old and at 144 links it's no longer rudimentary enough to ignore. Apparently, I've managed to use well over a hundred tags, a ridiculously detailed level. This in itself would justify a mild make-over.

And no, free-text web searching would not do the trick. I find my bookmarks useful. Your mileage may vary.

2013-03-01

do you accept?

The easiest way to treat a risk is not to.

Risk acceptance is perfectly reasonable in many cases where it would be too expensive or even impossible to mitigate a risk. Exposing a system to the Internet carries substantial risk and yet we do so because that's where potential customers are.

Who has the authority to accept risk? It's down to policy, ownership of systems and ultimately management structures.

Risk acceptance should be a conscious, documented decision and not just lack of action.

2013-02-14

on intersubjectivity

We cannot measure information risk. Not in monetary terms, not on any quantitative scale.

We can (and must) assess risk through lenses available, but to achieve business relevance we need an element of intersubjectivity. A metric shouldn't depend on what individuals happen to be involved.

Therefore, we need methods based on a common understanding of basic concepts. We could take a vote on what constitutes a "threat" but the fact that we need to take a vote is a reflection of low industry maturity.

2013-02-05

objective it isn't

With all its deficiencies - biases, incompleteness and errors - a systematic SRA is our best hope for tackling security risk.

If we document what perspectives are represented, how risk is constructed from components, how likelihood is quantified - if the SRA is transparent - the reader will know how to use it, what to trust and what to improve.

When I as your assessor do my level best with adequate resources and you as system owner trust me, we can get a lot done. Just don't call it objectivity.

2012-11-01

the impeccable historical record

Risk should be objectively quantified.

A quantified risk level guides decision makers in prioritizing how to spend wisely in treating risks. If applied information security is to be realized cost-effectively, the risk level is our tool. It is derived by estimating the risk event in terms of its probability and impact - ideally in monetary terms.

Objectivity in risk quantification requires historical data as a foundation for event likelihood plus a thorough understanding of its business impact.
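The "probability times impact, ideally in monetary terms" quantification described above, and the earlier point (in "do you accept?") that accepting a risk should be a conscious, documented decision by whoever holds the authority, can be shown together in one small risk register. This is an added illustration, not code from the blog: it assumes the usual annualized form (annual rate of occurrence times single loss expectancy), and every register entry, owner name, cost and effectiveness figure is a constructed sample value.

```python
"""Worked risk register: quantify each risk, rank by expected annual loss,
and record an explicit treat-or-accept decision for each entry.

Assumptions (added example, not the post's own method):
  risk level = probability x impact, expressed as
  ALE = ARO (expected occurrences per year) x SLE (monetary loss per occurrence).
All sample figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    aro: float                # annual rate of occurrence (events per year)
    sle: float                # single loss expectancy, money lost per event
    mitigation_cost: float    # annual cost of the proposed treatment
    mitigation_effect: float  # fraction of the loss the treatment removes, 0..1
    owner: str                # who has the authority to accept this risk

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: probability times impact, in money."""
        return self.aro * self.sle


def residual_ale(risk: Risk) -> float:
    """Expected annual loss that remains after the treatment is applied."""
    return risk.ale * (1.0 - risk.mitigation_effect)


def rank_by_ale(risks: list[Risk]) -> list[Risk]:
    """Highest expected annual loss first; this is the prioritization order."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def decide(risk: Risk) -> dict:
    """Treat when the treatment saves more per year than it costs.
    Otherwise the risk is accepted, and the acceptance is attributed to the
    owner so that it is a recorded decision rather than a lack of action."""
    saving = risk.ale - residual_ale(risk)
    treat = saving > risk.mitigation_cost
    return {
        "risk": risk.name,
        "ale": risk.ale,
        "annual_saving": saving,
        "mitigation_cost": risk.mitigation_cost,
        "decision": "treat" if treat else "accept",
        "accepted_by": None if treat else risk.owner,
        "rationale": (
            f"saving {saving:.0f}/yr exceeds cost {risk.mitigation_cost:.0f}/yr"
            if treat else
            f"cost {risk.mitigation_cost:.0f}/yr exceeds saving {saving:.0f}/yr"
        ),
    }


def decision_log(risks: list[Risk]) -> list[dict]:
    """Decisions in priority order: the documented output of the assessment."""
    return [decide(r) for r in rank_by_ale(risks)]


# Constructed sample register (hypothetical values, not real figures).
SAMPLE_REGISTER = [
    Risk("internet-facing web app compromise", 0.5, 200_000.0, 40_000.0, 0.8, "Head of IT"),
    Risk("laptop theft", 2.0, 5_000.0, 3_000.0, 0.9, "IT operations manager"),
    Risk("datacentre flood", 0.01, 1_000_000.0, 50_000.0, 1.0, "CIO"),
    Risk("office power outage", 1.0, 2_000.0, 15_000.0, 0.95, "Facilities manager"),
]


if __name__ == "__main__":
    for entry in decision_log(SAMPLE_REGISTER):
        print(f"{entry['risk']:<38} ALE {entry['ale']:>10.0f}  "
              f"{entry['decision']:<6} {entry['rationale']}")
```

The ranking is what the post calls the tool for prioritizing spend: the web application sits on top with ten times the expected loss of the next entry. The two accepted risks show the point of "do you accept?": the flood and the power outage are not ignored, they are recorded with a named owner and a reason, so a reader of the assessment can see that someone chose to carry them.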

2012-10-01

talking straight

Risk should be objectively described.

If a risk isn't clearly described, it simply isn't understood and will not be effectively treated.

Poor risk descriptions all but ensure that valuable insight from the SRA never reaches the right ears.

Objectivity in risk description requires pedagogy, language skills and sufficient boldness to communicate in no uncertain terms so that all stakeholders will understand the risk - through its interrelated components - the same way we did when constructing it.

2012-09-02

infinite expertise with zero bias

Risk should be objectively identified.

This implies establishing timing and scope in such a way that best supports the decision situation which triggered this SRA.

We must also capture the most important risk components and successfully construct combinations which constitute the most relevant risks within scope.

Objectivity in risk identification requires complete knowledge of our system as well as existing threat sources and vulnerabilities plus unlimited creativity and a total lack of bias.

2012-08-19

objectivity, anyone?

Objectivity implies a guarantee against bias, intentional or accidental. Emotions or prejudices must be controlled. Objectivity means presenting a just view of the world as it really is.

If a Security Risk Assessment (SRA) is to be objective, three conditions must be met.

Risk should be objectively identified.

Risk should be objectively described.

Risk should be objectively quantified.

All three conditions must be met, or the SRA will not constitute an objective statement about security risk.

2012-07-14

objectively yours

We like to think of Security Risk Management as an objective practice. After all - if stakeholders are expected to foot the bill for mitigating risk, they will want to base such a decision on solid ground. They need facts, don't they?

Hold it right there.

What is a fact about risk? Risk concerns potential future events. What facts do we have about the future? That's right. None whatsoever.

So, in the absence of facts - what can we offer? Is there such a thing as an objective risk assessment?