By Luther Martin E-Commerce Times
03/26/07 4:00 AM PT
Convergence is again a hot topic. In the past, it described how voice and data traffic would eventually coexist on IP networks. Now it frequently refers to the trend of integrating information security functions into traditional corporate risk management organizations. There are good reasons for doing this, but the risks may ultimately outweigh the rewards.
The desire to comply with Sarbanes-Oxley and other regulations is one driver for IT security and risk management convergence. Another is the migration of more corporate assets to information technology.
As digital information emerges as a company's core asset, it's a natural temptation to embrace converged risk mitigation and IT security practices. On the other hand, a closer look at information security casts some doubt on whether this strategy will be effective in the long run.
Traditional Risks
The traditional definition of risk involves a simple formula: The probability of an event multiplied by the loss associated with the event. Analysts estimate that there is roughly a 10 percent chance of a laptop computer being lost or stolen per year. If the laptop plus the data on it is worth US$10,000, this means the laptop has $1,000 of risk associated with it (10 percent of $10,000) per year.
Now, let's examine some potential cost scenarios. If we can eliminate a $1,000 risk by spending $100, that's a worthy investment. If it costs $2,000 to eliminate a $1,000 risk, then we are better off just accepting the risk.
Unfortunately, this model doesn't address three other general types of risks.
Other Risks
Some risks can be directly perceived. A person standing near a busy road can directly perceive the danger associated with the nearby traffic. Risks that are directly perceived are easily managed. They are so easily managed, in fact, that everyone becomes their own risk manager, which can easily cause conflict with organizational policies. Few information security risks are easily perceived and measured.
Other risks can only be perceived with the aid of science or technology.
This is the area in which traditional risk management methodologies excel. Some information security risks fall into this category. You cannot directly see if your network is under attack, for example, but with the right technology, such attacks become obvious. However, because the chances of many security incidents happening, or the damage resulting from such incidents, are difficult to quantify, traditional risk management methodologies can be difficult to apply in such situations.
Applying traditional risk-management concepts to information security can even lead to very puzzling results. In his doctoral dissertation at Stanford University, "How Much is Enough? A Risk-Management Approach to Computer Security," Kevin Soo Hoo performed a careful cost-benefit analysis of information security technologies and found that firewalls, for example, cannot be justified using this model. Would any organization be willing to eliminate their firewall based on such an analysis? Surely not.
Virtual Risks
Other risks are virtual risks: risks that science and technology cannot definitively characterize. Because the extent of these risks is not understood, they may more appropriately be called an "uncertainty" rather than a "risk." If you know the chances of an event happening, it is a risk; if you do not know the chances of an event happening, it is an uncertainty.
Rather than managing risk, much of information security may be more appropriately thought of as the management of uncertainty. That's because the probabilities of many security incidents are unknown. What are the chances of an e-mail being intercepted on the Internet and read? What are the chances of an adversary exploiting a buffer overflow vulnerability that exists in an unpatched Web server? Alas, we simply don't know the answers to these questions. Many potential information security vulnerabilities therefore fall into the category of virtual risk, making it very difficult to manage these with traditional risk management methodologies.
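As an added illustration, not part of the article, the following Python puts the risk formula and cost-benefit rule from the laptop example into code, then applies the same rule when the probability is only known as a range, which is the "uncertainty" case just described. The laptop figures are the article's own; the web-server probability range, loss and control cost are constructed placeholders, and the notion of a control with a given "effectiveness" is an assumption made here to generalize the article's "eliminate the risk" case.

```python
from typing import Tuple

# Added example (not from the article): the risk formula and cost-benefit
# rule, then the same rule when only a range of probabilities is known.
# Laptop figures are the article's; everything else is constructed.


def annual_risk(probability: float, loss: float) -> float:
    """Risk as the article defines it: probability of the event times the loss."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return probability * loss


def decide(probability: float, loss: float, control_cost: float,
           effectiveness: float = 1.0) -> str:
    """Cost-benefit rule from the article.

    A control that removes a fraction `effectiveness` of the risk (1.0 means
    it eliminates the risk, as in the article) is worth buying when the risk
    it removes exceeds its cost; otherwise the risk is simply accepted.
    """
    removed = annual_risk(probability, loss) * effectiveness
    return "invest" if removed > control_cost else "accept"


def decide_under_uncertainty(probability_range: Tuple[float, float], loss: float,
                             control_cost: float, effectiveness: float = 1.0) -> str:
    """The same rule when the probability is only known to lie in a range.

    This is the article's 'uncertainty' case. The removed risk grows linearly
    with the probability, so evaluating both ends of the range is sufficient.
    If the two ends disagree, the formula cannot decide: 'undecidable'.
    """
    low, high = probability_range
    if low > high:
        raise ValueError("range must be ordered low <= high")
    at_low = decide(low, loss, control_cost, effectiveness)
    at_high = decide(high, loss, control_cost, effectiveness)
    return at_low if at_low == at_high else "undecidable"


if __name__ == "__main__":
    # The article's laptop: 10% per year, $10,000 at stake -> $1,000 of risk.
    print(annual_risk(0.10, 10_000))                 # 1000.0
    print(decide(0.10, 10_000, control_cost=100))    # invest
    print(decide(0.10, 10_000, control_cost=2_000))  # accept

    # Constructed 'virtual risk': nobody can say whether the chance that an
    # unpatched web server is exploited this year is 0.1% or 50%, so the
    # same rule returns no answer at all.
    print(decide_under_uncertainty((0.001, 0.50), loss=500_000,
                                   control_cost=20_000))  # undecidable
```

The point of the last call is the article's thesis in miniature: the arithmetic is identical in both cases, but once the probability is an interval rather than a number, the rule that cleanly settles the laptop question returns no decision at all.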
In the case of virtual risks, what people believe depends on who they believe, which in turn depends on who they trust. Curiously, people tend to put less trust in experts with access to the most reliable information, and put more trust in friends and family, who tend to be those with access to the least reliable information. This leads to situations in which some virtual risks are deemed very serious without any evidence supporting this position. For instance, your friends may fear flying, but the experts say it's one of the safest modes of transportation.
Understand the Differences
Because many information security risks cannot be understood and managed using traditional risk-management methodologies, integrating information security with other corporate risk management functions may cause more problems than it solves.
In particular, applying traditional risk-management methodologies to information security may fail because neither the chances of security breaches nor the loss associated with such breaches is easy to estimate. Similarly, applying information security risk management methodologies, where decisions are often made without any reliable data at all, to other risk management functions will also probably result in poorly managed risks.
In most scenarios, the best solution is probably to understand the differences between the types of risk that exist and to manage them appropriately. Unifying information security and other corporate risk-management organizations may not be the best way to do this.
Luther Martin is chief security architect for Voltage Security. He is the author of the Internet Engineering Task Force draft standards on identity-based encryption algorithms and their use in encrypted e-mail.