Arguments For and Against Risk Analysis
Risk analysis is a well-known
planning tool, used often by auditors, accountants, and managers. In many
situations, such as obtaining approval for new drugs, new power plants, and new
medical devices, a risk analysis is required by law in many countries. There
are many good reasons to perform a risk analysis in preparation for creating a
security plan.
Improve awareness. Discussing
issues of security can raise the general level of interest and concern among
developers and users. Especially when the user population has little expertise
in computing, the risk analysis can educate users about the role security plays
in protecting functions and data that are essential to user operations and
products.
Relate security mission to
management objectives. Security is often perceived as a financial drain for no
gain. Management does not always see that security helps balance harm and
control costs.
Identify assets,
vulnerabilities, and controls. Some organizations are unaware of their
computing assets, their value to the organization, and the vulnerabilities
associated with those assets. A systematic analysis produces a comprehensive
list of assets, valuations, and risks.
Improve basis for decisions.
A security manager can present an argument such as "I think we need a
firewall here" or "I think we should use token-based authentication
instead of passwords." Risk analysis augments the manager's judgment as a
basis for the decision.
Justify expenditures for
security. Some security mechanisms appear to be very expensive and without
obvious benefit. A risk analysis can help identify instances where it is worth
the expense to implement a major security mechanism. Justification is often derived from examining the much larger risks of
not spending for security.
However, despite the advantages of risk
analysis, there are several arguments against using it to support decision
making.
False sense of precision and confidence. The
heart of risk analysis is the use of empirical data to generate estimates of
risk impact, risk probability, and risk exposure. The danger is that these
numbers will give us a false sense of precision, thereby giving rise to an
undeserved confidence in the numbers. However, in many cases the numbers
themselves are much less important than their relative sizes. Whether an
expected loss is $100,000 or $150,000 is relatively unimportant. It is much
more significant that the expected loss is far above the $10,000 or $20,000
budget allocated for implementing a particular control. Moreover, anytime a risk
analysis generates a large potential loss, the system deserves further scrutiny
to see if the root cause of the risk can be addressed.
Hard to perform. Enumerating assets,
vulnerabilities, and controls requires creative thinking. Assessing loss
frequencies and impact can be difficult and subjective. A large risk analysis
will have many things to consider. Risk analysis can be restricted to certain
assets or vulnerabilities, however.
Immutability. It is typical on many software
projects to view processes like risk analysis as an irritating fact of life, a
step to be taken in a hurry so that the developers can get on with the more
interesting jobs related to designing, building, and testing the system. For
this reason, risk analyses, like contingency plans and five-year plans, have a
tendency to be filed and promptly forgotten. But if an organization takes
security seriously, it will view the risk analysis as a living document,
updating it at least annually or in conjunction with major system upgrades.
Lack of accuracy. Risk analysis is not always
accurate, for many reasons. First, we may not be able to calculate the risk
probability with any accuracy, especially when we have no past history of
similar situations. Second, even if we know the likelihood, we cannot always
estimate the risk impact very well. The risk management literature is replete
with papers about describing the scenario, showing that presenting the same
situation in two different ways to two equivalent groups of people can yield
two radically different estimates of impact. And third, we may not be able to
anticipate all the possible risks. For example, bridge builders did not know
about the risks introduced by torque from high winds until the Tacoma Narrows
Bridge twisted in the wind and collapsed. After studying the colossal failure
of this bridge and discovering the cause, engineers made mandatory the
inclusion of torque in their simulation parameters. Similarly, we may not know
enough about software, security, or the context in which the system is to be
used, so there may be gaps in our risk analysis that cause it to be inaccurate.
This lack of accuracy is
often cited as a deficiency of risk analysis. But this lack is a red herring.
Risk analysis is useful as a planning tool, to compare and contrast options. We
may not be able to predict events accurately, but we can use risk analysis to
weigh the tradeoffs between one action and another. When risk analysis is used
in security planning, it highlights which security expenditures are likely to be
most cost effective. This investigative basis is important for choosing among
controls when money available for security is limited. And our risk analysis
should improve as we build more systems, evaluate their security, and have a
larger experience base from which to draw our estimates.
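The argument above, that relative sizes matter more than exact figures, can be checked by carrying every estimate as a range and asking whether the spending decision changes anywhere inside it. The following sketch is an added example, not part of the original text; the dollar figures for control A are the ones quoted above, while the effectiveness ranges and controls B and C are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Range:
    low: float
    high: float

@dataclass(frozen=True)
class Option:
    name: str
    expected_loss: Range   # annual expected loss without the control, in dollars
    effectiveness: Range   # fraction of that loss the control removes (assumed)
    cost: Range            # annual cost of the control, in dollars

def net_benefit(opt: Option) -> Range:
    """Loss avoided minus control cost, from most pessimistic to most optimistic."""
    avoided_low = opt.expected_loss.low * opt.effectiveness.low
    avoided_high = opt.expected_loss.high * opt.effectiveness.high
    return Range(avoided_low - opt.cost.high, avoided_high - opt.cost.low)

def verdict(opt: Option) -> str:
    net = net_benefit(opt)
    if net.low > 0:
        return "justified"        # pays off even with the worst estimates
    if net.high < 0:
        return "not justified"    # loses money even with the best estimates
    return "sensitive"            # the decision depends on the exact numbers

# Control A uses the figures from the text; B and C are constructed samples.
OPTIONS = [
    Option("control A", Range(100_000, 150_000), Range(0.5, 0.9), Range(10_000, 20_000)),
    Option("control B", Range(15_000, 40_000), Range(0.6, 0.9), Range(20_000, 30_000)),
    Option("control C", Range(2_000, 5_000), Range(0.8, 1.0), Range(10_000, 20_000)),
]

def report(options=OPTIONS):
    return [(o.name, verdict(o), net_benefit(o)) for o in options]

if __name__ == "__main__":
    for name, decision, net in report():
        print(f"{name}: {decision:13s} net benefit {net.low:>10,.0f} to {net.high:>10,.0f}")
```

Only control B needs better estimates before a decision can be made; for A and C the imprecision of the inputs does not affect the outcome.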
A risk analysis has many
advantages as part of a security plan or as a tool for less formal security
decision making. It ranges from very subjective and imprecise to highly
quantitative. It is useful for generating and documenting thoughts about likely
threats and possible countermeasures. Finally, it supports rational decision
making about security controls.
Next we turn to another
aspect of security planning: developing security policies.