Information technology trade publications report increasing information security losses, questionable risk management and risk assessments, and underfunding and understaffing. Government departments receive low grades in security. Legislators react by adopting draconian laws such as Sarbanes-Oxley. The poor state of information security derives from the risk-based approach on which security practice is fundamentally built.
Management deals with risks every day, and a risk-reduction justification makes it too easy to accept security vulnerabilities in exchange for other benefits. Management support for effective security must instead be made imperative and unavoidable: we insist on demonstrable diligence to avoid negligence, address the ethical aspects, comply with the law to avoid penalties, and enable the business to be competitive and to deliver secure services within budget. The diligence method means doing better than what others are doing: exceeding benchmarks under similar circumstances, exceeding the standards and requirements of the law, and using well-known good controls alongside new, more powerful ones.
It is relatively easy to justify increased security to stop or control ongoing, significant loss incidents such as virus attacks, because they are certainties rather than intangible security risks. We can justify security against such loss certainties by a straightforward calculation of return on investment based on real experience. The more difficult problem is making a successful case for adequate security against rare but significant threats such as enemies engaged in fraud, espionage, and sabotage. Information security departments have attempted to justify expending security resources on these rare problems by managing and reducing security risks. To manage, they must control; to control, they try to measure the benefits of information security "scientifically" in terms of risk reduction. However, security risk reduction is generally not measurable.
A security risk is defined as an adversity, but measuring a security risk requires anticipating the frequency and impact of rare loss events in a specific security setting. Security risk is different from measurable business risk, which consists of voluntarily investing resources to produce a profit or meet a goal. Security risk is not measurable, because the frequencies and impacts of future incidents are mutually dependent variables with an unknown dependency, under the control of unknown and often irrational enemies with unknown skills, knowledge, resources, authority, motives, and objectives. These enemies operate from unknown locations at unknown future times, with the possible intent of attacking vulnerabilities that are known but untreated, or vulnerabilities that are known to the attackers but unknown to the defenders (a constant problem in our technologically complex environments). In addition, when enemies cannot exploit one vulnerability, they often attack other vulnerabilities to accomplish their goals. Risks are therefore related in unknown, complex ways, so that reducing one risk may increase or decrease other risks. Also, the impact may be minimal in a major attack and major in a minor one. For example, consider the complete failure of Barings Bank in London, which resulted from a lack of simple separation of duties in just one branch in Singapore. You never know what amount of liability, litigation, or secondary effects may ensue after even a minor incident: "For want of a nail the war was lost."
Many security efforts may affect one risk, and one security effort may affect many risks, as happens today with the use of powerful security software packages. Thus, risks and the controls meant to treat them cannot be paired one to one. There are too many interrelated variables, known and unknown, with unknown values. They all change in unknown ways over time, depending on unknown future circumstances such as system and business changes, labor disputes, social and political changes, unknown enemies' failures and successes, and the frailties and irrationalities of enemy and defender alike. It is generally agreed that there is insufficient valid loss experience data to support quantitative risk assessment applied to a specific instance, because victims need confidentiality. Also, humans are notoriously bad at qualitative risk assessment. Finally, the security literature cites no proof of effectiveness and no reported experience of performing security risk assessments, because such assessments are proprietary and confidential.
Many security managers support my position on the failure of security based on intangible risks, but they are so committed to the risk-based approach through job titles, standards, advice in the literature, requirements in the law, and policies that they are afraid to declare it inoperative. Risk-based security and security risk management are the emperor's new clothes, and they must be replaced with diligence-based security consisting of measurable and tangible diligence, ethical practice, compliance, and enablement.