What We Talk About When We Talk About Risk

0
108
Measuring security risk is not that hard if you get your terms straight and leverage well-established methods and principles from other disciplines.

How enthusiastic would you be to ride on a spacecraft if you knew that the scientists and engineers who designed it and planned the mission couldn’t agree on the definition of mass, weight, and velocity?

A quick look at the word “risk” in Wikipedia provides a clue regarding the variety of definitions that exist for a foundational term in our profession. But inconsistent formal definitions are really just the tip of the iceberg. For example, I like to ask audiences, “Which of these are risks?”:

  • Vulnerabilities
  • Disgruntled employees
  • Reputation
  • Untested recovery plans
  • Sensitive consumer information
  • Weak passwords
  • Cybercriminals

Almost without exception, the answer I hear is “All of them!” The truth, however, is that none of them are risks. Vulnerabilities are not risks and we need to stop acting like they are. Disgruntled employees and cybercriminals are threat communities; reputation and sensitive consumer information are assets; and weak passwords and an untested recovery plan are (deficient) controls. In other words,…

Read More…