One of the thornier issues in security risk management - but it's getting better all the time

What’s the most-lamented difficulty in applying real risk management to security? Lack of hard numbers, of course. Particularly on the digital side of security. The old “actuarial table” problem. We don’t know precise probabilities, can’t accurately calculate impact costs, boo hoo. (I do love an old quote about this issue, attributed to Dan Geer: “The numbers are too poor even to lie with.”)

But lots of people are chipping away at this problem. The bottom line is that there’s no reason to throw up your hands and say it can’t be done. Here is some of the coverage we’ve done on this question:

Alex Hutton and Doug Hubbard had a productive discussion that we called “The great IT risk measurement debate.” Online it’s in two parts: Part one and Part two. One of the key points both gentlemen make is that you can apply risk management principles now and improve your outcomes. Absolute precision and perfection aren’t necessary. (What business decision-making process is demonstrably perfect anyway?) Hubbard argues convincingly that IT security is not as unique as is often claimed. Other disciplines have similar challenges in the risk measurement arena.

Hutton is a member of the Society of Information Risk Analysts (SIRA). He and other SIRA folks pitched into a recent discussion about 7 common risk management mistakes. If you haven’t read that yet, do. You can fast-forward your own program by avoiding the missteps others have considerately made for you. Don’t replicate the audit department, don’t confuse accuracy with precision, don’t try to make a comprehensive risk register. Really, go read it.

And one last piece specific to IT risk: Are you using a formal risk assessment framework? Bob Violino wrote an overview of four of them – OCTAVE, FAIR, NIST RMF, and TARA.

Okay.
That’s a foundation of our coverage of this tricky and sometimes contentious IT measurement issue. My initial thesis was that risk management needs to be more quantifiable, and more inclusive of multiple interconnected disciplines. Upcoming posts will provide new material on both those topics.

Onward!