• United States



Measuring IT risk

Oct 31, 20122 mins
Data and Information SecurityIT StrategyROI and Metrics

One of the thornier issues in security risk management - but it's getting better all the time

What’s the most-lamented difficulty in applying real risk management to security? Lack of hard numbers, of course.

Particularly on the digital side of security. The old “actuarial table” problem. We don’t know precise probabilities, can’t accurately calculate impact costs, boo hoo.

(I do love an old quote about this issue, attributed to Dan Geer: “The numbers are too poor even to lie with.”)

But lots of people are chipping away at this problem. The bottom line is that there’s no reason to throw up your hands and say it can’t be done. Here is some of the coverage we’ve done on this question:

Alex Hutton and Doug Hubbard had a productive discussion that we called “The great IT risk measurement debate.” Online it’s in two parts: Part one and Part two.

One of the key points both gentlemen make is that you can apply risk management principles now and improve your outcomes. Absolute precision and perfection isn’t necessary. (What business decision-making process is demonstratively perfect anyway?) Hubbard argues convincingly that IT security is not as unique as is often claimed. Other disciplines have similar challenges in the risk measurement arena.

Hutton is a member of the Society of Information Risk Analysts (SIRA). He and other SIRA folks pitched into a recent discussion about 7 common risk management mistakes. If you haven’t read that yet, do. You can fast forward your own program by avoiding the missteps others have considerately made for you. Don’t replicate the audit department, don’t confuse accuracy with precision, don’t try to make a comprehensive risk register.

Really, go read it.

[Hey you! Get all CSO’s ERM coverage with our new CSO Risk Management newsletter. Sign up now!]

And one last piece specific to IT risk: Are you using a formal risk assessment framework? Bob Violino wrote an overview of four of them – OCTAVE, FAIR, NIST RMF, and TARA.

Okay. That’s a foundation of our coverage of this tricky and sometimes contentious IT measurement issue.

My initial thesis was that risk management needs to be more quantifiable, and more inclusive of multiple interconnected disciplines. Upcoming posts will provide new material on both those topics. Onward!