Gang Aft Agley

Many a joke begins, “Three men walk into a bar…”. They are then differentiated by race, religion or nationality. What follows in this article is not about three men; they do not walk into a bar; and they are differentiated by profession. They share in common the risk that is inherent in what they do. The first woman is a banker; the second woman is an information security manager; the man is a physician.

The banker makes loans and realizes that some will not be repaid. To manage her risk, she executes credit checks, charges interest and sets aside loan loss provisions. The doctor performs procedures on sick patients, prescribes remedies and, to manage his risk, calls for batteries of tests. The information security manager realizes that the systems she is responsible for are threatened internally and externally, so she acquires for all of them the strongest security measures she can afford: encryption, virus filters, firewalls, intrusion detection and prevention systems, identity management software and administrative talent. All manage their risks as best as possible.

And yet patients die, loans default and systems are hacked. These sad facts stem from the reality that finance, medicine and information security all deal inherently with risk.

In a previous column,[1] I analyzed what I consider to be loose uses of words in ISO 27005[2] (specifically, the use of the words “threat,” “vulnerability,” “likelihood” and “risk”). I gave rather short shrift to risk, but promised that I would return to the subject. ISO 27005 defines information security risk as the “potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.” As stated in the previous column, “I see risk as the measurement of the uncertainty of harm to an asset or group of assets.”

What affects the three subjects in the examples above is uncertainty. Each manages his/her risks, but risk management is not the same as risk elimination. Therein lies a discussion of perhaps the most critical issue in information security today: despite all precautions, preventions and technologies that organizations put in place, security incidents still occur.

Risk and Exposure

In my opinion, the essential problem with the ISO 27005 definition is that it is not of risk at all, but rather it defines exposure, i.e., the losses one can predictably expect in certain circumstances. So, for example, if there were no virus filters installed (the vulnerability), an information security manager would have a high degree of certainty that at least one of the viruses in the wild (the threat) would in time corrupt data and crash systems (the harm). Worse yet, though the beleaguered manager can be certain about bad things happening without virus filters, she cannot be equally sure that bad things will not happen if the filters are installed. Such is the nature of risk.[3]

No matter how good the virus filters may be, no matter how effective the information security manager may be in implementing them, there is still the possibility that there is a virus writer somewhere in the world who is smarter than the antivirus software company, more adept at bypassing administrative controls than the implementer, and, so, a virus will nevertheless get through. By putting filters in place, the information security manager can manage a known threat by reducing a known vulnerability, but she can never reduce it to zero. She can manage her exposure, not her risk.

Reducing the probability of loss is a good thing to do, but it is not the same as managing risk. For one thing, part of risk management is risk acceptance. The information security manager may decide that, since she installs a virus filter, she does not need a second one. Or, for that matter, having two, she does not need three…ad infinitum. She has to make the decision at some point that she has implemented enough virus protection to reduce her organization’s vulnerability sufficiently. She must be prepared to acknowledge that the likelihood of harm is so low as to strain credibility.

Highly Improbable Events

But what if she is wrong?

The resulting impact of a highly improbable set of events would most likely be disproportionate to all the other virus attacks the information security manager had ever experienced, precisely because she prepared for the ones she anticipated. We never experienced jet liners used as guided missiles, or hurricanes drowning major cities, or tsunamis killing hundreds of thousands…until we did. And then our risk calculus changed; what was previously considered outside the bounds of credibility was suddenly a factor to be included in measuring risk. We were suddenly forced to accept that these things could occur, because they had.

So, the information security manager (and many readers of the ISACA Journal, I suppose) must manage her organization’s exposure to known threats and vulnerabilities while remaining wide open to an uncertain number of unknown threats and vulnerabilities. Again, it is exactly this degree of uncertainty that defines risk.

Budgeting for Risk

Worse yet, the information security manager has to make the budgetary case that the first virus filter by itself left enough risk that a second one was justified. This will probably elicit from her management the not unreasonable questions, “If the first one was not good enough, why did you buy it? And what makes the second one any better than the first?” Now, there are perfectly good technical reasons to have more than one (albeit in different places), but it is also clear that the incremental value of each additional security measure, not just antivirus software, is less and less for each dollar (or euro, yen, ruble or pound) invested. Each one is an attempt to bring the envelope of uncertainty closer to the contents of managed exposure. It is a ceaseless and ultimately futile effort, except that the effort must be made with the understanding that at some time even the best precautions fail. Needless to say, the information security manager will not find that understanding easy to come by as she makes her case for more budget for increased security measures. The line has to be drawn somewhere—and she may not be the one to draw it—and risk will remain on the other side of the line.

Real Risk Management

Risk management—real risk management—must deal with and accommodate uncertainty. In a curious fashion, one might say the certainty of uncertainty. We must accept that there are forces in the world of which we are unaware, which will affect our lives, sometimes immeasurably. So, accordingly, the information security manager can be sure that despite her best efforts, there will continue to be security incidents. Therefore, the soul of risk management for her is an effective response capability—to deal with events as they occur—without advance knowledge of what those events might be. For what is risk but an inability to see the future?

The secret for the information security manager in the example is that she should never promise that any or all the security measures she puts in place will make her organization secure, whatever that means in context. Without qualification, it sounds like a guarantee, one that cannot be redeemed. Rather, she should communicate that some risk will remain no matter what she does and that she is developing flexible and adaptive methods to deal with those cases in which the uncertain becomes reality. She should position herself as a manager rather than a technician.

If it is any consolation, these thoughts were uttered quite a while ago by Robert Burns, the great Scottish poet, who wrote these lines to a mouse he encountered in his field one day:

But Mousie, thou art no thy-lane,
In proving foresight may be vain:
The best laid schemes o’ Mice an’ Men,
Gang aft agley,
An’ lea’e us nought but grief an’ pain,
For promis’d joy![4]

Endnotes

[1] Ross, Steven; “Four Little Words,” ISACA Journal, vol. 1, 2009
[2] International Organization for Standardization, ISO/IEC 27005:2008, Information Technology—Security Techniques—Information Security Risk Management
[3] In his recent book, The Black Swan (Random House, 2007), Nassim Nicholas Taleb examines this concept in detail.
[4] This may be translated roughly as, “Mousie, you are not alone in proving that foresight is in vain. The best laid plans of mice and men often go awry and leave us nothing but pain instead of promised joy.” See www.electricscotland.com/burns/mouse.html.

Steven J. Ross, CISA, CBCP, CISSP, is a director at Deloitte. He welcomes comments at stross@deloitte.com.


ISACA Journal, formerly Information Systems Control Journal, is published by ISACA, a nonprofit organization created for the public in 1969. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.