The Fallacy of Risk Analysis (Feb 2010)
A pragmatic analysis to the value of Risk Analysis, certifications and complex security in Portuguese economic environment.

Slide 1: The Fallacy of Risk Analysis
M. Raposo
Marco Raposo 2010 http://pt.linkedin.com/in/marcoraposo Free to copy, distribute. You must attribute the work in the manner specified by the author. You may not use this work for commercial purposes.
Slide 2: If Curricula Could Speak…
“As a Senior Credit Risk Manager in Citigroup, I was able to sustain billions in financial losses and bankrupt a centenary institution”
Citigroup Acknowledges Poor Risk Management. New York Times, October 16, 2007
Slide 3: Some Security Trends in Recent Years
• Quality of Service growing in importance
• 27001 moving towards the 2700x family
• Cloud Security arising
• Focus on Business Continuity Management
• Response moving towards prevention (e.g. Data Loss Prevention)
• Growing focus on Governance, Risk management and Compliance (GRC)
• Security issues moving up the OSI layers

Slide 4: The Focus on the RA and on Standards
• Risk Analysis has been positioned on the market as the cost-rational tool
• Standards as the right security approach
• 27001 leveraged as the maximum exponent of security
• 223M € - BSI Group financial performance in 2008
• Bulk training from several organizations (BSI, ISC2, ISACA, SANS, VISA, etc.)
• Certifications: too much noise and unbalanced value

Slide 5: The Limitations
• The RA approach is similar to one-to-one marketing
• RA in the enterprise micro system is effective; however, it only acts within boundaries
• With changing trends, the Internet and information ubiquity, the boundaries are diffuse
• RA approaches within certifications are in fact a “global” response strategy
• Standards are just standards. They don't say “When” and “Why”

Slide 6: National Landscape
Portuguese Market*
• 99,6% SMBs
• SMBs represent 75% of employment
• 56,4% of GDP (PIB)
* IAPMEU feb 2008
• Our addressable market is smaller
• Our long tail is bigger
• Models/investments profitable in other environments might not be profitable in the local market

Slide 7: Question?
Q: Do we need to perform Risk Analysis to cross the street?
A: NO. We use a set of simple rules.
Q: Do we need to perform Risk Analysis to cross a street full of traffic while a dog is chasing us?
A: Yes.
Slide 8: Back to the Basics
• Do we need Risk Analysis to set priorities?
* ISACA Journal Jan 2010

Slide 9: Risk Analysis Approaches vs Baseline Security
TCS(RA) = Sunk Costs + Security Implementation - Avoided Loss Expectancy(RA)
TCS(BS) = Security Implementation - Avoided Loss Expectancy(BS)
If (Avoided Loss Expectancy(RA-BS) > Sunk Costs) { Risk Analysis is effective }
Slide 10: The 27001 Business Case
• Brand
• New business enabling
• Security savings
• Insurance reduction
• Incident response
• Potential savings
• Very hard to quantify due to event correlation
Slide 11: Expected Financial Impact per Company
• Monetary impact of security incidents is decreasing
[Chart: Expected Loss Per Company, axis from 0 € to 250.000 €]
* CSI/FBI Computer Crime and Security Survey 2008
Side note: in the 2009 report the number of incidents rose together with the financial impact.
Currently each company is faced with a potential loss of 110k per year (worst-case scenario). Solutions should be cost-effective and long term.

Slide 12: Risk Analysis Approaches vs Baseline Security
Risk Analysis Approach
• Top-Down Approach
• Cost-effective security
• Maintenance efforts (scenario-based approach)
• Bigger maintenance efforts (residual-risk approach)
• Sunk costs
• Complexity
Baseline Security
• Bottom-Up Approach
• Simplicity
• Fast deployment
• Suitable for SMBs and low CMM
• Effective in turbulence
Slide 13: The Missing Link: Security By Design
• The only effective approach in the long term is to complement “security by design” with top-down approaches
• Security by design will create a “stable equilibrium” with self-correcting properties
• The community should leverage “Security by Design”

Slide 14: “The Security Guerrilla” Concept
• The “security guerrilla” approach is effective with SMBs
• 80% of common risks are mitigated with 20% of controls (Pareto’s principle)
• The pace of change with many SMBs does not have a significant impact
• Very cost-effective approach

Slide 15: Open Debate (3 min)
Q: What is the security value proposition?

Slide 16: Back to the Basics - Strategic Alignment
• What does alignment mean?
• What is your company's/customer's generic competitive strategy?
• What are your company's/customer's directional strategies?
• What are the business compelling events?
  – Losing customers to the competition
  – Exploiting new market opportunities
  – Pressure to reduce cost
  – New regulatory requirements
• How does security contribute to them?

Slide 17: Back to the Basics - The Enabler Role
• Security must respond to compelling events and existing strategies
• Risk Analysis should be a tool and Risk Management a good practice
• Certification must be a byproduct of security
• Security must be a byproduct of business
• Standards are not a religion (many diverge)
• From strategy to tactics and operations: where is the security plan?

Slide 18: Back to the Basics - The Security Practitioner
• Adopt pragmatic perspectives
• Key role on the “Why” and “When”
• Focus on business, not on security
• Develop negotiation, communication and management skills
• Balance all parts of security
• Acronyms are not security (CISSP, CISM, CISA, ISO LA, etc.)
• Adopt out-of-the-box thinking

Slide 19: Food for Thought
• Who manages security better?
  – A security manager
  – A general manager
• Many managers have a great perception of risk (give me a manager that has ensured positive P&L in a turbulent market or recession)
• Security practitioners are often too biased (no thinking out of the box, no systemic view of problems)
• Technically focused people normally have strong technical skills and limited communication or negotiation skills

Slide 20: Some Closing Remarks
• Security, standards and methodologies are many times applied blindly by the community
• No political, sociological, economical or technological environment is accounted for
• As with everything, security has trade-offs and a break-even point
• Not all security is controls, frameworks and methodologies
• Security is more business and less security
• Every time you fail to properly demonstrate security's added value, you are contributing negatively

Slide 21: Where to Go?
• Security must run the “extra mile” to meet business needs in efficient and effective ways
• Security should adapt to the environment
• Resources in security are sparse. Prioritize them.
• For any given option, clearly state the “break-even” and the compromises
• Practitioners must bet on soft skills
• Switch from worn-out and cliché messages
• Back to the plan: a good management practice is to have a plan. Put it in place, prioritize it, assign resources, deploy, measure results

Slide 22: Discussion
marco.raposo@alcatel-lucent.com
M: +351 968779278
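The cost model on slide 9 (TCS for a risk-analysis-driven control set versus a baseline set, and the rule that the analysis is effective when the extra avoided loss exceeds its sunk costs) carried through as a runnable example. This is added code, not from the deck or its author. It assumes TCS stands for total cost of security, that loss expectancy is derived as SLE × ARO per risk, and that a control's mitigation is a fraction of that risk's annual loss expectancy; every risk, control and euro figure is constructed for illustration. Beyond the slide's own rule it also reports the break-even sunk cost, the most the analysis may cost before the baseline wins.

```python
"""Worked comparison of a Risk-Analysis-driven control set against a baseline
control set, using the decision rule from slide 9:

    TCS(RA) = Sunk Costs + Security Implementation - Avoided Loss Expectancy(RA)
    TCS(BS) = Security Implementation - Avoided Loss Expectancy(BS)
    Risk Analysis is effective if Avoided Loss Expectancy(RA - BS) > Sunk Costs

Every figure below is constructed for illustration; it is not data from the deck.
Risk magnitudes use the usual ALE = SLE x ARO decomposition (an assumption: the
deck does not say how loss expectancy is derived).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy, EUR per incident
    aro: float  # annualised rate of occurrence

    @property
    def ale(self) -> float:
        """Annual loss expectancy before any control is applied."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    cost: float  # implementation cost, EUR per year
    mitigates: dict  # risk name -> fraction of that risk's ALE removed


def avoided_loss(risks, controls):
    """Avoided Loss Expectancy of a control set.

    Controls that address the same risk combine on the residual (two 50%
    controls leave 25% of the loss), so coverage never exceeds 100%.
    """
    total = 0.0
    for risk in risks:
        residual = 1.0
        for control in controls:
            residual *= 1.0 - control.mitigates.get(risk.name, 0.0)
        total += risk.ale * (1.0 - residual)
    return total


def total_cost_of_security(risks, controls, sunk_costs=0.0):
    """TCS as on slide 9: sunk costs + implementation - avoided loss.
    Negative values mean the control set avoids more loss than it costs."""
    implementation = sum(control.cost for control in controls)
    return sunk_costs + implementation - avoided_loss(risks, controls)


def risk_analysis_break_even(risks, ra_controls, bs_controls):
    """Largest sunk cost the analysis may incur and still be effective:
    Avoided Loss Expectancy(RA) - Avoided Loss Expectancy(BS)."""
    return avoided_loss(risks, ra_controls) - avoided_loss(risks, bs_controls)


def risk_analysis_is_effective(risks, ra_controls, bs_controls, sunk_costs):
    """The slide's rule: the extra loss avoided must exceed what the analysis cost."""
    return risk_analysis_break_even(risks, ra_controls, bs_controls) > sunk_costs


# --- constructed scenario for a small company (not data from the deck) ---------
RISKS = [
    Risk("phishing account takeover", sle=20_000, aro=1.5),   # ALE 30 000
    Risk("ransomware on file server", sle=60_000, aro=0.5),   # ALE 30 000
    Risk("lost unencrypted laptop", sle=10_000, aro=1.0),     # ALE 10 000
    Risk("web application data leak", sle=80_000, aro=0.25),  # ALE 20 000
    Risk("insider payment fraud", sle=100_000, aro=0.2),      # ALE 20 000
]  # total ALE 110 000, deliberately scaled to the deck's 110k worst-case figure

# Baseline: a few broad, cheap controls applied without any per-company analysis.
BASELINE = [
    Control("patching, MFA and offline backups", cost=15_000,
            mitigates={"phishing account takeover": 0.7,
                       "ransomware on file server": 0.8,
                       "web application data leak": 0.3}),
    Control("full-disk encryption", cost=3_000,
            mitigates={"lost unencrypted laptop": 0.9}),
]

# Risk analysis keeps the baseline and adds controls targeted at what it found.
RA_SUNK_COSTS = 8_000  # consultant days spent on the analysis itself
RISK_ANALYSIS = BASELINE + [
    Control("payment approval workflow", cost=6_000,
            mitigates={"insider payment fraud": 0.75}),
    Control("web application test and fixes", cost=5_000,
            mitigates={"web application data leak": 0.6}),
]


def scenario_summary():
    """Return the figures a decision maker would compare, as a dict."""
    return {
        "avoided_bs": avoided_loss(RISKS, BASELINE),
        "avoided_ra": avoided_loss(RISKS, RISK_ANALYSIS),
        "tcs_bs": total_cost_of_security(RISKS, BASELINE),
        "tcs_ra": total_cost_of_security(RISKS, RISK_ANALYSIS, RA_SUNK_COSTS),
        "break_even_sunk_costs": risk_analysis_break_even(RISKS, RISK_ANALYSIS, BASELINE),
        "ra_effective": risk_analysis_is_effective(RISKS, RISK_ANALYSIS, BASELINE, RA_SUNK_COSTS),
    }


if __name__ == "__main__":
    for key, value in scenario_summary().items():
        text = f"{value:,.0f}" if isinstance(value, float) else str(value)
        print(f"{key:>22}: {text}")
```

Running the block prints the six figures. In the constructed data the analysis avoids 23,400 € more loss than the baseline, so it passes the slide's test at 8,000 € of sunk costs and fails it at 30,000 €; the break-even figure is what slide 21 asks a practitioner to state for any option. The scenario also matches the reading of slide 14: the baseline is the small set of broad controls that covers most of the annual loss expectancy before any company-specific analysis has been paid for.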