The Fallacy of Risk Analysis (Feb 2010)

M. Raposo
                                        Marco Raposo 2010 http://pt.linkedin.com/in/marcoraposo
Free to copy, distribute. You must attribute the work in the manner specified by the author. You may not use this work for commercial purposes.
If CVs could speak….

        “As a Senior Credit Risk Manager in Citigroup,
        I was able to sustain billions in financial
        losses and bankrupt a century-old institution”

         Citigroup Acknowledges Poor Risk Management
         New York Times, October 16, 2007

Some Security Trends in Recent Years
  • Quality of Service growing in importance
  • 27001 moving towards the 2700x family
  • Cloud security arising
  • Focus on Business Continuity Management
  • Response moving towards prevention (e.g. Data Loss Prevention)
  • Growing focus on Governance, Risk management and Compliance (GRC)
  • Security issues moving up the OSI layers

The Focus on the RA and on Standards
  • Risk Analysis has been positioned on the market as the cost-rational tool
  • Standards as the right security approach
  • 27001 leveraged as the maximum exponent of security
  • 223M € - BSI Group financial performance in 2008
  • Bulk training from several organizations (BSI, ISC2, ISACA, SANS, VISA, etc.)
  • Certifications: too much noise and unbalanced value

The Limitations
  • The RA approach is similar to one-to-one marketing
  • RA in the enterprise micro-system is effective
  • However, it only acts within boundaries
  • With changing trends, Internet and information ubiquity, the boundaries are diffuse
  • RA approaches within certifications are in fact a “global” response strategy
  • Standards are just standards. They don't say “When” and “Why”

National Landscape
  Portuguese Market*
    • 99.6% SMBs
    • SMBs represent 75% of employment
    • 56.4% of GDP

  * IAPMEU Feb 2008

  • Our addressable market is smaller
  • Our long tail is bigger
  • Models/investments profitable in other environments might not be profitable in the local market

Question?
  Q: Do we need to perform Risk Analysis to cross the street?
  A: NO. We use a set of simple rules.

  Q: Do we need to perform Risk Analysis to cross a street full of traffic while a dog is chasing us?
  A: Yes.

Back to the Basics
  • Do we need Risk Analysis to set priorities?

  * ISACA Journal Jan 2010

Risk Analysis Approaches vs Baseline Security

  TCS(RA) = Sunk Costs + Security Implementation – Avoided Loss Expectancy(RA)

  TCS(BS) = Security Implementation – Avoided Loss Expectancy(BS)

  If (Avoided Loss Expectancy(RA) – Avoided Loss Expectancy(BS) > Sunk Costs)
  {
      Risk Analysis is effective
  }

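A worked example of the TCS formulas on this slide, added here and not part of the original deck: it models a hypothetical SMB with constructed threats (annual rate × single loss), a generic checklist baseline control set, and a risk-analysis-driven set that adds two targeted controls, then applies the slide's rule (avoided loss expectancy of RA minus BS, compared with sunk costs) beside the full TCS comparison. Every threat, control, cost and reduction fraction is invented; the multiplicative composition of overlapping controls and the efficiency ranking at the end are my own modelling choices, not something the slides specify.

```python
# Added worked example (not from the slides): the TCS comparison applied to a
# constructed SMB scenario. All threats, controls, costs and reduction
# fractions below are invented for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    annual_rate: float   # expected occurrences per year (ARO)
    single_loss: float   # loss per occurrence, EUR (SLE)


@dataclass(frozen=True)
class Control:
    name: str
    cost: float           # implementation cost per year, EUR
    reduction: dict       # threat name -> fraction of its loss expectancy removed


def annual_loss_expectancy(threats):
    """Loss expectancy with no controls: sum of ARO x SLE."""
    return sum(t.annual_rate * t.single_loss for t in threats)


def avoided_loss_expectancy(threats, controls):
    """Loss expectancy removed by a control set. Controls acting on the same
    threat compose multiplicatively: residual = product of (1 - reduction)."""
    avoided = 0.0
    for t in threats:
        residual = 1.0
        for c in controls:
            residual *= 1.0 - c.reduction.get(t.name, 0.0)
        avoided += t.annual_rate * t.single_loss * (1.0 - residual)
    return avoided


def total_cost_of_security(threats, controls, sunk_costs=0.0):
    """Slide formula: TCS = Sunk Costs + Security Implementation - Avoided Loss Expectancy.
    Baseline has no sunk costs; the RA programme carries the cost of the analysis.
    A negative TCS means the programme avoids more loss than it costs."""
    implementation = sum(c.cost for c in controls)
    return sunk_costs + implementation - avoided_loss_expectancy(threats, controls)


def compare(threats, baseline, tailored, sunk_costs):
    """Apply the slide's decision rule and the full TCS comparison side by side."""
    avoided_bs = avoided_loss_expectancy(threats, baseline)
    avoided_ra = avoided_loss_expectancy(threats, tailored)
    tcs_bs = total_cost_of_security(threats, baseline)
    tcs_ra = total_cost_of_security(threats, tailored, sunk_costs)
    return {
        "avoided_bs": avoided_bs,
        "avoided_ra": avoided_ra,
        "tcs_bs": tcs_bs,
        "tcs_ra": tcs_ra,
        # Slide rule: Avoided Loss Expectancy (RA - BS) > Sunk Costs
        "slide_rule_effective": (avoided_ra - avoided_bs) > sunk_costs,
        # Full comparison, which also charges the extra controls the RA recommends
        "tcs_rule_effective": tcs_ra < tcs_bs,
    }


def rank_by_efficiency(threats, controls):
    """Controls ordered by avoided loss per euro, for prioritizing a sparse budget."""
    return sorted(controls,
                  key=lambda c: avoided_loss_expectancy(threats, [c]) / c.cost,
                  reverse=True)


# Constructed scenario (hypothetical SMB; figures invented for illustration).
THREATS = [
    Threat("malware outbreak", annual_rate=2.0, single_loss=15_000),
    Threat("lost or stolen laptop", annual_rate=1.0, single_loss=8_000),
    Threat("web application breach", annual_rate=0.2, single_loss=250_000),
    Threat("insider fraud", annual_rate=0.1, single_loss=120_000),
]

# Baseline security: generic controls picked from a checklist, no analysis needed.
BASELINE = [
    Control("endpoint anti-malware", 4_000, {"malware outbreak": 0.6}),
    Control("laptop disk encryption", 2_000, {"lost or stolen laptop": 0.9}),
    Control("patch management", 6_000, {"malware outbreak": 0.3, "web application breach": 0.3}),
]

# Risk-analysis-driven programme: baseline plus the two controls the analysis
# singles out for this company's largest exposures.
TAILORED = BASELINE + [
    Control("web application firewall and code review", 13_000, {"web application breach": 0.7}),
    Control("segregation of duties in payments", 3_000, {"insider fraud": 0.5}),
]

RA_SUNK_COSTS = 15_000   # consultants plus staff time spent on the analysis itself


if __name__ == "__main__":
    result = compare(THREATS, BASELINE, TAILORED, RA_SUNK_COSTS)
    print(f"ALE without controls: {annual_loss_expectancy(THREATS):,.0f} EUR")
    for key, value in result.items():
        print(f"{key:<22} {value}")
    print("Priority order:", [c.name for c in rank_by_efficiency(THREATS, BASELINE)])
```

Running it shows the slide's rule accepting the analysis (30,500 € of extra avoided loss against 15,000 € of sunk costs) while the full TCS comparison comes out 500 €/year in favour of the baseline: the rule as written compares avoided loss with sunk costs only, so it implicitly assumes both approaches carry the same implementation cost and credits the extra avoided loss without charging the extra controls that produce it. That gap is the "break-even" the later slides ask practitioners to state explicitly.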
The 27001 Business Case
  • Brand
  • New business enabling
  • Security savings
  • Insurance reduction
  • Incident response

  • Potential savings
  • Very hard to quantify due to event correlation

Expected Financial Impact per Company
  • Monetary impact of security incidents is decreasing

  [Chart: Expected Loss Per Company, y-axis 0 € to 250.000 €; source: CSI/FBI Computer Crime and Security Survey 2008]

  Side note: in the 2009 report the number of incidents rose, together with the financial impact.

  Currently each company is faced with a potential loss of 110k per year (worst-case scenario). Solutions should be cost-effective and long-term.

Risk Analysis Approaches vs Baseline Security

  Top-Down Approach (Risk Analysis Approach)
    • Cost-effective security
    • Maintenance efforts (scenario-based approach)
    • Bigger maintenance efforts (residual risk approach)
    • Sunk costs
    • Complexity

  Bottom-Up Approach (Baseline Security)
    • Simplicity
    • Fast deployment
    • Suitable for SMBs and low CMM
    • Effective in turbulence

The Missing Link: Security By Design
  • The only effective approach in the long term is to complement “security by design” with the top-down approach
  • Security by design will create a “stable equilibrium” with self-correcting properties
  • The community should leverage “Security by Design”

“The Security Guerrilla” Concept
  • The “security guerrilla” approach is effective with SMBs
  • 80% of common risks are mitigated with 20% of controls (Pareto’s principle)
  • The pace of change with many SMBs does not have a significant impact
  • Very cost-effective approach

Open Debate (3 min)
  Q: What is the security value proposition?

Back to the Basics – Strategic Alignment
  • What does alignment mean?
  • What is your company's/customer's generic competitive strategy?
  • What are your company's/customer's directional strategies?
  • What are the business compelling events?
      – Losing customers to the competition
      – Exploiting new market opportunities
      – Pressure to reduce cost
      – New regulatory requirements
  • How does security contribute to them?

Back to the Basics - The Enabler Role
  • Security must respond to compelling events and existing strategies
  • Risk Analysis should be a tool and Risk Management a good practice
  • Certification must be a byproduct of security
  • Security must be a byproduct of business
  • Standards are not a religion (many diverge)
  • From strategy to tactics and operations: where is the security plan?

Back to the Basics - The Security Practitioner
  • Adopt pragmatic perspectives
  • Key role on the “Why” and “When”
  • Focus on business, not on security
  • Develop negotiation, communication and management skills
  • Balance all parts of security
  • Acronyms are not security (CISSP, CISM, CISA, ISO LA, etc.)
  • Adopt out-of-the-box thinking

Food for Thought
  • Who manages security better?
      – A security manager
      – A general manager

  • Many managers have a great perception of risk (give me a manager that has ensured a positive P&L in a turbulent market or recession)
  • Security practitioners are often too biased (no thinking out of the box, no systemic view of problems)
  • Technically focused people normally have strong technical skills and limited communication or negotiation skills

Some Closing Remarks
  • Security, standards and methodologies are many times applied blindly by the community
  • No political, sociological, economic or technological environment is accounted for
  • As with everything, security has trade-offs and a break-even point
  • Not all security is controls, frameworks and methodologies
  • Security is more business and less security
  • Every time you fail to properly demonstrate security's added value, you are contributing negatively

Where to Go?
  • Security must run the “extra mile” to meet business needs in efficient and effective ways
  • Security should adapt to the environment
  • Resources in security are sparse. Prioritize them.
  • For any given option, clearly state the “break-even” and the compromises
  • Practitioners must bet on soft skills
  • Switch from worn-out and cliché messages
  • Back to the plan: a good management practice is to have a plan. Put it in place. Prioritize it, assign resources, deploy, measure results.

Discussion
  marco.raposo@alcatel-lucent.com
  M: +351 968779278
