Risk-based security? Hogwash!

Nothing gets my goat as badly as “risk-based security” talk that is suffocating discussions lately. It is so pervasive and so obnoxiously delivered that you end up wondering if the authors of the term even know how poorly they understand information security, risk management, and the organisation they support. Dunning-Kruger effect in action if there ever was one.

Decisions, decisions

To explain what I mean, let’s look at it from top down:

1.  Everything starts with objectives. The things you want to achieve, stuff you want to do.
2.  Once you're clear on objectives, you need to figure out how to achieve them. Part of that is identifying anything that may stand in your way as well as anything that may help you. You will need to review how to minimise the former while maximising the latter. That's called risk management.
3.  Now you have all the necessary ingredients to make a decision:
•   You know what you want to do;
•   What may help you get it; and
•   what has the potential to stop you from getting it.

Your decisions will be informed by risks (the potential to stop you); they will not be based on risks. Your objective, i.e. what you want to do, is a certainty in your decision making; risks are potential obstacles that may prevent you from getting what you want.

Information security is just one of many aspects of risks that is considered when you’re deciding if your objectives are worth pursuing in totality, partially or not at all. It’s not the main thing, it’s not even a runner up.

Risk-based, risk-informed … what’s the difference?

I understand that there are many different definitions of risk out there, many tailored specifically to their own little niche. So let’s replace “risk” with “price” for a quick analogy:

Let’s say you moved into a new apartment. It’s unfurnished and you have a tight budget. You can choose between two chairs: first chair has a broken leg but you can get it for free. Second chair is exactly the same as the first one, except it has all four functional legs, but it costs $5. Cost-based decision: you go with the free chair and balance precariously every time you sit on it. Cost-informed decision: you shell out $5 and get the functioning chair.

Same goes for risk. If your decisions are based solely on risks you ignore your overarching objectives and base your decisions on risks and risks only. And then you balance precariously on a broken chair and wonder why you just can’t relax when sitting on it.

So what would a “risk-based security” look like?

Highly derivative and reactive. Why? Risks can only be identified once objectives are defined. No objectives, no risks. Once you have identified risks you base your security posture on the potential of those bad things happening. You are preparing controls to minimise bad things based on current assessment of the risks, which has the potential to change drastically overnight. Made a “risk-based decision” not to roll out patches this quarter because there were no known exploits in the wild? Woke up one morning to news articles about just such 0day exploit making rounds? Well, that’s “risk-based security” for you.

Anyone that at this stage starts saying that patching, application while-listing, what-have-you is just “standard due diligence” is not understanding the full meaning of “risk-based security”. There is no “standard due diligence” in risk-based anything, because all decisions have to stem (be based on) risks. That this doesn’t make logical sense is not up for discussion .;-)

If people talking about “risk-based security” actually mean “due diligence up to this point and after that we’ll make decisions informed by risks to the environment” then that isn’t “risk-based security” and they’re using language to confuse not just themselves but also everyone outside the information security industry. One step forward, two steps back. Words, whatever do they mean?