The Fallacy of Risk Analysis (Feb 2010)


DESCRIPTION

A pragmatic analysis of the value of Risk Analysis, certifications and complex security in the Portuguese economic environment.

TRANSCRIPT

Free to copy, distribute. You must attribute the work in the manner specified by the author. You may not use this work for commercial purposes.

Marco Raposo 2010 http://pt.linkedin.com/in/marcoraposo

The Fallacy of Risk Analysis

M. Raposo


If curriculums had the ability to speak…

“As a Senior Credit Risk Manager in Citigroup, I was able to sustain billions in financial losses and bankrupt a centenary institution”

Citigroup Acknowledges Poor Risk Management

New York Times, October 16, 2007


Some Security Trends in Recent Years

• Quality of Service growing in importance
• 27001 moving towards the 2700x family
• Cloud Security arising
• Focus on Business Continuity Management
• Response moving towards prevention (e.g. Data Loss Prevention)
• Growing focus on Governance, Risk management and Compliance (GRC)
• Security issues moving up the OSI layers


The Focus on the RA and on Standards

• Risk Analysis has been positioned on the market as the cost-rational tool
• Standards sold as the right security approach
• 27001 leveraged as the maximum exponent of security
• 223M € - BSI Group financial performance in 2008
• Bulk training from several organizations (BSI, ISC2, ISACA, SANS, VISA, etc.)
• Certifications: too much noise and unbalanced value


The Limitations

• The RA approach is similar to one-to-one marketing
• RA within the enterprise micro system is effective
• However, it only acts within boundaries
• With changing trends, the Internet and information ubiquity, the boundaries are diffuse
• RA approaches within certifications are in fact a “global” response strategy
• Standards are just standards. They don’t say “When” and “Why”


National Landscape

• Portuguese Market*
  – 99,6% SMBs
  – SMBs represent 75% of employment
  – 56,4% of GDP (PIB)

* IAPMEU feb 2008

• Our addressable market is smaller
• Our long tail is bigger
• Models/investments profitable in other environments might not be profitable in the local market


Question?

Q: Do we need to perform Risk Analysis to cross the street?

A: NO. We use a set of simple rules.

Q: Do we need to perform Risk Analysis to cross a street full of traffic while a dog is chasing us?

A: Yes.


Back to the Basics

• Do we need Risk Analysis to set priorities?

* ISACA Journal Jan 2010


Risk Analysis Approaches vs Baseline Security

TCS(RA) = Sunk Costs + Security Implementation – Avoided Loss Expectancy(RA)

TCS(BS) = Security Implementation – Avoided Loss Expectancy(BS)

If Avoided Loss Expectancy(RA) – Avoided Loss Expectancy(BS) > Sunk Costs, then Risk Analysis is effective.

(TCS = total cost of security; RA = Risk Analysis approach; BS = Baseline Security. The sunk costs are the cost of performing the analysis itself, which the baseline approach does not incur.)
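The following is an added worked example of the TCS(RA) vs TCS(BS) comparison above; it is not code from the original deck. It assumes, as an illustration rather than as the author's method, that each approach's avoided loss expectancy is obtained by summing, over a list of threat scenarios, the classic annual loss expectancy (ALE = SLE × ARO) times the fraction of that loss the approach's control set mitigates. The scenario figures, mitigation fractions, sunk costs and implementation budget are all constructed sample values.

```python
"""Worked comparison of TCS(RA) against TCS(BS) using the slide's formulas.

Assumptions (not from the original deck): avoided loss expectancy is the sum
over threat scenarios of ALE (= SLE x ARO) multiplied by the fraction of that
loss the control set is assumed to mitigate. All figures are constructed.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Scenario:
    """One threat scenario with the mitigation each control set buys."""
    name: str
    single_loss_expectancy: float  # euros lost per occurrence (SLE)
    annual_rate: float             # expected occurrences per year (ARO)
    mitigated_by_bs: float         # fraction avoided by baseline controls
    mitigated_by_ra: float         # fraction avoided by RA-tailored controls


def annual_loss_expectancy(scenario: Scenario) -> float:
    """Classic ALE = SLE x ARO."""
    return scenario.single_loss_expectancy * scenario.annual_rate


def avoided_loss_expectancy(scenarios: Iterable[Scenario], approach: str) -> float:
    """Loss expectancy removed by the control set of 'RA' or 'BS'."""
    if approach not in ("RA", "BS"):
        raise ValueError("approach must be 'RA' or 'BS'")
    attr = "mitigated_by_ra" if approach == "RA" else "mitigated_by_bs"
    return sum(annual_loss_expectancy(s) * getattr(s, attr) for s in scenarios)


def total_cost_of_security(sunk_costs: float, implementation: float,
                           avoided_loss: float) -> float:
    """TCS = Sunk Costs + Security Implementation - Avoided Loss Expectancy.
    Sunk costs are zero for the baseline case, as on the slide."""
    return sunk_costs + implementation - avoided_loss


def risk_analysis_is_effective(avoided_ra: float, avoided_bs: float,
                               sunk_costs: float) -> bool:
    """The slide's decision rule: RA pays off only when the extra loss it
    avoids over the baseline exceeds what the analysis itself cost."""
    return (avoided_ra - avoided_bs) > sunk_costs


def compare(scenarios: Iterable[Scenario], sunk_costs: float,
            implementation: float) -> dict:
    """Evaluate both approaches on the same scenario list.

    Assumes, as the slide's rule implicitly does, that the implementation
    spend is the same for both; sunk costs belong to RA only."""
    scenarios = list(scenarios)
    avoided_bs = avoided_loss_expectancy(scenarios, "BS")
    avoided_ra = avoided_loss_expectancy(scenarios, "RA")
    return {
        "avoided_bs": avoided_bs,
        "avoided_ra": avoided_ra,
        "tcs_bs": total_cost_of_security(0.0, implementation, avoided_bs),
        "tcs_ra": total_cost_of_security(sunk_costs, implementation, avoided_ra),
        "ra_effective": risk_analysis_is_effective(avoided_ra, avoided_bs, sunk_costs),
    }


# Constructed sample scenarios for a small company (illustrative figures only;
# fractions are exact in binary so the arithmetic is reproducible).
CONSTRUCTED_SCENARIOS = [
    Scenario("phishing / credential theft", 20_000.0, 1.5, 0.5, 0.75),
    Scenario("ransomware on the file server", 60_000.0, 0.25, 0.5, 0.875),
    Scenario("lost or stolen laptop", 5_000.0, 2.0, 0.75, 0.75),
]

if __name__ == "__main__":
    # Constructed cost assumptions: the RA engagement itself (sunk) and a
    # common implementation budget for the resulting control set.
    for sunk in (15_000.0, 10_000.0):
        result = compare(CONSTRUCTED_SCENARIOS, sunk_costs=sunk, implementation=25_000.0)
        print(f"sunk costs {sunk:>8.0f} EUR -> TCS(BS) {result['tcs_bs']:>8.0f}, "
              f"TCS(RA) {result['tcs_ra']:>8.0f}, RA effective: {result['ra_effective']}")
```

With these constructed inputs the baseline avoids 30.000 € of expected loss and the RA-tailored controls 43.125 €, a difference of 13.125 €. When the analysis itself cost 15.000 € that difference does not cover the sunk costs and the baseline wins (TCS(BS) = –5.000 € against TCS(RA) = –3.125 €); at 10.000 € of sunk costs the rule flips. Note that both approaches share the same set of sample scenarios and so the same detection and response ambitions; a real comparison also has to account for RA's ongoing maintenance effort, which the slide lists separately.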


The 27001 Business Case

• Brand
• New business enabling
• Security savings
• Insurance reduction
• Incident response
• Potential savings: very hard to quantify due to event correlation


Expected Financial Impact per Company

• Monetary impact of security incidents is decreasing

Currently each company is faced with a potential loss of 110k per year (Worst case scenario). Solutions should be cost effective and long term.

* CSI/FBI COMPUTER CRIME AND SECURITY SURVEY 2008

[Chart: Expected Loss Per Company, axis from 0 € to 250.000 €]

Side Note: in the 2009 report the number of incidents rose together with the financial impact.


Risk Analysis Approaches vs Baseline Security

Risk Analysis Approach

• Top-down approach
• Cost effective security
• Maintenance efforts (scenario based approach)
• Bigger maintenance efforts (residual risk approach)
• Sunk costs
• Complexity

Baseline Security

• Bottom-up approach
• Simplicity
• Fast deployment
• Suitable for SMBs and low CMM
• Effective in turbulence


The Missing Link: Security By Design

• The only effective approach in the long term is to complement “security by design” with top-down approaches

• Security by design will create a “stable equilibrium” with auto-correcting properties

• The community should leverage “Security by Design”


“The Security Guerrilla” Concept

• The “security guerrilla” approach is effective with SMBs

• 80% of common risks are mitigated with 20% controls (Pareto’s principle)

• Pace of change with many SMBs does not have a significant impact

• Very cost effective approach


Open Debate (3 min)

Q: What is security’s value proposition?


Back to the Basics – Strategic Alignment

• What does alignment mean?

• What is your company’s/customer’s generic competitive strategy?

• What are your company’s/customer’s directional strategies?

• What are the business compelling events?
  – Losing customers to the competition
  – Exploiting new market opportunities
  – Pressure to reduce cost
  – New regulatory requirements

• How does security contribute to them?


Back to the Basics - The Enabler Role

• Security must respond to compelling events and existing strategies

• Risk Analysis should be a tool and Risk Management a good practice

• Certification must be a byproduct of security

• Security must be a byproduct of Business

• Standards are not a religion (many diverge)

• From strategy to tactics and operations: where is the security plan?


Back to the Basics - The Security Practitioner

• Adopt pragmatic perspectives

• Key role on the “Why” and “When”

• Focus on business, not on security

• Develop negotiation, communication and management skills

• Balance all parts of security

• Acronyms are not security (CISSP, CISM, CISA, ISO LA, etc)

• Adopt out-of-the box thinking


Food for Thought

• Who manages security better?

– A security manager

– A general manager

• Many managers have a great perception of risk (give me a manager that has ensured a positive P&L in a turbulent market or recession)

• Security practitioners are often too biased (no thinking out of the box, no systemic view of problems)

• Technically focused people normally have strong technical skills and limited communication or negotiation skills


Some Closing Remarks

• Security, standards and methodologies are many times applied blindly by the community

• No political, sociological, economic or technological environment is accounted for

• Like everything, security has trade-offs and a break-even point

• Not all security is controls, frameworks and methodologies

• Security is more business and less security

• Every time that you fail to properly demonstrate security added value, you are contributing negatively


Where to Go?

• Security must run the “extra mile” to meet business needs in efficient and effective ways

• Security should adapt to the environment

• Resources in security are sparse. Prioritize them.

• For any given option, clearly state the “break-even” and the compromises

• Practitioners must bet on soft skills

• Switch from worn-out and cliché messages

• Back to the plan: a good management practice is to have a plan. Put it in place. Prioritize it, assign resources, deploy, measure results.


Discussion

[email protected]

M: +351 968779278