The Best Of Both Worlds


  • Brief discussion on being understood vs. the perfect risk analysis over on Chandler’s blog and Emergent Chaos. This mirrors a current conversation on the Securitymetrics.org mailing list (note to Chandler, don’t just tease us - write about your approaches -  it would be a much better read than Yet Another NAC Article).

    So, dear readers: is the perfect analysis critical, or would you rather be understood by business owners?

    Before we default to "understood", let me say that it depends on what you're trying to do!  There are times when an analyst needs only to explain the risk in a succinct manner (an elevator pitch, if you will) to the CSO (or the CSO to the business owners).  There are other times, in audit/compliance situations for example, when a rigorous analysis is necessary.

    One of the nice things about a risk framework like FAIR is that once you understand risk and its component factors, you can be as rigorous or as superficial as you'd like.  The FAIR Basic Risk Assessment Guide (BRAG), available for free download, uses qualitative ratings and a matrix approach to arrive at a result.  IRMA, RMI's software product, uses object modeling from complexity science, Monte Carlo methods and so forth to provide a more sophisticated quantitative analysis.  At the end of the day, both are using the same framework, just operating at different levels of abstraction.  Understanding the framework drives objectivity into the analysis and builds consistency regardless of how deep you go.
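    As an added illustration (this is example code written for this page, not code from the original post, from RMI, BRAG or IRMA), the Python below walks the same FAIR factor tree at both levels of abstraction: a qualitative matrix lookup in the spirit of BRAG, and a Monte Carlo simulation over calibrated ranges in the spirit of a quantitative tool. The matrix contents, the (min, most likely, max) input ranges and the dollar thresholds are all constructed for the example and are not BRAG's published tables; the factor tree itself (Risk = LEF x LM, LEF = TEF x Vuln) is FAIR's.

```python
"""FAIR at two levels of abstraction (illustrative example).

The factor tree is the same at both levels:
    Risk = Loss Event Frequency (LEF) x Loss Magnitude (LM)
    LEF  = Threat Event Frequency (TEF) x Vulnerability (Vuln)
Level 1 combines qualitative ratings with lookup matrices (BRAG-style).
Level 2 samples calibrated ranges with Monte Carlo (quantitative-tool-style).
All matrices, ranges and thresholds here are constructed for illustration.
"""
import math
import random

LEVELS = ["VL", "L", "M", "H", "VH"]  # Very Low .. Very High

# Illustrative matrix (not BRAG's published table): rows = TEF, cols = Vuln -> LEF.
LEF_MATRIX = [
    ["VL", "VL", "VL", "VL", "VL"],
    ["VL", "VL", "L",  "L",  "L"],
    ["VL", "L",  "M",  "M",  "M"],
    ["VL", "L",  "M",  "H",  "H"],
    ["VL", "L",  "M",  "H",  "VH"],
]
# Illustrative matrix: rows = LEF, cols = Loss Magnitude -> Risk.
RISK_MATRIX = [
    ["VL", "VL", "L",  "M",  "M"],
    ["VL", "L",  "L",  "M",  "H"],
    ["L",  "L",  "M",  "H",  "H"],
    ["L",  "M",  "H",  "H",  "VH"],
    ["M",  "M",  "H",  "VH", "VH"],
]


def _lookup(matrix, row_level, col_level):
    return matrix[LEVELS.index(row_level)][LEVELS.index(col_level)]


def qualitative_risk(tef, vuln, lm):
    """Level 1: LEF from TEF x Vuln, then Risk from LEF x LM. Returns (lef, risk)."""
    lef = _lookup(LEF_MATRIX, tef, vuln)
    return lef, _lookup(RISK_MATRIX, lef, lm)


def _poisson(rng, lam):
    """Knuth's sampler: number of events in one year given expected rate lam."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def monte_carlo_ale(tef, vuln, lm, trials=10_000, seed=1):
    """Level 2: annualized loss exposure from (min, most_likely, max) estimates.

    tef  : threat events per year
    vuln : probability that a threat event becomes a loss event (0..1)
    lm   : loss per loss event, in dollars
    Each trial draws a TEF and a Vuln, realizes LEF as a count of loss events
    for that year, and sums an independently drawn loss magnitude for each one.
    """
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        t = rng.triangular(tef[0], tef[2], tef[1])    # triangular(low, high, mode)
        v = rng.triangular(vuln[0], vuln[2], vuln[1])
        events = _poisson(rng, t * v)                  # LEF realized as a count
        annual.append(sum(rng.triangular(lm[0], lm[2], lm[1]) for _ in range(events)))
    annual.sort()

    def pct(q):
        return annual[int(q * (trials - 1))]

    return {"min": annual[0], "median": pct(0.5), "mean": sum(annual) / trials,
            "p90": pct(0.9), "max": annual[-1]}


# Illustrative dollar thresholds for reporting a quantitative result as a level.
ALE_THRESHOLDS = [(10_000, "VL"), (100_000, "L"), (1_000_000, "M"), (10_000_000, "H")]


def ale_to_level(ale):
    """Bridge back to the elevator pitch: express an ALE figure as a rating."""
    for bound, level in ALE_THRESHOLDS:
        if ale < bound:
            return level
    return "VH"


if __name__ == "__main__":
    print("qualitative (TEF=H, Vuln=M, LM=H):", qualitative_risk("H", "M", "H"))
    # Constructed input ranges for one scenario: 2-50 threat events/year,
    # 5-50% chance each becomes a loss event, $5k-$200k per loss event.
    result = monte_carlo_ale(tef=(2, 10, 50), vuln=(0.05, 0.2, 0.5),
                             lm=(5_000, 25_000, 200_000))
    print("quantitative:", {k: round(v) for k, v in result.items()},
          "->", ale_to_level(result["mean"]))
```

    The point of keeping both paths in one file is that the inputs mean the same thing at both levels: a TEF rating of "H" and a TEF range of (2, 10, 50) events per year are two expressions of one estimate, and the quantitative result can be collapsed back to a rating when the audience needs the short version. Swap the triangular draws for PERT or log-normal distributions once you have calibrated estimates; the structure of the simulation does not change.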

    So the key here isn't the approach so much as having a framework within which to be consistent and defensible: a framework that offers the best of both worlds.
