Risk Has Got To Have Probability Based on Frequency
Hi there! Happy Friday.
I’m under the weather today, but thought I’d point some things out real quick.
Shrdlu at Layer8 talks about probability of action and motivation of attackers. It's great to see probability of action and frequency of action being considered in risk analysis. Her blog post got me thinking about something else I saw in my RSS feeder.
There are some really cool products that are mislabeled as "risk management" products. This mislabeling is one of the factors that lead smart folks (Jaquith and Ranum among them) to claim that "risk management" is dying or dead; Rothman told me last week that people are becoming "numb" to the term. DarkNet talks about one such product today. Now, the vendor of this product has some really cool stuff, and very respected people I know use their technology to feed priors into FAIR (Factor Analysis of Information Risk), but it's worth repeating:
- Risk analysis must derive probability from frequencies (how often threat events occur, and how often they succeed), not from "hey, that looks like a bad vulnerability that someone might get to."
- Risk management is not just vulnerability management with risk analysis bolted on for the sake of prioritization.
Again, these are typically really great products for what they do. I'm not saying don't buy the product - I think if you have the resources, you should really consider their stuff. I've heard that the specific product mentioned in the DN article is crescent fresh.
It's just that the companies that make these products feel like they have to do the Gartner Magic Quadrant Dance in order to raise more capital and/or be acquired, which is a shame. Their incorrect use of these terms turns off the more sophisticated of us while fooling the unsophisticated into thinking they're actually doing something that they most certainly are not.
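To make the first point concrete, here is an added example that is not part of the original post and is not any vendor's code: a toy, FAIR-flavored comparison of two ways to prioritize the same four findings. The findings, their threat event frequencies, success probabilities and loss ranges are all constructed assumptions, and the arithmetic is a simplified rendering of FAIR's factors (threat event frequency, vulnerability, loss magnitude), not the FAIR standard itself. What it shows is that a severity-only ranking and a frequency-times-loss ranking disagree on identical inputs.

```python
"""Severity-only prioritization vs frequency-based risk (added example).

This is a simplified, hypothetical rendering of FAIR's factors (threat event
frequency, vulnerability, loss magnitude), not the FAIR standard and not
code from the post or from any vendor. All issue data below is constructed.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Issue:
    name: str
    severity: float       # scanner-style 0..10 score: "that looks bad"
    tef_per_year: float   # threat event frequency: attempts per year (assumed prior)
    p_success: float      # probability an attempt succeeds (FAIR "vulnerability")
    loss_low: float       # loss per loss event, USD, low end (assumed)
    loss_high: float      # loss per loss event, USD, high end (assumed)


# Constructed findings; every number is an illustrative assumption only.
ISSUES = [
    Issue("internet-facing RCE in web app",        9.8,   50.0, 0.60, 20_000, 500_000),
    Issue("local privesc on isolated batch host",  7.8,    0.2, 0.90,  5_000,  50_000),
    Issue("credential stuffing on customer login", 6.5, 2000.0, 0.01,    500,   5_000),
    Issue("weak TLS cipher on internal admin UI",  5.3,    2.0, 0.05,  1_000,  10_000),
]


def loss_event_frequency(issue: Issue) -> float:
    """FAIR-style LEF: threat event frequency x probability the event succeeds."""
    return issue.tef_per_year * issue.p_success


def annualized_loss_expectancy(issue: Issue) -> float:
    """Point estimate: LEF x mean loss per event (uniform between low and high)."""
    return loss_event_frequency(issue) * (issue.loss_low + issue.loss_high) / 2


def rank_by_severity(issues):
    """What a 'risk-scored' vulnerability scanner gives you: severity only."""
    return [i.name for i in sorted(issues, key=lambda i: i.severity, reverse=True)]


def rank_by_ale(issues):
    """Frequency-based ranking: expected annual loss, highest first."""
    return [i.name for i in sorted(issues, key=annualized_loss_expectancy, reverse=True)]


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(issue: Issue, years: int = 5000, seed: int = 1) -> dict:
    """Monte Carlo: loss events per year ~ Poisson(LEF), each loss ~ Uniform(low, high).

    Returns the mean annual loss, the 90th percentile, and the fraction of
    years with any loss at all, which the point estimate above does not show.
    """
    rng = random.Random(seed)
    lef = loss_event_frequency(issue)
    losses = []
    for _ in range(years):
        n = _poisson(rng, lef)
        losses.append(sum(rng.uniform(issue.loss_low, issue.loss_high) for _ in range(n)))
    losses.sort()
    return {
        "mean": sum(losses) / years,
        "p90": losses[int(0.9 * years)],
        "p_any_loss": sum(1 for loss in losses if loss > 0) / years,
    }


if __name__ == "__main__":
    print("by severity:", rank_by_severity(ISSUES))
    print("by ALE:     ", rank_by_ale(ISSUES))
    for issue in ISSUES:
        est = simulate_annual_loss(issue)
        print(f"{issue.name:40s} ALE={annualized_loss_expectancy(issue):>12,.0f} "
              f"mean={est['mean']:>12,.0f} p90={est['p90']:>12,.0f} "
              f"P(loss)={est['p_any_loss']:.2f}")
```

Run it and compare the two rankings. The scanner score puts the isolated-host privilege escalation second; annualized loss expectancy puts credential stuffing second, because thousands of cheap attempts a year against an exposed login outweigh a high-severity bug that almost nobody can reach. The Monte Carlo pass adds what the single ALE number hides: the spread (p90) and the probability of suffering any loss at all in a given year, which is the kind of frequency a decision maker can actually argue with.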


rybolov May 25
The term “risk management” has been abused by people who have taken vulnerability scanning or technical policy compliance products, attached some kind of workflow/ticketing system to them, and dubbed them “risk management”.
You do true risk management every day when you decide to cross a busy street at a crosswalk with a stoplight. It’s not that hard.
LonerVamp May 25
Not really related, but what I think sucks about "risk management" as a term (buzzword?) these days is how many of us naturally do risk management every day. We even do it irregularly, such as with a pen-test or a decision to do patch management or something. We do it naturally, and some of us are quite accurate, practical, and efficient.
The hard part is when we have to put those ephemeral decisions into some numbers and graphs and comparisons for the business side.
Or convey your thought process so underlings (err, less experienced people) can emulate it?
Alex Hutton May 25
LV-
Oh, I think it’s absolutely related. One thing products in this quadrant do is put a bunch of data in front of a decision maker - “See, we can’t do our job, and so here’s how an attacker can get in!” Which is inevitably followed up with “So give me more money.”
In the meantime, the business owner is doing his own risk analysis (as you mention) - sometimes you win, sometimes you lose. The beauty of real, defensible risk analysis is that it includes frequency and loss and therefore takes that expertise out of the hands of the "business side" - they make decisions based on your priors, not theirs.