Risk Assessment Is Not Guesswork

  • I love Richard Bejtlich’s weblog. He’s a very intelligent individual, and if you aren’t already subscribing to his stuff, you really ought to. ROI is making the circles of blogdom again, and Richard’s deep in it (security topics are like airborne viruses: they keep going around and around from person to person until we acquire immunity).

    I know Richard’s read this weblog before, he’s had very nice things to say about us.  So it’s with the utmost respect that I have to say that he’s done very well with the whole ROI meme until we read this:

    As a result, risk assessment is largely guesswork. Guesswork means the savings can be just about anything the security manager chooses to report.

    Risk Analysis, done correctly, is not “guesswork”.

    Now part of the reason he’s wrong is because he’s not using FAIR (grin), but in general (and correct me if I’m wrong, Richard) he seems to be saying:

    “There is uncertainty in risk analysis, so it is not a good expression of value”

    rather than

    “The risk equations I’ve used don’t really seem to mirror reality to me, so risk analysis is not a good expression of value” 

    Let me offer that there is plenty of uncertainty in science (where’s that dadburned electron?), business (what’s the value of this land in 10 years?), and in life (am I raising my children right? Am I driving too fast to make that turn?). We compensate for uncertainty by making probability statements. Sometimes this is a gut thing (like swinging a tennis racket), and sometimes it has more rigor, like the use of Bayes’ Theorem in Nuclear Magnetic Resonance Spectroscopy (Hi Dad!). The key to making a good probability statement is the framework you’re using. End of story. If Richard or Donn Parker or whoever wants to claim that risk assessment is a charade, then let me suggest that they aren’t really upset with risk assessment; they’re upset with the framework they’ve used.
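    Here is an added example, not part of the original post, of what a probability statement inside a framework looks like in practice: a loss-event-frequency estimate kept as a Gamma distribution and updated by Bayes’ theorem as incidents are (or are not) observed, so the estimate is something evidence can move rather than a number the analyst picks. The Gamma-Poisson model, the range-to-prior rule and the sample scenario are assumptions of this example, not anything the post or FAIR specifies.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RateBelief:
    """Gamma(alpha, beta) belief about the rate of loss events per year.
    alpha/beta is the mean rate; beta behaves like 'years of evidence'."""
    alpha: float
    beta: float

    @property
    def mean(self) -> float:
        return self.alpha / self.beta

    def update(self, events: int, years: float) -> "RateBelief":
        """Bayes' theorem with a Poisson likelihood: seeing `events` over
        `years` turns Gamma(a, b) into Gamma(a + events, b + years)."""
        if events < 0 or years <= 0:
            raise ValueError("need events >= 0 and years > 0")
        return RateBelief(self.alpha + events, self.beta + years)

    def p_at_least_one(self, horizon_years: float = 1.0) -> float:
        """Predictive probability of >= 1 event within the horizon. Integrating
        the Poisson over the Gamma rate gives P(0) = (b / (b + h)) ** a."""
        return 1.0 - (self.beta / (self.beta + horizon_years)) ** self.alpha


def prior_from_range(low: float, high: float) -> RateBelief:
    """Turn a calibrated estimate such as '1 to 5 events per year' into a
    prior by matching the Gamma mean to the midpoint and its standard
    deviation to a quarter of the width (an assumed moment-matching rule)."""
    if not 0 <= low < high:
        raise ValueError("need 0 <= low < high")
    mean, sd = (low + high) / 2, (high - low) / 4
    beta = mean / sd ** 2
    return RateBelief(alpha=mean * beta, beta=beta)


if __name__ == "__main__":
    # Constructed scenario: the analyst's calibrated range is 1-5 events/year,
    # then three years of logs show a single qualifying loss event.
    prior = prior_from_range(1, 5)
    posterior = prior.update(events=1, years=3)
    for label, b in (("prior", prior), ("posterior", posterior)):
        print(f"{label}: mean {b.mean:.2f}/yr, "
              f"P(>=1 event next year) = {b.p_at_least_one():.3f}")
```

    The point of the exercise is that both the stated range and the update rule are written down, so a colleague can dispute the assumptions rather than the number.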

    1. Richard Bejtlich Jul 16

      Hi Alex,

      I did not intend to open a “second front” by criticizing risk assessment, but since you decided to comment let me ask this question.

      You mention “science.” What hypotheses have you proposed for testing involving risk assessment, and what were the results of your experiments?

    2. roodee Jul 16

      I think that is the point (risk assessments being subjective). The framework has many built-in “assumptions”. You can call these axioms, principles or what not, but in the end they are the assumptions you use to derive your probabilities. Your statement, “they’re upset with the framework they’ve used”, is illustrative of this point. The starting point of a given framework contains some degree of subjectivity. Sure, a given framework will provide probabilities as output, but how do you determine that this probability corresponds to reality? In short, you cannot. I know everyone knows this already, but we presume that our frameworks are more truth conducive (in the form of delivered probabilities) than others based on the subjective assumptions that we’ve built into them. There is a certain circularity here. This doesn’t mean that risk assessments as such are without utility, but to claim that one can more accurately deliver probabilities with a given framework sounds dubious. So while your *method* of deriving probabilities claims to minimize subjectivity, the construction of the method itself is rife with it. Don’t let a method hide the fact that the output may still be loaded with assumptions (that is code for subjectivity).

    3. Alex Jul 16

      @ Richard

      Note that I used many areas of life, science being one. However, while we’re on the topic – let me answer you and roodee with the following:

      The Bayesian objectivist posits that with the right framework (Jaynes’ Desiderata) any two persons having the same prior information would calculate the same probability. “Such probabilities are not relative to the person but to the epistemic situation, and thus lie somewhere between subjective and objective.”

      Application of Bayes’ Theorem can be said to be, in and of itself, an implementation of the scientific method (bear with me), so each and every risk analysis, while not science itself, is a hypothesis to be tested and results gathered (I believe that these would be the ethereal “risk metrics” that the securitymetrics.org mailing list looks for every 6 months or so).

      Bayesian probability theory, risk, and scientific method should therefore be inseparably interwoven together by an enterprise, just as they are for any other discipline where they are applied. This is why the framework used in risk analysis is so important, and why, if the current risk = asset*vulnerability*impact/control gives us bogus nonsense, we should chuck it and try to find a framework that mirrors reality more accurately.

      RE: roodee’s aversion to subjectivity: I think it’s best said thusly about subjectivity, frameworks and probability theory by I. J. Good:

      “…the subjectivist states his judgments, whereas the objectivist sweeps them under the carpet by calling assumptions knowledge, and he basks in the glorious objectivity of science.”

      Subjectivity and Objectivity are not binary. There exists a spectrum – and the goal of any framework, probability analysis or not, is to drive us closer and closer towards objectivity.

      As we start down that road towards objectivity (and in probability analysis we can substitute “precise” for “objective” at times) we reach certain milestones. Places like “doesn’t seem right”, “useful”, and “accurate” are all wayposts – points on the map we reach as our framework becomes more and more mature.

      And when you think about it, does this not mirror the history of science itself? The Greek view of the four elements gives way to Newtonian physics which leads us onto quantum mechanics… Each a more accurate view of the mechanics surrounding the world around us.

      If Richard, you or Donn Parker are upset I believe it’s understandable. We, as a profession, are still trying to leave the Air/Wind/Fire/Earth mindset.

    4. Linda Jun 8

      “Risk Analysis, done correctly, is not “guesswork”.” Failing to take proper safety measures could be lethal to employees and financially devastating to owners.
