I love Richard Bejtlich’s weblog. He’s a very intelligent individual and if you aren’t already subscribing to his stuff, you really ought to. ROI is making the circles of blogdom again, and Richard’s deep in it (security topics are like airborne viruses – they keep going around and around from person to person until we acquire immunity).
I know Richard’s read this weblog before; he’s had very nice things to say about us. So it’s with the utmost respect that I have to say that he’d done very well with the whole ROI meme until we read this:
As a result, risk assessment is largely guesswork. Guesswork means the savings can be just about anything the security manager chooses to report.
Risk Analysis, done correctly, is not “guesswork”.
Now part of the reason he’s wrong is because he’s not using FAIR (grin), but in general (and correct me if I’m wrong, Richard) he seems to be saying:
“There is uncertainty in risk analysis, so it is not a good expression of value”
“The risk equations I’ve used don’t really seem to mirror reality to me, so risk analysis is not a good expression of value”
Let me offer that there is plenty of uncertainty in science (where’s that dadburned electron?), business (what’s the value of this land in 10 years?), and in life (am I raising my children right? Am I driving too fast to make that turn?). We compensate for uncertainty by making probability statements. Sometimes this is a gut thing (like swinging a tennis racket), and sometimes it has more rigor – like the use of Bayes’ Theorem in Nuclear Magnetic Resonance Spectroscopy (Hi Dad!). The key to making a good probability statement is the framework you’re using. End of story. If Richard or Donn Parker or whoever wants to claim that risk assessment is a charade, then let me suggest that they aren’t really upset with risk assessment – they’re upset with the framework they’ve used.