On The Sad State of Risk Management
In Anton Chuvakin’s 2007 predictions, he addresses a subject dear to our hearts. He predicts:
Risk management: a confusion about what is "risk management" will not subside this year. Business risk? Information risk? Risk as threat x vulnerability x asset? Risk as probability of loss? Arrrghh! - It goes on and on and on. No standard accepted definition of risk management in the field of infosec will emerge.
As much as it pains me to say, I agree with him; as an industry we’re at least several months (hopefully not more than 12) away from having a clue as to what "risk management" means to the average information risk practice. He’s right, and in my view we find ourselves in this state for a couple of reasons.
The Bad News
First, there are all sorts of misconceptions about what risk management is. For example, there’s a nice article on Dark Reading about how Tipping Point is getting together with DDI to "measure risk". That may be, but it’s not risk management (and one might argue that, like other "risk from a box" solutions, it isn’t even measuring risk).
I’ve also already mentioned how risk management isn’t sprinkling probability dust on a vulnerability management cycle. Nor is risk management the collection of asset-based probability and impact ratings for confidentiality, integrity and availability (C, I and A) on everything with an IP address under your control once every 18 months. No, risk management is "how you use risk to manage". "How you manage" includes answers to "how/when/where/why" you measure risk.
And there’s the problem: the "how/when/where/why." Jack put the following together for one of RMI’s marketing efforts, but I think it explains the current state succinctly:
- Effective risk management depends upon consistently making well-informed decisions, but…
- Well-informed decisions depend on useful, accurate information, but…
- Useful, accurate information depends on a solid understanding of risk issues and available solutions, but…
- A solid understanding of risk issues and available solutions depends on a framework for thorough, consistent analysis, but…
- A framework for thorough, consistent analysis depends on a clear and logical understanding of risk elements and factors, but…
- A clear and logical understanding of risk elements and factors depends on a foundational taxonomy of risk and risk management.
Bottom line – without a foundational risk taxonomy, the rest isn’t possible. Without a framework, without the logical understanding of risk elements and factors, without being able to solidly understand risk issues, the "how/when/where/why" questions of measuring risk will never be answered. And if we can’t answer these questions about how to measure risk, we’ll never be able to manage by using risk, and thus we’ll never have true "risk management" as I think Anton (and Andrew Jaquith and others I’ve talked to) believe it can be.
The Good News
This is why RMI has given up the FAIR patent, why we’re releasing it under the Creative Commons license, and why we’re spending precious, precious start-up cash on interfacing with the Open Group and telling people about FAIR. Hopefully, together, we can make a standard for risk measurement and a process definition for risk management.