How many of these risk assessment myths do you believe? David Lacey’s blog post suggests that there are probably a good number of security practitioners in the world still apply risk assessment in a non-intuitive way. To help clear the air and provide a bit of a public service, Lacey list six myths that he runs into quite often and can dispel:
- Risk assessment is objective and repeatable
- Security controls should be determined by a risk assessment
- Risk assessments should be focused on assets
- Risk assessment prevents you spending too much money on security
- Risk assessment encourages enterprises to implement security
- We should aspire to build a “risk culture” across our enterprises
The first of these myths,”risk assessment is objective and repeatable”, is simply not so, according to the post: assessments are made (generally speaking) by people who are using incomplete data. These people have varying knowledge and opinions. If all assessments seem to be coming back with the same results, Lacey suggests you investigate further. Another myth is that “risk assessment prevents you from spending too much money on security.” This, too, is not correct: Not in practice. Aside from one or two areas in the military field where ridiculous amounts of money were spent on unnecessary high end solutions (and they always followed a risk assessment), I’ve never encountered an information system that had too much security. In fact the only area I’ve seen excessive spending on security is on the risk assessment itself. Good security professionals have a natural instinct on where to spend the money. Non-professionals lack the knowledge to conduct an effective risk assessment. The final myth Lacey addresses is that organizations should aspire to build a “risk culture.”He sees this as a dangerous move, as it puts the whole organization on edge and potentially freezes them when it comes to taking any risky but rewarding action. Taking risks within safe limits is a healthy and productive way of moving an organization forward, but drawing so much focus on risk can ultimately doom a company.