per spective

what’s in a word?

2013-05-08T15:13:00.003+02:00

Talking about risk is difficult. One reason is that we use the same term differently in different contexts.

Technically, risk can be seen as the quantified potential consequences of uncertainty. Such consequences can be good or bad, with respect to our objectives. After all, doing business is about taking risk. An investor will have a certain appetite for risk.

In everyday life, we talk about the risk for rain and we’re not referring to potential consequences as much as the likelihood that it will, in fact, rain.

Both interpretations are fine, as long as we recognize the difference.

What’s in a word?

risk center

2013-04-17T18:24:00.000+02:00

How do we understand or construct risk?

What happens when a museum becomes a site-specific risk assessment facility and performance space? The Swedish Museum of Architecture in Stockholm lets British designer Onkar Kular create an interactive space where the visitor gets a nudge to start thinking personal safety. The venue is primarily aimed at children and I would love to be a fly on the wall when they make their way through ten different scenarios.

Say, doesn’t that staircase look frightfully steep?

Å.R.E. (3)

2013-03-14T21:17:00.001+01:00

A few notes on context analysis and Design thinking from the final day of Åre Risk Event.

An approach for context analysis in managing risk:
Your objectives?
The "local" history?
Your position in place/time?
The views of those around you?

Crisis Management (or Risk Mgmt?) as a Design activity.
In a fluent/ambiguous situation, Design thinking can bridge the gap between predefined templates for action (the rule-book) and an open, emergent approach. Reshaping concepts as we go: Could we judge water quality in terms of 'safe' when 'clean' has become unrealistic?

Å.R.E. (2)

2013-03-13T22:23:00.001+01:00

My impressions from day 2 of Åre Risk Event.

Environmental regulations based on hazard classification as opposed to risk-based (considering dose, exposure) are irrational.

Before a crisis, build trust through 'soft' factors. Watch out for excessive trust e.g. groupthink.

Meet a crisis with flexible, loosely coupled, emergent mgmt structures. Bureaucracy is not the answer!

People have a potential to self-organize.

A common information architecture for gov't agencies will not happen on a voluntary basis.

Å.R.E.

2013-03-12T23:17:00.001+01:00

Day 1 of this year's Åre Risk Event. My personal key take-aways.

Accidents will happen. Social science holds the answer.
Making cities resilient. Disasters are not 'natural'.
Build back better. Guidelines for reconstruction.
Revisit Maslow in the face of existential risk. Courageous individuals with visions.
Bring educators, practitioners and researchers together.

Local readiness, national platforms, UN directives.

Lots of activity in the public sector. How do we define and measure effectiveness?

mind those bookmarks

2013-03-03T19:58:00.000+01:00

So, how does one maintain a Delicious bookmarks collection?

I'm pretty sure it will involve more than just creating additional bookmarks and hoping the old links still work...

A few years old and at 144 links it's no longer rudimentary enough to ignore. Apparently, I've managed to use well over a hundred tags, a ridiculously detailed level. This in itself would justify a mild make-over.

And no, free-text web searching would not do the trick. I find my bookmarks useful. Your mileage may vary.

do you accept?

2013-03-01T07:01:00.000+01:00

The easiest way to treat a risk is not to.

Risk acceptance is perfectly reasonable in many cases where it would be too expensive or even impossible to mitigate a risk. Exposing a system to the Internet carries substantial risk and yet we do so because that's where potential customers are.

Who has the authority to accept risk? It's down to policy, ownership of systems and ultimately management structures.

Risk acceptance should be a conscious, documented decision and not just lack of action.

on intersubjectivity

2013-02-14T17:38:00.001+01:00

We cannot measure information risk. Not in monetary terms, not on any quantitative scale.

We can (and must) assess risk through lenses available, but to achieve business relevance we need an element of intersubjectivity. A metric shouldn't depend on what individuals happen to be involved.

Therefore, we need methods based on a common understanding of basic concepts. We could take a vote on what constitutes a "threat" but the fact that we need to take a vote is a reflection of low industry maturity.

objective it isn't

2013-02-05T19:42:00.000+01:00

With all its deficiencies - biases, incompleteness and errors - a systematic SRA is our best hope for tackling security risk.

If we document what perspectives are represented, how risk is constructed from components, how likelihood is quantified - if the SRA is transparent - the reader will know how to use it, what to trust and what to improve.

When I as your assessor do my level best with adequate resources and you as system owner trust me, we can get a lot done. Just don't call it objectivity.

the impeccable historical record

2012-11-01T07:01:00.000+01:00

Risk should be objectively quantified.

A quantified risk level guides decision makers in prioritizing how to spend wisely in treating risks. If applied information security is to be realized cost-effectively, the risk level is our tool. It is derived by estimating the risk event in terms of its probability and impact - ideally in monetary terms.

Objectivity in risk quantification requires historical data as a foundation for event likelihood plus a thorough understanding of its business impact.

talking straight

2012-10-01T07:01:00.000+02:00

Risk should be objectively described.

If a risk isn't clearly described, it simply isn't understood and will not be effectively treated.

Poor risk descriptions all but ensure that valuable insight from the SRA never reaches the right ears.

Objectivity in risk description requires pedagogy, language skills and sufficient boldness to communicate in no uncertain terms so that all stakeholders will understand the risk - through its interrelated components - the same way we did when constructing it.

infinite expertise with zero bias

2012-09-02T18:15:00.001+02:00

Risk should be objectively identified.

This implies establishing timing and scope in such a way that best supports the decision situation which triggered this SRA.

We must also capture the most important risk components and successfully construct combinations which constitute the most relevant risks within scope.

Objectivity in risk identification requires complete knowledge of our system as well as existing threat sources and vulnerabilities plus unlimited creativity and a total lack of bias.

objectivity, anyone?

2012-08-19T19:24:00.001+02:00

Objectivity implies a guarantee against bias, intentional or accidental. Emotions or prejudices must be controlled. Objectivity means presenting a just view of the world as it really is.

If a Security Risk Assessment (SRA) is to be objective, three conditions must be met.

Risk should be objectively identified.

Risk should be objectively described.

Risk should be objectively quantified.

All three conditions must be met, or the SRA will not constitute an objective statement about security risk.

objectively yours

2012-07-14T09:49:00.001+02:00

We like to think of Security Risk Management as an objective practice. After all - if stakeholders are expected to foot the bill for mitigating risk, they will want to base such a decision on solid ground. They need facts, don't they?

Hold it right there.

What is a fact about risk? Risk concerns potential future events. What facts do we have about the future? That's right. None, whatsoever.

So, in the absence of facts - what can we offer? Is there such a thing as an objective risk assessment?

the importance of risk awareness

2012-04-27T20:24:00.001+02:00

Feeling secure is not the same as being secure. Both are desirable objectives and they're somehow related. But one does not necessarily follow from the other.

In many cases, my 'being secure' depends on my being cautious. If I'm risk-aware, I will avoid actions which could increase my vulnerability. In a way, I will be more secure partly because I don't feel secure.

So, what happens when a system successfully makes a user feel secure? How does that affect her vulnerability, her 'being secure'?

that old narrow path

2012-04-23T20:40:00.001+02:00

Organizations want to (appear to) be ethical, thus avoiding bad publicity. 3 problems with this (semi-)noble goal.

There is no universal ethics, no standard for right and wrong.

Ethics cannot be imposed by decree. Proclaiming common values does not make common values. Management sets the tone but it's down to the integrity of co-workers.

Ethics is not about publicity. It's about doing right when there are no witnesses and I could get away with anything. Ethics begins with you and me, here and now.

yet another bad day for heroes

2012-04-22T22:25:00.002+02:00

When everything goes wrong, a hero saves the day in the face of looming disaster.

In some places there seems to be an awful lot of days when all goes wrong. Enter objectives, roles and processes. All frightfully boring concepts but they lend an air of predictability to an enterprise. With less chaos and fewer surprises, we can get a grip on risk and this is basically what it takes for a business to grow up.

So, in that sense there's no place for heroes in the culture of a mature organization.

Enterprise Miracle Management

2011-09-28T21:14:00.000+02:00

Can't Enterprise Risk Management guarantee against failure?

It's like asking why there are still fires now that we've hired firefighters. ERM could use a good portion of expectation management. If someone believes that nothing could ever go wrong since we have an ERM function, they need a reality check.

Not all existing risk will be discovered.
Not all discovered risk will be mitigated.
Not all mitigated risk will be eliminated.

Be sure to equip your firefighters but don't go expecting miracles.

Read more about Risk Management Failures at Sonia Jaspal's RiskBoard.

guided by risk

2011-09-14T07:14:00.023+02:00

How is the risk paradigm relevant during a breach?

If the breach relates to risks previously documented, we know risk level, vulnerabilities and assets involved. Incident Management is also informed in another way. We will have to pick strategies for containment and recovery. Each strategy carries risk. How do we choose? By swiftly assessing risk. (The incident doesn't wait.)

So - just like incidents inform future risk management, impromptu risk assessments can guide ongoing incident handling.

a useless paradigm?

2011-09-07T11:10:00.002+02:00

Some argue that risk is a useless paradigm when a breach has occurred. It is happening, probability 100%, why theorize further?

To me, this analysis is surprisingly shallow.

Being under attack is not a binary thing, it is not about an enterprise losing its virginity once and for all. Sure, we must deal urgently with the current incident. But there's a host of potential events awaiting tomorrow which need to be foreseen and prevented.

Today's incident enlightens us in assessing current risk.

creativity is key

2011-08-20T23:55:00.001+02:00

Why all this fuss about creativity? From a systems perspective, creativity is important for two reasons.

Partly because of disruptive change. When change occurs, we need new ways to look upon ourselves. These can't be found in school books.

Partly because of complexity. Even if our environment was perfectly stable, we need to frame existing complexity - making it understandable, controllable.

So, creativity is key. That said, ideas are not enough. Someone will still have to be implementing them!

Read more about Creativity@Risk at Sonia Jaspal's RiskBoard.

motivated we stand

2011-07-20T21:56:00.002+02:00

In order to limit (hopefully avoid) InfoSec risk, we use controls. These can be technical or administrative.

Either way, they will involve humans who need to understand and accept the controls. In general, we may require people to wear seatbelts, pick complex passwords or quit smoking at work. Co-workers will find ways to circumvent controls that they’re not motivated to accept.

Any technocrat can pick the strongest control. A wise leader will consult and motivate his team before implementing it.

Read more about employee disengagement at Sonia Jaspal's RiskBoard.

learning from incidents

2011-07-09T20:27:00.002+02:00

In Infosec, there are risks (what could happen) and incidents (what has happened).

We deal with risks proactively by asking questions. Identify, describe, quantify and so on. We treat the risks, hopefully avoid them.

Incidents call for a reactive posture. How can we recover?

A mature organization prefers to be proactive as opposed to reactive. One way is to interconnect the two approaches. Analyze your incident history so that recurring issues can be addressed. Don't forget that rear mirror.

Read more about distinguishing between risk and issue at The Innovation of Risk.

future in the rear mirror

2011-06-29T21:20:00.001+02:00

Security risk is uncertainty about undesirable future events, a lack of control. To reduce uncertainty, we'd need a way to look into the future. And we can.

Having identified threat sources and vulnerabilities relevant to our assets, we construct risk by formulating realistic events. Neither objective nor scientific, it does provide a crystal ball of sorts.

Also, what has already happened? History is an indicator of what might happen. Spotting the future in the rear mirror could be our best option.

the risk you wouldn't want

2011-06-19T19:41:00.002+02:00

There are different kinds of risk. Some are desirable. Doing business means taking risk to make money. The risk appetite will vary between companies and over time.

Other risks represent things going wrong in a company's everyday activities. We call them operational. You won't have an appetite for them. Instead, we talk of risk tolerance. When do you decide to close a factory, do things differently to avoid the potential cost? Operational risks are risks you don't want. Infosec risks among them.