Why Risk Management Doesn't Work

Two new studies challenge current wisdom about calculating an enterprise's security risk -- and recommend rethinking the process

Tim Wilson, Editor in Chief, Dark Reading, Contributor

October 2, 2008

Two reports published in the last two days are challenging conventional wisdom about how to calculate enterprise security risk -- and recommending new evaluations that account for industry-specific threats and potential rewards.

Verizon today issued a supplement to the data breach report it published earlier this year. (See Verizon Study Links External Hacks to Internal Mistakes.) The report, which compares risk factors in six different vertical industries based on actual forensic breach investigations in those industries, indicates that the likelihood of specific types of attacks varies radically from industry to industry.

In a separate report, RSA's Security for Business Innovation Council recommends a new process for calculating enterprise risk that more accurately weighs business rewards against potential security threats.

The Verizon report is a collective analysis of some 530 forensic investigations of data breaches that the company has done in large enterprises. It breaks down the causes of the breaches by industry and draws conclusions about the most common types of attacks committed in each.

The report concludes that the likelihood of a specific type of attack varies radically from industry to industry. In financial services, for example, Verizon investigated many sophisticated attacks involving cooperation of insiders and organized outsiders, as well as social engineering. The likelihood of internal, external, or partner attacks all ranged between 38 percent and 56 percent.

In the food and beverage industry, on the other hand, the attacks were much less sophisticated, and the likelihood of internal attacks was only about 4 percent, while the likelihood of external and partner attacks was 70 percent to 80 percent.

"The attacks in financial services were very innovative and sophisticated," says Bryan Sartin, one of the authors of the Verizon report. "In food and beverage, though, we saw a lot more repeatable, data-compromise-in-a-box sort of attacks -- sort of the way... criminals once discovered that if you bump a certain type of cash register in a certain way, the drawer will open."

Verizon found similar differences in the sophistication and approaches used to attack data in other industries, including retail and high technology. Retail, for example, reported the highest number of breach incidents, but a relatively low level of attack sophistication. High tech, due to the technical savvy of its employees, generated a higher likelihood of insider threat than any other industry in the study.

What these results might mean, Sartin says, is that employing a generic risk calculation, such as the likelihood of insider threats, may be a mistake unless industry-specific factors are accounted for. Although there are many studies and calculators that discuss trends in security attacks, very few of them break their data down by industry, and that breakdown may be crucial to accurately calculating risk in a particular enterprise, he suggests.

While the Verizon study highlights the need for an industry-specific focus on risk calculation, RSA's Security for Business Innovation Council, a group of CSOs and other security experts, yesterday also published a paper that recommends rethinking current calculations of risk.

In its report, the RSA council "explores why legacy methods of evaluating information security risk don't work in today's connected world, in which any new business innovation inherently carries some level of risk to information." The study calls for a new method of calculating risk that focuses less on IT security-specific issues and more on business issues.

In essence, the paper observes that current risk management models focus largely on the risks associated with security breaches and the costs of mitigating them. However, such risk calculations often fail to take into account the potential business benefits of adding new Web- or network-based capabilities -- they focus too heavily on risk and not enough on reward, the paper says.

The paper suggests a new risk-management process in which each IT-related initiative would go through "reward calculation" before undergoing assessment by the business and IT organizations to evaluate risk.

The idea is to create additional interplay between the business side and the technical side, so that both understand the potential risks and rewards before making a decision on how to proceed. The paper even outlines a resolution process when the two sides can't agree on the risk/reward debate, and recommends the formation of an "enterprise risk council" that includes representatives from all over the business.

"Any new business innovation inherently carries its own risk/reward equation," the paper says. "If security teams look only at 'mitigating risk,' without enough focus on the reward, they can end up erecting barriers to innovation. There is a need to fundamentally shift perspectives."

About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.