For years, professionals of the information security industry have been advising and using risk-based approaches to securing organisations and their information assets. This has been the received wisdom for so long that this is now encompassed in industry standards, such as ISO 27001, FIPS 200, etc. This seems to make sense – there is no point in spending money implementing mitigations where there is unlikely to be any risk. However, is this the right approach?
A paper published in November 2010, Understanding and Managing Risk in Security Systems for the DOE Nuclear Weapons Complex , may have some new insights into the problem. Although the research performed was based around physical security, and nuclear weapons, the approach taken was remarkably similar to that taken by the information security industry: Probability-based Risk Assessment as the basis of security design. The recommendations were stark:
The committee advises against the use of probabilistic risk assessment (PRA) in designing security for the DOE nuclear weapons complex at this time.
The problems with using probability to model security include:
• To prepare a risk assessment correctly, the assumption is made that the likelihood or impact of an event (or threat occurrence) happening in the past can be used to predict the likelihood or impact of the event in the future. This requires that there is a statistically valid history of such events is available for such analysis. As no two organisations have exactly the same exposure to threats, or the same impacts resulting from those threat occurrences (events), it is impossible to build such a history that is statistically valid. Consequently, likelihood and impact are subjectivity compiled by analysts and the stakeholders providing input.
• Such risk models break down for the boundary state of low likelihood and high impact. By definition, low likelihood events occur so infrequently that they do not occur often enough for their likelihood to be predicted accurately, and their impact be objectively predicted. The ratings from a risk assessment in these cases often lead to weak mitigations that do not protect the organisation when such an event occurs.
• Risk assessments assume that each event occurs singularly. The impact of several low likelihood and low impact events occurring within a very short or the same time is not examined. However, the impact of such event together may be greater than their sum, and become a major impact to the organisation.
• Probability-based risk assessments do not work for malicious environments. An attacker is looking for weaknesses, and is not going to avoid attacking a weakness because the likelihood of the event occurring is assessed by an organisation as low. Consequently, the attacker is able to “manipulate” likelihood ratings to benefit the success of the attack.
Brian Snow, the ex-technical director of information assurance for the National Security Agency in the US, was on the report’s committee. He expanded on the findings of the report for the information security industry in an interview on . He stated, “The bad guy does not act on probability, he acts on intent”
However, let us not throw the baby out with the bathwater. ISO 31010:2009, the international standard for risk assessments techniques does have some validity in its approach, even if we are no longer interested in the final “risk result”. The standard calls for a tight scoping of the area under examination (called “context” in the standard). It also requires that the risks are clearly identified through a formal methodology.
These two steps allow the analyst to start thinking as an attacker: what is available to attack, and how can I do it? Once this threat-based analysis approach is taken, an organisation has a chance to appropriately defend against malicious attack.
Neither should we throw out the formal governance around information security. The ISO 27001 requirement for an Information Security Management System (ISMS), a framework of documents and procedures to define and continuously improve the security posture of an organisation is always going to be important. The inputs of the governance processes should be adjusted from risk assessment to threat based analysis.
Charles Wale CISSP, CISA, CRISC, QSA is a freelance information security consultant with 15 years’ experience in the industry. He is a Director of Lee Douglas & Associates.
Read more industry opinion pieces: