The art and science of risk management

A new survey from Tripwire explores whether risk management is more science or art.

Computers, networks, and information security seem to fall comfortably under the heading of science, but science alone is not enough. Security system developer Tripwire recently conducted a survey in cooperation with the Ponemon Institute to find out whether IT professionals consider risk management to be "science" or "art."

Ponemon surveyed 1,320 respondents across the United States and the United Kingdom: IT professionals working in information security, risk management, IT operations, business operations, and compliance. Participants were asked, "In your opinion, is information security risk management an 'art' or 'science'?"

Ponemon defined the two concepts for the purposes of the survey. "Science" means basing decisions on objective, quantifiable metrics and data. "Art" refers to analysis and decisions that are based on intuition, expertise, and a holistic view of the organization.

Two-thirds of respondents working in IT and enterprise risk management or business operations sided with "art," while nearly two-thirds of those working in IT security and IT operations chose "science."

Tripwire CTO Dwayne Melancon weighed in with some thoughts on the results. His take is that those who work in business operations and risk management generally don't believe a precise answer is necessary in order to make a decision, so they favor art. Those who work in IT operations and security, on the other hand, view risk management as a math problem with a specific answer, so they see it as a science.

Melancon explains that the disparity between art and science is the crux of the problem when it comes to managing risk effectively. "People with these viewpoints are talking about the same thing, but they are using very different language, which can make it difficult to come to a mutually agreed point of view."

The simple reality is that risk management is both an art and a science. Computers are precision instruments that operate purely on ones and zeros; how they work, how they can be attacked, and how you manage risk and protect them are matters of science. But there is also a human factor, on the side of both the attackers and the victims, that adds an element of unpredictability and mixes intuition, the art, with the science.

Attackers are adept at exploiting the human factor to bypass security controls. Effective risk management depends on having the right tools in place, the science, while also keeping the big picture in mind and recognizing that the user is generally the weakest link in the security chain, the art.
