Security Risk? What Do You Mean, Risk?
Robert (RJ) Jeffries | July 17, 2012
Over the past few weeks, I’ve spent quite a bit of time “down in the weeds” analyzing breaches, assisting with incident response efforts and sifting through large amounts of data. So, rather than blogging about some new breach, vulnerability, malware threat or the value of planning for them, I want to take a step back and look at the bigger picture.
While down in the weeds, I started to wonder what sort of patterns or trends might be emerging in the threat landscape. After some thought, I considered how serious these problems were in relation to each other.
Then I wondered, what might be the next issue around the corner? This is always a very tricky subject, and I asked myself, “What if we as a society are wrong? What if, in our anticipation of upcoming threats, our preparations are too specific? How ready would we be to adapt to those circumstances as they change?” That’s when it dawned on me. A common concept, one that is too often overlooked, became apparent: risk.
Threats have been hard to miss with all the recent media coverage. The mass media loves a good threat story. It gives them a chance to worry people who may not have a grasp on whether or not the threat in question will affect them.
While much is made about threats, I noticed that the notion of risk has always been present but is rarely discussed. Threats and vulnerabilities capture a lot of attention; risk, however, is the third component that links the two together. I considered why that might be and realized that conversations addressing risk are simply not part of our dialog.
Maybe it’s not a mainstream topic because risk is not as tangible as receiving information about a software vulnerability, or reading an alert that someone is trying to break into a network or already has. It probably doesn’t help that a lot of the literature about risk depends on having a significant amount of data that is neatly parceled and boiled down into some not-so-intuitive, and possibly not-so-helpful, arbitrary number. For some reason, that seems to make sense to me.
In all the conversations I’ve had over the past month regarding incident response or some of the topics discussed here, none of them included topics like percentages, probability or estimated rate-of-occurrence. The result was apparent. It did happen. No question about it.
Yet, without all the jargon, options were still being considered, variables were being weighed and decisions were being made. In short, things were getting done. This realization was somewhat reassuring, but I could not help but consider what might have been prevented if the right information had been provided at the appropriate time, with a suitable amount of detail, and had been presented in an efficient manner.
How could improved contextual and situational awareness have been provided, and to whom, in order for these situations to have been prevented in the first place?
Hindsight having the benefit of 20/20 vision, it seems clear to me that many issues could have been prevented with even a little attention to the organization’s associated risk. Yet I wonder: what decisions are being made, and what actions are being taken right now, that will impact next month’s news?
What could be prevented if we simply added risk as a topic of our normal discourse? If much about risk is common sense, yet it is not part of normal dialog, maybe we need to change the way we think about risk so it is more relevant.