Tuesday, July 1, 2014

Time for InfoSec to Use the Right Definition of Risk

Information Security professionals commonly define risk in one of two ways:
  • The expected loss over a given period of time
  • Risk = threat * vulnerability * impact
Compare this to the way risk is explained in Wikipedia: "Risk is the potential of losing something of value, weighed against the potential to gain something of value." It is the old adage "nothing ventured, nothing gained." Andy Ellis, the CSO of Akamai Technologies, describes it this way: "Our businesses are in the business of taking risks. That's what we do for a living. We spend money in hopes of making more money."

Do you see the problem with the InfoSec risk definition? InfoSec risk is focused on loss: analyzing and minimizing bad outcomes. Real risk is focused on the difference between the expected gain and the expected loss. Too often Information Security minimizes bad-outcome potential to the extent that it causes greater harm to the gain potential. Have you heard this before? "We can't move to the cloud. Too many unknowns. Too risky." I've heard the same said about SaaS, outsourcing, mobile applications, employee mobility, and web services. Really? Were these the same people who said that we couldn't use email a couple of decades ago, or that we couldn't offer online banking?

If Information Security truly internalized a new risk definition that properly balanced the loss potential and the gain potential, we would be more effective in supporting our businesses. Maybe it would cause us to shift to being enablers of rapid adoption of better / faster / cheaper business technology models. Yes, there is profit to be made by properly reducing loss potential. There is also profit to be made by maximizing upside potential. Let's be a proper voice for that equation. If we do, then we'll probably see ourselves march into some unknowns faster, and probably see some traditionally moderate- and high-residual-risk systems go into production because the gain possibility is so great.

So let's adopt the Wikipedia risk definition. Besides, it is what everyone else is using anyway.
"Risk is the potential of losing something of value, weighed against the potential to gain something of value."
And hey, who wants to work at a shop that doesn't run email or a web site anyway?

BTW - I took the risk of jumping off a cliff into the Pacific Ocean today and the reward was great.