
What Problem Does Risk Assessment Really Solve?

Last post 06-21-2007 10:43 PM by rybolov. 8 replies.
  • 05-01-2007 8:15 AM

    • mcurphey
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Europe
    • Posts 199
    • Points 2,130

    What Problem Does Risk Assessment Really Solve?

    This post was lost in the site upgrade and was originally posted by Alex Hutton. Sorry.

    So I was sitting onsite somewhere today, and the folks I was with were considering becoming a "risk-oriented" security group.  I'm obviously excited by the thought, but there was some discussion about "selling" the concept internally.  Someone asked, "What problem does risk assessment solve?" "What problem are we trying to solve here?"

    And it's not a bad point.  I mean, above and beyond the very ethereal "effective, consistent, defensive..." or some "because of XYZ standard/regulation" - what *problem* does risk assessment solve?

    Now this is a real security group with dozens of folks acting as InfoSec analysts.  There are all sorts of internal processes and such that they do where good risk assessment could make them better - but that's just it.  An understanding of risk makes you better, maybe even much, much better.  But it doesn't solve a problem per se. And there isn't some ROI statement on "being better" that you can use to communicate the benefits of a risk perspective.

    So I thought I'd ask the community.  What problem does risk assessment solve for you? 

  • 05-01-2007 11:33 AM In reply to

    • tthomas
    • Top 50 Contributor
    • Joined on 05-01-2007
    • Miami
    • Posts 3
    • Points 60

    Re: What Problem Does Risk Assessment Really Solve?

    Risk assessment, imho, does not truly solve any problems except as a subset of the large picture called risk management. A risk assessment of my house may find my windows are unlocked, but that is of no benefit to me unless I then lock them and devise a plan to make sure they stay locked. As a result, I don't see too many organizations with a "risk assessment" team that is not really just part of their risk management effort. Risk management DOES have the potential to provide ROI because it goes a step beyond risk assessment and actually gets into resolving the security issues uncovered in the risk assessment phase. How much of a return depends on the business involved and the circumstances.

    Take a software firm that makes money management software. If they do proper risk assessments and create a very secure piece of software, they generally will ONLY see an ROI if their competitor does not and gets hammered by a security hole. Even then, they still only get an ROI if the customers abandon the weak product in favor of their strong one. That kind of ROI is just not something bean-counters truly believe in, so you do not see a lot of software companies doing thorough risk assessments. On the other hand, take financial institutions. They do risk assessments all the time because they KNOW they will be attacked and they know if their security is breached, they will lose money. Further, the more secure they are seen versus their competitors, the more customers they will gain, which makes risk management even MORE valuable to them. They may not be able to quantify the EXACT ROI, but there is no doubt they do benefit from risk assessments and risk management.

    In short, I do not think risk assessment really does solve anything. Risk management, however, does.

    Technology cannot protect us from stupid.
  • 05-01-2007 1:50 PM In reply to

    • ebreece
    • Top 10 Contributor
    • Joined on 04-24-2007
    • Twin Cities
    • Posts 39
    • Points 585

    Re: What Problem Does Risk Assessment Really Solve?

    I would have to agree, tthomas.  It does not solve problems as much as identify them.  It is a step in or component of a Risk Management process/program.

    An organization has to take the first step to define its objectives and the roadblocks to those objectives.  Then to help define an ROI on the objectives you can use Risk Management to identify risks (i.e., roadblocks), what it will take to overcome them (i.e., mitigation steps), and if it's worth achieving.

    Result: Business decision based on an understanding of the organization's risk profile.

    -E
  • 05-02-2007 12:52 PM In reply to

    • rybolov
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Washington, DC
    • Posts 149
    • Points 910

    Re: What Problem Does Risk Assessment Really Solve?

    tthomas:

    Risk assessment, imho, does not truly solve any problems except as a subset of the large picture called risk management.

    Nice.

    Now knowing Mr Curphey, he was throwing out a slow-moving fastball for you to hit out of the park. =)

    However, I agree with you.  Without the response to a threat/vulnerability/risk troika that the term "risk management" implies, all you are doing is CYA or whining.  Nobody likes a whiner; they like people with a solution.

    One of the reasons that we have risk management as a focus group is because it makes sense if you know what you are doing security-wise--in a sense, all security is risk management, it's this tasty little hub at the center of everything.

    My guess is most people approach risk assessment because it is a requirement for a compliance framework that they happen to be using (7799, NIST, PCI, etc) and the first question is "This seems pretty overblown, how do I do this easily?"

    "Those who do not understand Unix are condemned to reinvent it, poorly."
    --Henry Spencer
  • 05-02-2007 1:00 PM In reply to

    • mcurphey
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Europe
    • Posts 199
    • Points 2,130

    Re: What Problem Does Risk Assessment Really Solve?

    Thanks for the back-handed compliment. At least that's the way I am taking it. I am British, and so it would be a bowl and not a pitch anyway.

    The Risk Management was intentional, as you said. Earl and others rightly kept coming back to the thought that we should include what to do with risk items. I was trying to get us to bite off a smaller chunk of the pie to complete, as RM is obviously a big topic. That said, hopefully when we get the RA bit complete (and I think it's close) the other things can all line up. A good community guide to RA with a bunch of supporting real-world things (the Guerilla toolkit) would be superbly useful.

  • 05-02-2007 5:54 PM In reply to

    • ebreece
    • Top 10 Contributor
    • Joined on 04-24-2007
    • Twin Cities
    • Posts 39
    • Points 585

    Re: What Problem Does Risk Assessment Really Solve?

    rybolov:
    all security is risk management, it's this tasty little hub at the center of everything.

    Security is the center of the universe.  Risk management is so close that it's just hard to tell the difference sometimes. ;) 

    -E
  • 05-15-2007 4:18 AM In reply to

    Re: What Problem Does Risk Assessment Really Solve?

    Hello to all, I just wanted to jump in with my point of view. Most organisations think they have a kind of risk management. But what they really do is patchwork. They somehow discover new threats, decide with some gut instinct what to do and buy some technology, whenever they get the budget. When asked about their methodology, they have none or an inconsistent one. Another person in the company would come to another solution, because of another gut instinct or probably because of a worse ability to raise budgets.

    After conducting a risk assessment, most security responsibles see the big picture for the first time. To jump to their defence, most German security responsibles are not doing this as a full-time job; they have a lot of other responsibilities too. As you may sense already, I'm not talking about the top 500 companies, but about the majority of companies in the world, the SMU's.

    And here is the benefit of risk assessment: now they know where to invest first in security, and they have a tool to raise budgets from their managers. If you manage to buy in the owner-manager or some other director during the risk assessment phase, the doors for accomplishing real risk management are wide open. What security officers really need is a practicable risk assessment methodology and not a book, breathed on with some scientifics and teaching them how to calculate statistics and probability.

    With kind regards, Holger Reichert

    Holger Reichert
    Information Security Specialist
    Manager
    Holysword GbR
  • 05-17-2007 3:48 AM In reply to

    • mcurphey
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Europe
    • Posts 199
    • Points 2,130

    Re: What Problem Does Risk Assessment Really Solve?

    Holger

    I think you are spot on. It's also somewhat concerning that the big security vendors are now all touting risk management products. Among big vendors I include IBM, McAfee, Symantec etc. A vulnerability scanner is not a risk management technology. We need to start calling a horse a horse and a mule a mule!
  • 06-21-2007 10:43 PM In reply to

    • rybolov
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Washington, DC
    • Posts 149
    • Points 910

    Re: What Problem Does Risk Assessment Really Solve?

    mcurphey:
    I think you are spot on. It's also somewhat concerning that the big security vendors are now all touting risk management products. Among big vendors I include IBM, McAfee, Symantec etc. A vulnerability scanner is not a risk management technology. We need to start calling a horse a horse and a mule a mule!

    The term "Risk Management" has been abused by vendors who took vulnerability assessment tools and added workflow into them.  Eventually they will get tired.  In the meantime, mankind has been practicing risk management since the day we figured out that "Fire Burn!"

    "Those who do not understand Unix are condemned to reinvent it, poorly."
    --Henry Spencer
All Rights Reserved - The ISM-Community