Risk mitigation: a myth of infinite cost and finite risk

You are all familiar with the typical presentation on risk management where we see the same old graph that depicts the risk as finite on one side and the cost of mitigation as infinite on the other, and attempts to show us the balance point between the two where the total cost is minimal. Well, the idea is correct, but guess what? The graph is wrong. The graph is wrong, and it gives you a wrong idea of the cost distribution, which in turn biases you towards accepting more risk. That graph actually makes you and your business less risk-averse. How?

[Figure: a “traditional” risk cost versus mitigation cost trade-off graph.]

You see, the idea that the risk is finite while the risk mitigation cost is infinite is a myth.

Risk mitigation cost is only infinite when your resources are lower than those required for mitigation. So, yes, this is possible, but unlikely. There are limits to our technology and there are limits to the effectiveness of investment, but there is also a limit to the number of risks and mitigation techniques that a business can apply. So the risk mitigation costs may be very high and you may be unwilling to pay …
Mitigating risks … is a waste of money?

There was an interesting talk at one of the panels at the RSA Conference, where SilverSky and Adobe claimed that investing in security is a waste of money. Their message is simple and compelling:

“For most companies it’s going to be far cheaper and serve their customers a lot better if they don’t do anything [about security bugs] until something happens. You’re better off waiting for the market to pressure on you to do it.”

Although they say that this was all in pretense, we all know it was not: companies large and small try to avoid fixing problems as long as they can, waiting for customers to complain loudly before ever doing anything. Basically, this is a risk that companies rate as unimportant because of its low perceived rate of occurrence.

The problem with this kind of risk is that it cannot be properly rated. The probability of such risks is hard to estimate because the data is basically unavailable, and their impact is underrated because of the low perceived probability. People tend to ignore such risks.

But can companies also afford to ignore such risks? What has to be considered is that a …
State of security – still miserable

Even after all these years the software industry seems to be stuck in a state where we believe that if a vulnerability exists but is unknown to the public it cannot be exploited, so our software is “practically secure.” In theory this is true, but the problem is that once someone finds the vulnerability, the finder may simply exploit it instead of reporting it or helping to fix it. Having “hidden” vulnerabilities doesn’t really make the vulnerabilities go away; it simply means that the vulnerabilities are a time bomb, with no way to know when they will be exploited.

Security is a fascinating subject, even for the uninitiated, not to mention Bruce (who makes money with it no slower than the US Treasury printing presses). It may be looked at from different perspectives and talked about in several management dialects, including McKenzie (I do not speak it, but I can understand it in a round-about sort of way). Talking about security often gives you a cozy feeling. And all those diagrams, tables and, oh my, vectors and mitigations, they are so neat and kosher… until someone starts asking hard questions. Pray this someone is not your customer.

Talking about security does …
