President's blog focused on industry trends and best practices.

The Purpose and Value of Threat-Risk Assessment in the Corporate Environment

October 27, 2006 (adapted from May 6, 2006)

The process of Risk Assessment (RA) and/or Threat-Risk Assessment (TRA) is most useful for helping people understand the threats and risks involved. I favour gap assessment, but sometimes a business process owner will challenge you to explain the risks:

  • why does that policy apply in this case?
  • why should we spend $75k on that change to meet the baseline [or to exceed it]?
  • why shouldn't we wait 1 year until they release a new version with additional features?

Or the business process owner may disagree with a recommendation or policy, and choose to sign off on the exception. In that case it is important to ensure that the threats and risks at hand were communicated clearly.

It is not the result from a TRA that matters, but the process of educating the decision makers, designers and implementors.

Information security is an art, not a science, as Donn Parker would say, because there isn't sufficient data to practice it as a science. So, we are in the position of educating and appealing as much as possible to industry standards and other seemingly objective measures. RA and TRA are just tools in the arsenal. How you use them, and/or other tools, and to what extent, is up to the practitioner... (and sometimes a client has to go through the process that they have requested, to understand its limitations, while still deriving value...).

I agree that it can also be used for prioritization, when done at a high level. Or one may prioritize intuitively. You may be accused of playing politics, and of subjectively favouring your own agenda, in which case RA may help. But realistically, I agree with what Bruce Schneier says, to paraphrase--security trade-offs and decisions depend on power and agenda--and that power usually isn't in the Information Security department.