Cyber Security Trends (III): Impacts better than Risks

Security decisions will be based in impact instead of risk 

Antonio Ramos
3 min read, Jan 12, 2014

Risk management has been at the foundations of security from the very beginning. Best practices, like those brought together by the ISO/IEC 27001 standard, include risk management as the pillar of information security management. And this is only one example: most standards, and even regulations and legislation, give a key role to risk management (PCI-DSS, the EU Directive on critical infrastructure protection, etc.).

And, for sure, this has been true for most of the time, but it is no longer the “best practice”.

Basing our cyber security decisions exclusively on risk analysis could have negative consequences:

  • First of all, risk analysis is a predictive technique, and we are not able to predict the future; we do not even have the tools to do so. Perhaps there was a time when reality was simple enough to allow us to predict the future, but nowadays systems and attacks are so complex that it is completely impossible (for further discussion of the difference between simple and complex systems, take a look at Dave Snowden’s model, Cynefin).
  • And, secondly, today’s scenarios change so much that past events do not help us understand, let alone predict, future events. Furthermore, we have to consider black swans, which, by definition, are unpredictable (a concept introduced by Nassim N. Taleb).
  • Finally, risk management has another negative consequence in daily operations: the organization has a false sense of security because it has undergone a risk analysis, and if people are not aware of this, early signs of incidents can go undetected for lack of the alertness needed.

But, if organizations cannot rely on risk management, how should it be done? In fact, organizations should continue relying on risk management, but not exclusively. Risk management should be used for simple, even complicated, scenarios, but it should be complemented with impact analysis in complex situations where probability cannot be applied; i.e., cyber security decisions should be based on a mix of risk and impact analysis.

In fact, impact-driven cyber security decisions are the ones that best fit critical infrastructure protection, where the most important aspect is to avoid high-impact events on the population and to be as resilient as possible. This is exactly what the people of Gloucester (photo) are doing after the floods of 2007; they gave up trying to avoid, or even predict, future floods. They have installed an early warning system that alerts them a couple of hours before the water reaches the city, and they have adapted their houses to live with floods (stone walls to drain better, hooks in the oak beams of the ground-floor rooms to raise their furniture, electrical supply at the top of the house with cables dropping down to sockets above flood height…).

In summary, if you feel that you cannot predict what will happen, and you know that you do not know all the elements, nor their relationships (i.e., you are in a complex world), it is better to base your cyber security decisions on impacts than on risks; at least, you will pay more attention to what is happening in your systems and you will detect weak signals of incidents earlier.

Antonio Ramos

Security professional who looks for better ways of management