Risk? What Risk?
Mostly we develop military grade systems. So the security requirements are pretty high. However, sometimes I feel like we overkill the design, and maybe sometimes my colleagues try to impose a decision in order to be on the ‘safe’ side but at the end all we get is an unusable system.
Yesterday I was in a meeting with my fellow colleagues regarding the security risks on one of our ‘developing’ systems. Two colleagues started to argue with each other regarding a so called ‘high impact’ security risk and the mitigation strategies in the system. A third guy entered the conversation, a fourth, a fifth and after 15 minutes I was in the conversation suggesting a solution to the problem at hand, and trying to reject the ideas of colleagues.
For another 15 minutes this went on like that. After a while I sat back on my chair, and tried to make sense of it all. It did not add up. Something was wrong. Then I realized although the impact of the problem was high enough to consider, the likelihood of the incidence, attacker motivation versus attack cost factors were very very slim.
At the end, it turned out to be a low risk problem, and we just lost one precious hour in a meeting room arguing pointlessly only to find out there is nothing to argue on.
Sometimes it is better to sit back, and try to understand the problem before reaching to conclusions.