A non sequitur that should not Endure

By Wade Baker

“Attacks vary, therefore risk management doesn’t work.” To be fair, that’s not a direct quote from a recent Dark Reading article entitled “Why Risk Management Doesn’t Work”, but it is an accurate expression of its message. Like us (and Alex Hutton of RMI), you may be thinking that something about that message doesn’t seem quite right. Congratulations – you’re a logician.

Non sequitur is a Latin phrase meaning “it does not follow.” It applies to an argument where the conclusion does not logically follow from the premise. Need a good example? Check out the Dark Reading article which discusses our 2008 Data Breach Investigations Supplemental Report. Actually, the article itself isn’t bad; it does a fine job covering some of the findings from our report. My main objection is with the logical conclusion implied in the title which, oddly, doesn’t seem to square with what the article spends most of its time discussing.

The Supplemental Report highlights how the sources, causes, vectors, consequences, etc. of breaches differ, often substantially, among industries. What do those differences mean for risk management strategies? I suppose that depends on who you ask. The Dark Reading article seems to imply that such variations invalidate the practice. We argue to the contrary – these findings establish the need for risk management. The logical reformulation of the message above is:

Premise: Attacks vary.
Conclusion: A security program that fails to account for variation doesn’t work.

Risk management is a process that (should) help organizations decide which controls should comprise their security program. Doing it correctly tailors the program to account for each organization’s risk profile and appetite. If it’s not working, it probably has more to do with how the process is conducted rather than the process itself. As advisors to our organizations in matters of security, let’s make sure our conclusions are grounded and our logic doesn’t take leaps.
