Security’s Possible Path To Maturity

Alex Hutton
June 1st, 2009

At times, there are topics in information security discussions that get a lot of attention, fall out of interest, only to be resurrected again and reemerge as a hot topic. I call these “Information Security Zombie Memes”; they are the walking dead of discussion and rhetoric that we can’t seem to destroy. Return on investment, security through obscurity, full/partial/responsible disclosure, how to measure security, and similar topics are good examples of subjects that boomerang back into our collective consciousness again and again. One that has been on my mind lately, as I think about the convergence of risk management and management science, is the “security: art or science?” meme.

And while I was thinking and talking to people about the concept, it occurred to me that there might be a basic path from art to science that we could talk about. Now it’s not every day that you get to study how a “science” evolves, so you’ll forgive me if this seems pretty back-of-the-napkin, but I think the flow of evolution might go something like this:

  1. Do Certain Things (develop Best Practices)
  2. Make Laws about Doing Those Certain Things (compliance)
  3. Follow Those Laws Consistently (maturity models)
  4. Measure Things (metrics development)
  5. Think About How Things Work (Logic-Based or Deductive Model development)
  6. Test Theory About How Things Work With Observation and Other Thoughts (model selection via inductive and deductive reasoning & testing: wash, rinse, repeat)
  7. Revise Theory and Go Back to 5 or 6 depending on the results.

Note that I’m not suggesting that the progression is evenly distributed. Some aspects of security are still very mystical, others are very much in the model development stages. There are some of our peers who fly completely by the seat of their pants, there are others who try very much to apply scientific method to their practice.

I’m also not trying to put forth the “can/should risk management be a so-called soft or hard science” argument in this post, but it occurred to me that using this sort of “body of knowledge maturity model” might help you and me identify areas of our profession where we might look to fill evidence/information gaps in order to advance more uniformly to stage seven.

In some follow-on posts this week, I’d like to talk about each stage listed there, what you and I might see now in the industry, and a few guesses/forward-looking statements about what might be done to further our progress over the next few years.

Comments

  1. I’m amused at how steps 5, 6 and 7 seem to come WAY after step 1 (if indeed they’re connected at all) … :-)

    Posted by: shrdlu on June 1st, 2009 at 2:34 pm
  2. @shrdlu – LOL, well obviously they don’t, it’s just rather unstructured. But you’re jumping ahead to the next post.

    Posted by: Alex Hutton on June 1st, 2009 at 5:07 pm
  3. Good point

    Posted by: Ordis on June 8th, 2009 at 11:36 am