[ISN] Bad Decisions Made Faster: How Qualitative Security Risk Assessments Are Making Things Worse

https://blogs.rsa.com/bad-decisions-made-faster-qualitative-security-risk-assessments-making-things-worse/?utm_source=rss&utm_medium=rss&utm_campaign=bad-decisions-made-faster-qualitative-security-risk-assessments-making-things-worse By Derek Brink blogs.rsa.com March 19, 2014 Once there was a leadership team that was exceedingly fond of using risk assessments to make business decisions about information security. The team cared little for detailed discussions about threats, vulnerabilities, technical exploits, or a host of potential security controls. They wanted their subject matter experts on information security to explain clearly how their recommended investments in security controls would actually reduce the company’s risk, and they ultimately wanted to make decisions based on the amount of risk the company was willing to accept. Many security professionals, as well as many security vendors, tried but failed to communicate in this way and fell back into their old bad habits, frustrating everyone. But one day some pretenders came along, who let it be known that that they could conduct qualitative (and even “semi-quantitative”) security risk assessments that could be easily understood by the leadership team. Their security risk assessments were presented using bright colors, and had the property of being understood by virtually everyone. The pretenders were supported by a third-party advisor and highly trusted by the leadership team, who vouched publicly for their approach. Does any of this fractured fairy tale sound familiar? It’s based, of course, on Hans Christian Andersen’s classic story, The Emperor’s New Clothes. You can write the end of the story yourself. In spite of their misgivings, everyone goes along with the charade