I was told today that the U.S. Government no longer supports the use of risk analysis in the IT environment. Now it's risk assessment and risk management. Good for them! If Uncle Sam is tossing out IT risk analysis on the basis that it has no credibility, I'm on the team. But if this is just weasel words and "assessment" means "asset-based analysis," shame on them.
The notion of analyzing IT risks based upon bogus input data simply does not fly. Gathering asset-based data in an environment where one cannot even identify all of the information assets consistently doesn't exactly lend credibility to a mathematical analysis using that data. Adding insult to injury by expecting opinions of interested parties regarding the loss expectancy from a compromised asset is equally unsatisfactory. The reasons we've been doing this for years are, actually, pretty clear. First, it's all we had back in the early days. Second, "we've always done it that way," and third, managers demand numbers. So we cobble something together, the suits smile sweetly, the auditors tick their boxes, and everyone is happy, including the bad guys. Today, I saw the light at the end of the tunnel.
We should follow, at least in part, the government's lead. Of course, looking at NIST's Special Publication 800-30, one gets the distinct impression that risk assessment and risk analysis are one and the same, but no matter. One also does not see any references to the wonders of asset-based analysis. For that, if for nothing else, the document gets an A+ in my book.
The NIST approach is based upon integration of risk analysis into the software development lifecycle process. That is important as it emphasizes the need to consider risks at all stages of software development. It is a clear and loud acknowledgement that one is far better off, functionally and economically, if one implements security controls early in the game.
The NIST approach also takes into account the management of risk, another giant step forward. If for no other reason than that this special publication points out the crying need for alternatives to the same old risk management and analysis techniques, it deserves your consideration. It's time to explore new and more reliable techniques. The NIST approach certainly is one of those and worthy of your perusal.
Peter Stephenson is director of information assurance for CeRNS, The Center for Regional and National Security, at Eastern Michigan University