funsec mailing list archives

Re: More bad news for risk management

From: Stephanie Daugherty <sdaugherty () gmail com>
Date: Sun, 19 Aug 2012 12:25:22 -0400

Reading comprehension fail.  Tomas's point is that yes, often there *is* an
engineering solution.  But if you invest $250K in an engineering solution
for a
problem that only risks $100K loss, you're being stupid.  At that point,
just
making a note that you have a potential $100K liability and getting on with
your life *is* the proper way to manage that risk.

(Of course, if the engineering solution only costs $10K, then yes it
should be
pursued.  But only when it costs less than just ignoring the risk).

This is still oversimplification though. The remaining factor is what
the likelihood of that risk actually happening is. A $10K solution to a
$200K problem that will "probably never happen" is still often seen as
money being thrown away.

Even If a serious risk analysis and quantification actually takes place (1
in 10000 chance per year over 20 year service lifetime, blah blah blah) ,
it may still be seen as not worth fixing. Nevermind the fact that the risks
evolve through legislation, an a 1 in 10000 security event before
everything was connected to the internet is now closer to a 1 in 100 or
even 1 in 10.

IMHO, Some of the most effective cyber-security regulation efforts
basically fix this through little more than amplifying the cost of failure
to where it can't be ignored - case in point, HIPPA and PCI. Both are
designed to potentially be open ended money pits for companies that get
breached - hopefully restoring fear of risk to where it needs to be, while
trying to spell out a set of good practices that if followed, might let
companies off the hook for the sort of failures they can't reasonably
defend against.

These aren't perfect rules, but they are a good general direction as far as
making companies take risks seriously.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

Current thread:

More bad news for risk management Rob, grandpa of Ryan, Trevor, Devon & Hannah (Aug 14)
- Re: More bad news for risk management Tomas L. Byrnes (Aug 16)
  - Re: More bad news for risk management Jeffrey Walton (Aug 18)
    - Re: More bad news for risk management valdis . kletnieks (Aug 19)
    - Re: More bad news for risk management Stephanie Daugherty (Aug 19)
    - Re: More bad news for risk management Jeffrey Walton (Aug 19)
    - Re: More bad news for risk management Jeffrey Walton (Aug 19)
    - Re: More bad news for risk management Tomas L. Byrnes (Aug 19)