In my mind, this is an endorsement of the Donn Parker approach to risk management which is to not manage risk. It is like suggesting that a fundamental truth about the universe can simply be ignored.

Even advertising can’t get away without some sort of measurements of its effectiveness. If marketing came to the CEO and said “I want to spend X more for this program” and had no metrics to back up what sales, profit, good will, or something that that program had generated last year, nor any prediction for what it might generate this coming year, probably no more money would be forthcoming. Yet IT security operates like that.

There is one glaring problem with this line of reasoning – it is impossible to ignore loss expectancy and asset valuation in risk management.
This is as fundamental a problem as we have in information security today.

— On Value and Loss, by Pete Lindstrom, Spire Security Viewpoint, 18 April 2007
Pete continues:
The truth is: whether you like it or not, every decision made in your life is based on value judgement. Philosophers wax profoundly about this; economists work to measure it. In information security and risk management, you can be either a philosopher focused on some intangible value associated with the inner peace of managed risk or you can be an economist working to understand the IT environment so it can be properly characterized and assigned some level of scale. In either case, you are acting within the realm of value and tradeoffs.

Well, you need both, or you end up going to China without considering the blowback that might be associated with turning over personal information to the government there. But IT security generally doesn’t have the economic part worked out.
With quantification of value and probable loss we’d have better risk management.
-jsq