The realities of risk

Stop thinking good security means trying to plug every hole, says Wayne Rash. If you realistically assess each risk, you can get some restful sleep--knowing some vulnerabilities still lie naked to the world.

As I started writing this, one of those ubiquitous bubbles that appear within Windows XP let me know that there were updates available for download. But rather than rush to download, I decided to wait until the wee hours when the network would be clear and the servers would be quiet. I'll take care of it then, I thought.

Or maybe I won't. Much depends on what the latest upgrade proposes to fix. Perhaps I'll let it just sit there until I have more free time, which should come soon enough. Why the lack of concern? The short answer is that I'm really not exposed to a lot of the risk that most Windows updates are addressing these days. The reason? Three levels of firewalls and a non-Windows network keep away almost all of the threats out there, regardless of the fact that my work PC runs Windows.

In other words, I'm considering the overall risk to my network, something far too few managers do. Instead, the approach in most shops is to react to every threat, no matter how remote, and to protect against every vulnerability, no matter how minor. While such an approach may be fine if you work for a company with unlimited resources and lots of extra staff, most of us don't. We have to pick our projects carefully, and give others lower priority.

Unfortunately, it's not always obvious, at least initially, which risks are serious. That's part of the reason why, when faced with vulnerabilities, managers simply try to fix them all. Too bad that doesn't actually work very well.

What's needed is a broader view of security that helps you figure out your actual risks, so your security budget is more effective. One person who takes such a broader view is Dr. Peter Tippett, CTO of TruSecure in Herndon, Virginia. According to Tippett, focusing on vulnerabilities solves only a portion of security problems. You also need to determine the likelihood of a threat actually affecting you, as well as the likelihood that a vulnerability will be exploited, and how much it would cost to fix it.
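To make the three factors Tippett names concrete (how likely a threat is to reach you, how likely the vulnerability is to be exploited once it does, and what the fix costs), here is a small added example of the kind of risk-ranking arithmetic a security manager can do before deciding what to patch. This is not code from the column or from TruSecure; the scoring formula (expected loss = threat likelihood x exploit likelihood x impact, compared with remediation cost) is a common quantitative-risk convention assumed here, and every number in the sample list is a constructed placeholder for illustration, not data from the page.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Exposure:
    """One vulnerability as it actually sits in *your* environment.

    The likelihoods describe your network, not the worst case in an advisory:
    a Windows hole behind three firewalls on a non-Windows network scores
    differently from the same hole on a PC sitting directly on the Internet.
    """
    name: str
    threat_likelihood: float   # chance per year that someone actually tries this against you
    exploit_likelihood: float  # chance the attempt succeeds given your existing controls
    impact_cost: float         # cost if it succeeds (cleanup, downtime, fraud), in dollars
    fix_cost: float            # cost to remediate (staff time, outage, new controls), in dollars


def expected_loss(e: Exposure) -> float:
    """Annualised loss you can expect from leaving this exposure alone."""
    return e.threat_likelihood * e.exploit_likelihood * e.impact_cost


def fix_roi(e: Exposure) -> float:
    """Dollars of expected loss avoided per dollar spent on the fix.

    Below 1.0 the fix costs more than the risk it removes; that is the
    number to show the finance staff.
    """
    if e.fix_cost <= 0:
        return float("inf")  # a free fix is always worth doing
    return expected_loss(e) / e.fix_cost


def prioritize(exposures: List[Exposure], min_roi: float = 1.0) -> List[str]:
    """Names of the exposures worth fixing, best return first."""
    ranked = sorted(exposures, key=fix_roi, reverse=True)
    return [e.name for e in ranked if fix_roi(e) >= min_roi]


# Constructed sample inventory; figures are placeholders, not measurements.
SAMPLE_EXPOSURES = [
    Exposure("unpatched public web server", 0.9, 0.6, 50_000, 500),
    Exposure("stored card data readable by staff", 0.3, 0.5, 200_000, 10_000),
    Exposure("Windows update on firewalled PC", 0.9, 0.01, 5_000, 200),
    Exposure("card numbers sniffed in transit", 0.01, 0.01, 200_000, 15_000),
]


if __name__ == "__main__":
    for e in sorted(SAMPLE_EXPOSURES, key=fix_roi, reverse=True):
        print(f"{e.name:40s} loss/yr ${expected_loss(e):>10,.0f}  roi {fix_roi(e):8.3f}")
    print("fix now:", prioritize(SAMPLE_EXPOSURES))
```

With these placeholder figures the firewalled Windows PC and the in-transit sniffing scenario both fall below the break-even line and can wait for a quiet night, while the exposed web server and the insider access to stored card data are the two that justify spending money this week. Changing one likelihood to match your own environment reorders the list, which is the point: the ranking belongs to your network, not to the vendor's advisory.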

A good example is the demand for encrypting credit card numbers sent over the Internet. The fact is, it's almost impossible to extract a credit card number from all of the traffic on the Internet, even if it's passed in the clear. It's so difficult that there's never been a documented case of it happening. The credit card thefts involving the Internet have all turned out to be everyday fraud, the result of inside jobs or the stupidity of merchants in protecting the data.

So why do we spend so much money plugging holes that don't exist or are unlikely to cause problems? Partly it's due to fear--we don't know for sure how big the risk is, and we don't want to take the chance of finding out first-hand. But it's also because risk assessment is difficult. It requires a lot of knowledge. For some companies it may require training staff or hiring a qualified consultant.

But once you find out what your risks really are, and quantify the cost of fixing what really needs fixing, you can also give the finance staff some real ROI numbers, which means you might get the money to make your enterprise safe.

This is my final column here on ZDNet's Tech Update. Over the last fourteen months I've heard from many of you, I've learned a lot from you, and I hope I've given you things to think about from time to time. I'll miss you and I'll miss writing this column every week, but new opportunities call. Thanks for reading.

Does your company conduct security risk assessments? TalkBack below or e-mail us with your thoughts.