I've always been interested in security strategy and decision making. Although I worked with the committee representing Brazil in the ISO/IEC groups responsible for the 27000 standards family, I've always been sceptical about risk assessment based models. I've worked in several risk assessment projects, initiatives and processes, and I found they always end up being just a disguise for guesstimates, personal opinion, or just backwards justification of numbers ("The risk is high, now let's find out the variable values that justify it"). On the other hand, the proposed alternatives always looked like a good fit only for specific situations or contexts, never being able to completely replace the risk assessment based methodologies.
The other day I was reading "The Grand Design", by Stephen Hawking and Leonard Mlodinow. Hawking goes through the recent advances in theoretical physics and the quest for a Great Unified Theory of everything, a theory that would be able to put together Einstein's relativity and quantum mechanics. He ends up saying that we may never find something like that, but that the current set of theories we have would work exactly like that, each one being used for its specific context. Isn't that cheating, you might ask?
No, if we think of those theories as nothing more than models trying to represent reality. Like the flat maps we use every day, even knowing the Earth is round, models can be useful even if they are not 100% accurate. They only need to be as accurate as our needs. We don't even know if it's possible to build the ultimate perfect model (we could be in a position in the universe that would not allow us to identify the missing stuff, like additional dimensions), only approximations. That's a very valid argument for me, and I immediately thought it has its parallels in information security too.
So, does that mean we won't find the perfect model for information security? Yes, it may. I believe we will never be able to build a complete (and useful) model of information security, but we can build a set of models that can be used in specific contexts to drive our efforts in a more effective way. Risk assessments might not be useful in some contexts, but they are certainly more useful where good data is available for the variable values in the risk equation. Threat modeling, compliance/baseline based security, everything can be used together as a set of models that help us improve security, with empirical data and metrics to measure verifiable results.
And what's the perfect mix of models? Where should we use each of those tools? I don't know, but accepting that we might have to use all (or many) of them to get what we want seems to be an important step in the right direction.
And let the RSA discussions begin!