Why risk management doesn't always work
I really believe that information security is about the business and we need to bring the business together, specially when doing risk management. But doing risk management together with the business is not always pretty and easy. There are two factors that can make it a real nightmare: The "pointy-haired boss factor" and the Threat Level business point of view.The pointy-haired boss factor is easy to understand if you read Dilbert and you feel that those characters are really based on real people. Remember that sometimes people that we call "the business" are people like the pointy-haired boss, not only on their intelligence level but also on their way to find "smart solutions". I can remember a dozen situations where a security issue was exposed to a business person and this person decided to "solve" the problem in a weird way, usually bringing more problems than solutions.Besides dealing with stupid people (don't you feel they are everywhere?), there is another problem that often appears when we are doing risk management with the business: the Exposure Factor. As we know, Risk can be translated into Probability of Occurrence x Impact. The probability of occurrence can be seen as the result of two factors, Threat and Vulnerability. Information security professionals usually provide these factors during a risk assessment, but the business usually want to put their opinions about the Threat Level. This that famous "nobody will try to do that" line. Even with all our knowledge about what's happening around the world, they still don't believe in the information we provide. So they will mess with the calculations in a way the numbers will be more like their beliefs. The risk based decisions are compromised.Risk management can't be done without the business. However, when doing that, beware of PHBs and TLBPOVs. They can ruin everything.