Cool as McCumber: Risk- A Four Letter Word with Three Levers

Aug. 24, 2012
Effective risk management should go beyond simple vulnerability

A security colleague of mine made an interesting observation via a recent tweet. He linked us to an article about a series of burglaries in his neighborhood, and artfully pointed out the article discussed this security problem from a completely threat-based perspective. The article explained in detail how the police gathered information, then pursued the thieves until they were caught and put in jail.

Nothing was written about how the local residents needed more or better locks, or how they needed to pay for expensive alarm monitoring services. The security problem was resolved by apprehending the burglars and incarcerating them.

What is threat-centric security? In order to be able to dissect that concept, it is important to review the basics of security. Security is word that defines an ideal. In that sense, it’s like the word love. Are you married? If so, do you love your spouse? How much? Do you love your dog? How do you know? Coming up with answers to these questions are difficult. Measuring the answers is impossible.

As security professionals, we get asked: Is that system secure? Can it be compromised? How difficult would it be to penetrate system defenses and exploit data assets? How do you know? Fortunately for us, the questions are slightly easier than trying to define love. We have the luxury of using the risk model.

The concept of applied security really revolves around the relative likelihood of risk realization. A risk exists when an environmental or human threat can exploit a vulnerability to compromise an asset or mission. If any one of these three factors (threat, vulnerability, asset) is eliminated from the equation, the risk ceases to exist; however, as we all know, there are always threats, a voluminous number of vulnerabilities, and there are always assets and data to protect and manage. That’s why the security profession will always be an important one.

The security practitioner can implement a variety of safeguards to mitigate and manage risk to an acceptable level. A safeguard can be employed to reduce or eliminate a threat, vulnerability or even an asset, or any interrelated combination thereof. These safeguards can be chosen from three categories: technology, policy and procedures, or human factors. It’s a great way to picture the issues at hand.

If you look at a large-scale security program like our feckless Transportation Security Administration, you see a multi-billion dollar organization illogically weighted toward vulnerability-centric solutions. If you travel overseas, you will notice that in countries such as Israel, transportation security is focused on identifying and neutralizing terrorists — the human threat.

In America, we spend an apparently unlimited amount of tax money searching luggage and passengers for knitting needles, cigar lighters, scissors, water bottles, and pen knives, while irradiating travelers to expose what’s under their clothes. Their shoes are singled out for special radiation treatment.

While I was waiting in the security line at one U.S. airport, a TSA agent stated loudly to the patient throng standing in line to be scanned, “You have Richard Reid to thank for taking off your shoes.” I replied to him in a loud voice, “Yes, and more recently there was an underwear bomber that tried to blow up a plane. Why do you still focus on my shoes and not my underwear, too?” He turned and slinked away as a large contingent of weary travelers tittered and guffawed.

There will always be a nearly limitless supply of potential vulnerabilities — whether we are considering airline travel or computer systems. As one gets knocked off the list, three more are added. To manage an effective security program of any stripe, you have to seek out the proper mix of risk mitigation strategies to include threats and assets in addition to the standard vulnerability model.

We rely heavily on vulnerability-centric security for a variety of reasons, but the two key influencers are the legal and cultural concerns with threat identification/management and the assumption that assets are always fixed or growing. These two concerns can often be overcome by comprehensive planning and sound risk management implementation.

What does that mean to you?

Remember that in effective risk management, you have three big levers to pull to mitigate and manage your organization’s security: threats, vulnerabilities and assets. In order to be effective, you need to consider carefully all three, and ensure you’re leveraging all three as part of the solution. Next time you read of a security incident, consider if it was centered around a threat, a vulnerability or an asset. Learn to spot the differences, and recognize when your safeguards are out of balance. 

John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. E-mail him at [email protected].