SecurityCurve Weblog

Risk Management: You're Killing Me

So, I hadn't cracked open Google Reader in a while, and I found out that there's been some very large talk behind my sleeping back. For one, I had missed a conversation between Alex over at RiskAnalysis.is and Chris over at How is that Assurance Evidence?. All in all, a really good discussion.

Now, I won't get into the specific points of this discussion, other than to encourage folks to read the original discussion (Chris) and then to read Alex's replies. However, Chris hits on a really good point that really got me thinking, and I do think points to a flaw in the way that a lot of us are doing risk management. Namely, when we break a system down into it's various components, we often don't take into account the impact that a given component has on the overall system.

It's easiest to illustrate this by example. Take a car - if I'm analyzing the risks associated with the headlights, I might have a bunch of assumptions about them. I might have certain assumptions about the impact of a failure in that system - I might say, "well, they're not required to make the car move, they're only needed for night driving, etc." But if they fail, and it's night, the whole system (the car) is non-functional. In short, the whole system is impacted because of a failure of a given part. Now, you might say, "but our risk models are supposed to account for that." But the truth is that in practice they don't. Most of the time, the folks who are creating the models don't have all the data about what the system is used for. They might conclude that because the car won't stop, that the risk level of the headlights is small. They might not know anything about night driving vs. day driving and that you won't be able to drive at night without the lights.

Anyway, I'm going to need to mull this over a bit more, but thanks to Alex and Chris for a very interesting discussion.