The long view of security strategies for your network.
Peter de Jager has a long history of contributing to the management of information technology. I first ran into him in the early 1990s, when he was one of the first professionals to warn, calmly, that much of the software we were running then was still using two-digit years to represent dates in the 20th century. After the end of 1999, those two-digit dates would be 100 years out of sync. This difficulty became known as the Y2K problem. Because of the enormous efforts of people like Peter de Jager and the programmers and their managers who paid attention to the issue and fixed the programs, we all survived the turn of the millennium quite well. And let me say now that I have nothing but scorn for the naysayers who claim that there never was a problem because there was no problem. That's like claiming that replacing the broken nuts on a car wheel had nothing to do with preventing the wheel from falling off at highway speed.
But today, I want to draw readers' attention to an excellent 50-minute lecture available online by Peter de Jager about risk management. "A Ramble through Gambles: A Look at Risk Management" was delivered live on Sept. 30, 2010, and the recording is now available for anyone to download free as 38MB WMV or W4V files with sound and images from his Webinar Central directory. The podcasts are even available free through iTunes.
The Webinar abstract includes this brief description:
Risk management is, in a word, complicated. Hmmm... not strong enough – make that two words, it's extremely complicated.
It's complicated because it deals with at least three totally different forms of ignorance. We also need to take the psychology of risk perception into account, something that differs wildly from one person to the next. On top of this mess, we can throw on the social culture surrounding risk. The result? A topic convoluted enough for a lifetime's worth of study.
For all the above reasons and ones I haven't mentioned yet, there is no consistent measure of what is a 'good' risk vs. what is a 'bad' risk. A risk I am more than willing to take might be something that you'd never take. More frustrating? The risks I assume in a specific endeavor are not the same risks you assume when you attempt the exact same action!
The lecture starts with a clear example of applying expected value theory to the optimal allocation of resources, using a small example with simple probabilities. He shows that if we know something about the threats we face and have an expectation of how much we can reduce each of them, we can start by reducing the largest threat and then iterate, locating whichever threat is currently the largest for the next round of reduction.
Next, in "Getting out of the Pit," he points out that we often lack exact awareness of the risks involved in a particular process and suggests three frameworks for brainstorming about risks: analysis of strengths, weaknesses, opportunities and threats (SWOT); political, economic, social, technical, legal and environmental (PESTLE) analysis; and business, political, economic, social, and technological (BPEST) issues.
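The iterative "reduce the largest threat, then find the new largest" procedure is easy to run as code. The following is an added example written for this column, not code from de Jager's lecture or from its slides; the three threats, their probabilities, impacts, reduction factors and mitigation costs are constructed, made-up numbers. It ranks threats by expected loss (probability times impact), spends a fixed budget one mitigation round at a time on whichever threat currently has the largest expected loss, and recomputes after every round. As a comparison that goes beyond the lecture's ordering, the same function can instead pick the threat with the largest expected-loss reduction per dollar, which is what a practitioner usually wants once mitigation costs differ widely.

```python
"""Greedy allocation of a mitigation budget by expected loss.

Added example; not from the lecture. All threat figures below are
constructed for illustration only.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float  # chance the loss event occurs in the planning period (0..1)
    impact: float       # loss if it does occur, in currency units
    reduction: float    # fraction of the probability removed by one round of mitigation
    cost: float         # cost of one round of mitigation (must be > 0)

    @property
    def expected_loss(self) -> float:
        # Expected value of the loss: probability times impact.
        return self.probability * self.impact


def mitigate(t: Threat) -> Threat:
    """One round of mitigation: the probability shrinks, the impact is unchanged."""
    return replace(t, probability=t.probability * (1.0 - t.reduction))


def allocate(threats: List[Threat], budget: float,
             by_efficiency: bool = False) -> Tuple[List[str], float]:
    """Spend `budget` one mitigation round at a time.

    Each round treats the affordable threat with the largest current expected
    loss (the ordering de Jager describes). With by_efficiency=True it instead
    treats the one with the largest expected-loss reduction per unit of cost
    (a common refinement, not from the lecture). Returns the order in which
    threats were treated and the residual total expected loss.
    """
    assert all(t.cost > 0 for t in threats), "zero-cost mitigation would loop forever"
    current: Dict[str, Threat] = {t.name: t for t in threats}
    order: List[str] = []
    remaining = budget

    if by_efficiency:
        key: Callable[[Threat], float] = (
            lambda t: (t.expected_loss - mitigate(t).expected_loss) / t.cost)
    else:
        key = lambda t: t.expected_loss

    while True:
        affordable = [t for t in current.values() if t.cost <= remaining]
        if not affordable:
            break
        target = max(affordable, key=key)
        if key(target) <= 0:  # nothing left that is worth spending on
            break
        current[target.name] = mitigate(target)  # re-rank on the next pass
        remaining -= target.cost
        order.append(target.name)

    residual = sum(t.expected_loss for t in current.values())
    return order, residual


# Constructed sample threats (illustrative numbers only).
SAMPLE_THREATS = [
    Threat("ransomware", probability=0.30, impact=500_000, reduction=0.5, cost=40_000),
    Threat("insider",    probability=0.10, impact=800_000, reduction=0.4, cost=60_000),
    Threat("ddos",       probability=0.60, impact=50_000,  reduction=0.7, cost=10_000),
]


if __name__ == "__main__":
    for policy in (False, True):
        order, residual = allocate(SAMPLE_THREATS, 110_000, by_efficiency=policy)
        label = "reduction per dollar" if policy else "largest expected loss"
        print(f"{label}: treated {order}, residual expected loss {residual:,.0f}")
```

With the sample figures, largest-first spends the first round on ransomware (expected loss 150,000), but after that round ransomware's expected loss has fallen to 75,000, so the second round goes to the insider threat (80,000), exactly the re-ranking the lecture describes. The efficiency variant treats the cheap DDoS mitigation first and ends with a lower residual for the same budget, which is the caveat worth remembering: largest-first is only optimal when every mitigation costs about the same.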
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.