In a previous blog post, Information Security Maturity, I mentioned that organizations with mature information security management programs have policies that govern the enterprise, systems, and issues. When implementing those policies, it is common to try to quantify risks in order to prioritize actions and costs, such as remediation or replacement efforts, since organizations need to manage their level of risk and exposure.
Rafal Los (AKA Wh1t3Rabbit) recently blogged about the problems with risk quantification, particularly the use of likelihood of exploitation and cost of exploit, in risk calculations. On the surface, it makes sense to estimate the probability of a problem being exploited and the ensuing cost of exploitation. However, as Rafal points out, attackers are not static entities. A determined attacker with significant resources and skills may be able to take a low-probability exploit and leverage it into something useful. Additionally, a minor issue could be one element exploited by an attacker as a stepping-stone in a more significant attack.
In a Twitter conversation started by Jeremiah Grossman, Pete Lindstrom argues for building a matrix with volume of activity, size of attack surface, budget, cost of fix, ease of exploit, and cost of exploit rather than simply plugging information into a formula and getting a single, static number that pretends to quantify an issue's risk.
My concern is that, even with a matrix-guided approach instead of a simplistic quantifier, an organization still needs to continually re-evaluate the risk matrix in light of real-world exploit activity. For example, a low-priority, low-risk issue should be revisited when it becomes apparent that it could somehow be involved in major attacks.
In summary, it seems organizations require information security domain knowledge, regular contact with information security professionals in their industry, and up-to-date situational awareness to effectively maintain their security posture. What thoughts do you have about how to prioritize and manage risk in a dynamic threat environment?