Here's something to wrap your head around (or more literally, put in your head) as you head to NIST on April 3rd to make your contribution to the Critical Infrastructure Cybersecurity framework development process, an effort begotten by the recent Presidential Executive Order.
Many in our community love to talk about risk management as the common sense, business oriented antidote to the mandatory and therefore inflexible and slow moving instructions in the NERC CIPs.
You could certainly put me at least half in that camp. Well, after reading THIS sharp Brookings paper from Ralph Langner and Perry Pederson, that half of me is feeling a little wobbly.
Want to see if you can handle it? Let's see you go for a round with them. They begin with a jab -- the DHS definition itself:
The following is a definition of risk-based decision making from appendix C of the Department of Homeland Security’s Risk Lexicon: “Risk-based decision making is defined as the determination of a course of action predicated primarily on the assessment of risk and the expected impact of that course of action on that risk.”
And then counter with a flurry of lefts to some assumptions, a series of rights to some more, and finish with a big left to the whole foundation upon which cyber risk management normally rests:
The basic assumption embedded in this and all risk formulae is that unknown future events of an unknown frequency, unknown duration, unknown intensity, from an unknown assailant, with unknown motivations, and unknown consequences are quantifiable. Consequently, if one thinks s/he can measure the risk, the mistaken conclusion is that one can manage the risk.
I'm trying not to be overly swayed by this one article, but it's certainly going to be something I try to keep in main memory while at the workshop. Hope it helps inform your thinking too.
BTW (late addition): I just realized this post ends on a bit of a down note and I don't want to leave you there. If you can make it to page 8 you'll find Pederson and Langner pivoting towards their recommended solutions to replace risk management-based decision making. You'll see these fall into three P's: 1) Politics, 2) Practicality and 3) Pervasiveness. I myself haven't made it there yet but intend to before nightfall ... tomorrow.
P.S. have you ever tried boxing? I have a little, and it's a blast, and super hard, and exhausting. But you know one thing it's easier than? That's right, you've got it.
Photo credit: Wikimedia Commons