QOTD - Baker on Risk Models

Wade Baker, of Verizon Risk Intelligence, replying to a post on the Security Metrics mailing list about whether risk models are useful for non-tangible assets (human life or infosec assets that can't easily be quantified):
Having an impact that is extremely high (i.e., human life) doesn’t invalidate the use of a risk model. If the probable impact is so high as to be intolerable, that simply means that risk level is intolerable regardless of threat frequency (which means keep spending money). Of course, the question is whether the impact of something (even human life) is truly intolerably high. The government enters wars knowing that life will be lost. I drive my family around in a car knowing there’s a chance of a fatal accident.

As to [whether] the financial models don’t work because governments don’t have profit – governments spend the money of the people. I’d be quite happy if the government spent my money as though they had to be mindful of operating in the black.

Reprinted with permission of the author.
