Risk analysis is not the favorite activity of most IT security pros, and it's certainly not mine. Aside from being a rather dry subject, it carries an air of artificiality far removed from buffer overflows, open ports, and unpatched systems.
So-called experts on information security risk analysis have put forth several quantitative methodologies for identifying assets that need protection, evaluating threats to those assets, and estimating losses that might result from those threats. However, it's not uncommon to be off by an order of magnitude, high or low, when estimating the cost of losses associated with an incident, which makes all those formulas and methods impractical for in-the-trenches IT security pros. But what should we be doing instead?
Making Choices
Despite the inaccuracies of painstakingly developed methods of evaluating risk, fundamental, commonsense principles of risk analysis have value for everyone working in information security, particularly when it comes to making decisions about what you spend time and money on. The first thing to recognize is that resources have limits. It's an illusion to think that you can prevent every possible risk. Trying to do so would be a disservice to you and your organization. . . .