Quantifying risk (and why we are so bad at it)

By Peter Bassill

Part of the problem is our understanding of what risk is and how it can affect the day-to-day operation of a company, especially in a new and evolving area of risk. Our perceptions are warped by lack of knowledge, competing priorities and cost considerations. Organisations invest in CCTV, security guards and complicated access systems for their physical assets, but they rarely give the same level of attention to their collected data.

An SME can quite easily recover after a warehouse break in where computers, stock or even vehicles have been taken. However, if a company’s data has been compromised and client details have been lost, operations may continue but organisation’s reputation could be so badly damaged that the business dies. When they are victims of cybercrime, businesses lose more than revenue, they lose credibility.

It is in our nature to over-react to intentional actions, actions that offend our morals and immediate threats, and under-react to accidents, abstract events or long-term threats. This is a fundamental idea developed by security specialist Bruce Schneier. We also exaggerate spectacular but rare risks, yet struggle to estimate risks in unusual circumstances; for instance, individuals tend to worry more about anthrax than about the common flu, although the latter one kills thousands more people each year.

Thus, data breaches, where no directly threatening event takes place, no one is hurt and there are no missing physical assets, may seem so much less dangerous, less likely. These cyber frauds also have the appearance of impersonal events, unusual in the way they occur and unspectacular in most cases – no loud alarms, broken windows or missing items. Is it any wonder that company CEOs find data security low on their list of priorities?

It has been said that with risk assessment, we can only gauge the risks we know about, and we can’t estimate the unknown. But we have to try, so asking for specialist help may seem like an unnecessary cost for many businesses, but the vulnerabilities are often concealed and hard to evaluate. Thus, an outside objective assessment will help shed more light.

But perhaps the most important thing is to acknowledge that no organisation is inherently safe thanks to its size, location or industry sector. Once this idea reaches home, provisions for improvement of security procedures can become truly effective.

About the author

Peter Bassill is managing director and CEO of Hedgehog Security, an information security and penetration testing specialist. Peter’s expertise extends from risk management and security to business development. A trusted adviser to a number of UK organisations including Microsoft, Peter is also a frequent keynote speaker at international information security events such as RSA and Infosec Europe. Peter sits on the ISACA Cyber Security Board and is one of Microsoft’s trusted advisors for cyber security.

About Hedgehog Security

With over 100 years’ worth of accumulated information security consulting, gained across a variety of sectors, Hedgehog Security helps businesses to secure people, processes and technology in a continually evolving digital world. The company offers creative information security consulting solutions across the security sphere that can be applied to any business, enabling customers to save vital capital, increase their profit and avoid unnecessary regulatory, compliance and legal issues. The company specialises in penetration testing, virtual Chief Information Security Officer (CISO) and My Information Security Officer (MISO).






Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s