I’m assuming the author wants us to read the title as “Things to Look Out For in Performing Risk Analysis” and not “Risk Management is Folly - Stop, Stop, Stop!” The former is fine, the latter isn’t supported by the evidence presented by the subjects of the article.
The subjects of the article are a good study from Wade Baker & Co. at Verizon, and a report from RSA’s Security for Business Innovation Council. Let’s take a look at each of these and examine why what they’re saying might contribute to poor risk management, shall we?

1.)  THE VERIZON REPORT

The Verizon report is an analysis of some 530 forensic investigations their company performed.  It is well worth your time as it’s chock full of interesting information.  As it relates to the Dark Reading piece, a coarse summary would be that “likelihood” is “different” for different people and so you can’t use the same “likelihood” across different industries.

Distilled through the lens of FAIR:

“different threat communities may be applicable based on Probability of Action factors which include: Value, Level of Effort and Risk (of Getting Caught).”

Or, even further distilled and in the words of my six year old son,

“Duh-uh”.

With regards to what I assume is the purpose of the article (What Doesn’t Work in Risk Analysis) this concept  seems just to rehash the old GIGO argument regarding risk analysis.  Great.  Can’t argue with that, nor it’s corollary QIQO (quality in, quality out).

But let me ask you -  is this really a problem common in your analysis?  Did reading this article make you go “Crap, we’ve been using data normalized across multiple industries in our analysis! They’re all wrong!”  Or have you already been accounting for the unique value proposition your company has to the specific threat community you’re worried about?  See, maybe I’m just not your average analyst, but even in my NIST/OCTAVE days, this has *never* been an issue for me.

Let me be specific, this is not a problem with Verizon’s very cool report.  It’s just that I don’t see what the big deal is.  This article is starting to feel like someone is running through the motions, trying to play the ” a crazy title gets people to read a boring article” game.

Speaking of cool reports - You know what would be cool?  I think it would be interesting to see is the quality of these companies’ “risk management process” established using good criteria,  and then correlated to the frequency and magnitude of real-world losses across the aggregate sample.  In other words, can we establish evidence that strong risk management practices not just reduce “risk” but also reduce actual incidents.

2.)  THE RSA COUNCIL “EXPLORES WHY LEGACY METHODS OF EVALUATING INFORMATION SECURITY RISK DON’T WORK IN TODAY’S CONNECTED WORLD, IN WHICH ANY NEW BUSINESS INNOVATION INHERENTLY CARRIES SOME LEVEL OF RISK TO INFORMATION.”

This report from the RSA council puts forth a seemingly obvious proposition, that risk must be balanced by reward.  Why is this news?  Now as I read the article it’s not clear if:

• The RSA Council is claiming that the CISO’s office should be the ones determining reward.  Absurd.

or

• Businesses aren’t doing a good job at determining risk and reward.

Let’s go with the latter.  So I’m pretty sure (good) businesses do a good job at estimating reward.  Businesses I’ve been a part of?  We LOVE(D) estimating reward.  We don’t tend to start projects all willy-nilly. No we tend to be careful to identify the size of the market and what it will cost to address the market.  So what could the problem be that this RSA council is trying to address?  Maybe it has to do with something like the following:

Yesterday, I got a demo of an IT-GRC application that shall remain nameless.  It seemed to be very good at the “C” bits - lots of information on regulations and expectations and even what sorts of controls would answer the regulations (which is goofy, but we’ll have to talk about that later).  It also gave you the ability to build workflow quite nicely.  But it measured NOTHING.  There really was no observable “G” and “R” was really Medium X Low X Low = High sorts of stuff.  So let’s use this relatively expensive tool as evidence of what your average CISO is armed with going into a Risk/Reward sort of meeting.  I imagine a nice board room with wood-grain paneling and glass bowls filled with little chocolate covered mints designed to give everyone involved in the meeting (CEO, CFO, CIO, CSO, VP S&M, etc…) a little sugar rush when needed and fresh breath.  The conversation goes a little something like this (apologies to Rich):

Business Guy Who Wants to Make Money Because That’s What Businesses Do: Based on market studies, we believe that initial gross revenues from the new product and technology rollout will be eleventy gazillion dollars based on a 37% market penetration in Scandinavia, alone.

CSO: Well now, we have a likelihood of “High” and a “C” impact of Medium, and an “I” impact of Low, and an “A” impact of “High” and because we are a (bank/hospital/retailer/basically any business that breathes anymore) we weight “C” by a factor of 2 - we multiplied those all together and got a “High”.

So can you guys delay the product rollout by 9 months and give me a bunch more money that’s not in the budget so that I can get this thing down to a “Medium”, please?

Again, I just don’t see the problem with Information Risk Management being that our businesses have no idea what the rewards of business might be.  Now maybe we need get a seat in that boardroom just to be able to talk about our “Mediums”, sure.  And maybe we’re infantile in our ability to describe our problem space.  But I cannot fathom that “Risk Management Doesn’t Work” because businesses haven’t been considering “reward”.

WHY RISK MANAGEMENT MAY  NOT BE WORKIN’ FOR YOU

Two meta-categories of causation:

• No skills

and/or

• No resources

Any ancillary “cause” can be mapped to one of these categories.  You could have significant resources but crappy models, and have conversations like our imaginary CSO, above.  You could have really good models and people trained and motivated to use them, but scarce time & money, so no conversation happens.

Now my question for you is - which does it make sense to acquire *first* to solve the “Why Risk Management Doesn’t Work” problems, skills or resources?

OnAir was chosen for A380 service, with the initial rollout--especially for international flights--using the 64 Kbps Inmarsat satellite offering, which is too paltry for anything but limited text communication. When the recently launched Pacific satellite is active--which may take up to a year--OnAir and Qantas can upgrade to the luxurious nearly 500 Kbps per channel service.

The head of OnAir is pushing some mighty serious horsehockey, however, when he says as quoted by Flightglobal that he "is confident that once the full service is up and running, passengers will be able to access the Internet 'in exactly the same way as they can on the ground.'" That may be the case in terms of access, but not in terms of cost. The cost will be enormously high unless OnAir has a magic deal with Inmarsat that's previously undisclosed. I suspect a per MB charge will be in effect that will discourage much use. Calls and texting could be carried over the same system, of course.

Qantas plans to continue to work with Aeromobile for domestic service, with calls and texting available, on their Boeing 767-300s and Airbus A330-200s, Flightglobal reports. Aeromobile has plans to launch a full Internet service later this year using cached and live content. [link via Fabio Zambelli]

Cablevision's already started its rollout: An observant tri-stater at the Cable Rant site spotted Cablevision installers putting up BelAir gear on their cable line. He took some photos.

The service will cost first-class passengers not a thing, but coach will pay €6.50 (US$10) per hour or €13 (US$20) for an entire trip. The train operator is initially equipping 7 trains, but will complete work on all 26 trains by October. Trip durations run from 1 hour 20 minutes to 3 hours.

Most impressively, the consortium that built the system is using a pretty modest antenna that moves automatically to stay in contact with the satellite. It's 80 by 72 cm (31.5 by 28.3 inches), and plans are to shrink that to something 2/3rds the height when a new dish is certified. Ultimately, IDG News Service reports, the group plans to use 3 cm (1 in) high phased-array antennas that would cover the train's roof. Very, very clever, as it jettisons any moving parts.

Three companies worked on the technology: Telenet, handling the billing and authentication, is a Belgian ISP that also runs hotspots; Nokia Siemens is a well-known systems integrator, and is providing some gear and handling installation and integration; 21Net, perhaps the least-well known partner, has the satellite technology.

This project dates back to at least 25-April-2005, a point at which 21Net and Nokia Siemens announced a successful test on the Thalys run from Brussels to Paris.

The companies also said that AT&T high-speed DSL and fiber customers will gain free access at 7,000 Starbucks starting May 1, but as other eagle-eyed readers have noted, that option is already available on any T-Mobile login page that anyone's written me about or I've seen. The difference will be that a separate SSID called ATTWiFi will be available as an option for network selection, presenting a different gateway page.