Comments on: The Risk of Too Much Risk Management http://www.cigital.com/justiceleague/2007/10/26/the-risk-of-too-much-risk-management/ The Cigital Software Security and Quality Blog Fri, 8 Aug 2008 19:02:43 +0000 http://wordpress.org/?v=2.0.11 by: Tom Hunter http://www.cigital.com/justiceleague/2007/10/26/the-risk-of-too-much-risk-management/#comment-3397 Mon, 05 Nov 2007 23:31:28 +0000 http://www.cigital.com/justiceleague/2007/10/26/the-risk-of-too-much-risk-management/#comment-3397 Good article. I think "risk management" get a bad wrap some times and if fact can be misconstrued for "business management". That said, "risk management" should be viewed as a competency and not a function. Risk comes in many flavors and is a part of any activity out there. I think it will take some time before people strat believing this, however. Good article. I think “risk management” get a bad wrap some times and if fact can be misconstrued for “business management”. That said, “risk management” should be viewed as a competency and not a function. Risk comes in many flavors and is a part of any activity out there. I think it will take some time before people strat believing this, however.

]]> by: Justice League » Blog Archive » Additional Thoughts on “The Risk of Too Much Risk Management” [Cigital] http://www.cigital.com/justiceleague/2007/10/26/the-risk-of-too-much-risk-management/#comment-3388 Mon, 05 Nov 2007 15:29:24 +0000 http://www.cigital.com/justiceleague/2007/10/26/the-risk-of-too-much-risk-management/#comment-3388 [...] Cigital Home > Resources > Blog « The Risk of Too Much Risk Management [...] […] Cigital Home > Resources > Blog « The Risk of Too Much Risk Management […]

]]> by: RiskAnalys.is http://www.cigital.com/justiceleague/2007/10/26/the-risk-of-too-much-risk-management/#comment-3308 Tue, 30 Oct 2007 14:58:10 +0000 http://www.cigital.com/justiceleague/2007/10/26/the-risk-of-too-much-risk-management/#comment-3308 <strong>Proper Risk Analysis *Can’t* Mean Unnecessary Controls</strong> Sammy Migues over at the “Justice League” blog from Cigital has written an interesting article on “risk management”.  Basically, he’s saying that we can have too much of a good thing.  Too much risk management creates to... Proper Risk Analysis *Can’t* Mean Unnecessary Controls

Sammy Migues over at the “Justice League” blog from Cigital has written an interesting article on “risk management”.  Basically, he’s saying that we can have too much of a good thing.  Too much risk management creates to…

]]> by: Sammy Migues http://www.cigital.com/justiceleague/2007/10/26/the-risk-of-too-much-risk-management/#comment-3298 Mon, 29 Oct 2007 16:06:58 +0000 http://www.cigital.com/justiceleague/2007/10/26/the-risk-of-too-much-risk-management/#comment-3298 Gratuitous firewalling, proxies in intranets to control surfing, huge logging systems that actually slow down internal applications, etc. I've seen a lot of these happen, not for security purposes, but to control undesirable behavior. Of course, and in my opinion, putting in onerous security controls as the primary method used to catch or deter undesirable human behavior is yet another morass. Gratuitous firewalling, proxies in intranets to control surfing, huge logging systems that actually slow down internal applications, etc. I’ve seen a lot of these happen, not for security purposes, but to control undesirable behavior. Of course, and in my opinion, putting in onerous security controls as the primary method used to catch or deter undesirable human behavior is yet another morass.

]]> by: Sammy Migues http://www.cigital.com/justiceleague/2007/10/26/the-risk-of-too-much-risk-management/#comment-3293 Mon, 29 Oct 2007 13:54:47 +0000 http://www.cigital.com/justiceleague/2007/10/26/the-risk-of-too-much-risk-management/#comment-3293 It undoubtedly does happen in every field. I'm sure there are doctors, lawyers, investors, betrotheds, heads of state, shy teenagers, and millions of others at this very minute looking for one more scrap of information before making a decision. And for many of them, it may be the right thing to do (let's run one more test before amputating). And for others, it may work out okay even if they should have acted sooner (you could have received 0% interest rate last week, but it's only 2.9% now). I think one of the key points here is that when something is a science, we can know or reasonably postulate that there *is* more data that will help us and that we can likely *get it* and then *use it*. "InfoSec," having not reached the evolutionary level of science, often cannot be a "fact-driven" endeavor. Either you get it or you don't. And I'm sure that happens in every field also. Thanks. It undoubtedly does happen in every field. I’m sure there are doctors, lawyers, investors, betrotheds, heads of state, shy teenagers, and millions of others at this very minute looking for one more scrap of information before making a decision. And for many of them, it may be the right thing to do (let’s run one more test before amputating). And for others, it may work out okay even if they should have acted sooner (you could have received 0% interest rate last week, but it’s only 2.9% now).

I think one of the key points here is that when something is a science, we can know or reasonably postulate that there *is* more data that will help us and that we can likely *get it* and then *use it*. “InfoSec,” having not reached the evolutionary level of science, often cannot be a “fact-driven” endeavor. Either you get it or you don’t. And I’m sure that happens in every field also.

Thanks.

]]> by: Dave Aronson http://www.cigital.com/justiceleague/2007/10/26/the-risk-of-too-much-risk-management/#comment-3292 Mon, 29 Oct 2007 12:29:30 +0000 http://www.cigital.com/justiceleague/2007/10/26/the-risk-of-too-much-risk-management/#comment-3292 "[W]ait[ing] for every possible scrap of data" is just the security equivalent of a well known software engineering "antipattern", Analysis Paralysis. Happens in every field, probably.... -Dave “[W]ait[ing] for every possible scrap of data” is just the security equivalent of a well known software engineering “antipattern”, Analysis Paralysis. Happens in every field, probably….

-Dave

]]> by: Mike Coon http://www.cigital.com/justiceleague/2007/10/26/the-risk-of-too-much-risk-management/#comment-3236 Fri, 26 Oct 2007 19:43:28 +0000 http://www.cigital.com/justiceleague/2007/10/26/the-risk-of-too-much-risk-management/#comment-3236 I totally agree on the 'badness' of poorly considered security. The example of personal questions and image identification really hits home as we have a banking customer that requires responses like 'characters 2,3,5, and 7 of your password. Way too onerous for the guy that wants to get in a check the balance on his card. I've also seen a lot of gratuitous firewalling within corporate networks that just adds a lot of friction to the workday. Good Article, Mike I totally agree on the ‘badness’ of poorly considered security. The example of personal questions and image identification really hits home as we have a banking customer that requires responses like ‘characters 2,3,5, and 7 of your password. Way too onerous for the guy that wants to get in a check the balance on his card.

I’ve also seen a lot of gratuitous firewalling within corporate networks that just adds a lot of friction to the workday.

Good Article,

Mike

]]>