Rigorous Quantitative Analysis of Inherent and Residual Risk
Speaker: Rachael Lininger
“Inherent risk” is usually defined as “the risk in the absence of controls,” but that doesn’t actually make sense in information security. What are these free-range assets, gamboling across the internet without protection? What usually happens is we assume some controls – it’s on our network; we’re using reasonable protocols; maybe people log in somehow. But are you assuming the same controls that I’m assuming? This is rarely documented, though we can spend a lot of time after an assessment clearing things up – or explaining how we picked a particular starting point for reducing our risk (and justifying control budget). There has never been a good answer to this problem, and redefining the terms in ways contrary to the language causes more confusion than it solves. However, there really is a simple, elegant solution; you might already be doing it, implicitly. Putting it into words allows us to bring the full power of math to our analyses of inherent and residual risk and explain ourselves to others in a clear and actionable way.