What does risk mean? That was the topic du jour for the “Risk Management Smackdown” at the RSA Conference.

Tackling this constantly discussed issue were the following risk management experts:

  • Moderator: David Mortman, Director, Operations and Security for C3, LLC
  • Alex Hutton, Principal in Research and Risk Intelligence for Verizon
  • Andy Ellis, Chief Security Architect for Akamai Technologies
  • Donn Parker
  • Allison Miller, PayPal

David Mortman was giving out cream puffs for the best comments and questions from the audience.

Here are some of the issues that came up in the discussion:

  • Sam Peltzman once said, “If you make everyone wear seatbelts, then they’ll drive more recklessly.” That observation has proven true, said Andy Ellis. Risk management is a thorny issue, because if you take away risk, people create more risk.
  • Risk is about making performance more predictable.
  • Using data is an important part of preventing fraud losses. PayPal has a large volume of transaction data, and it plays a major part in how they detect fraud.
  • Risk is a hypothetical construct. You can’t actually see it in nature.
  • Donn Parker refers to risk management as diligence-based security.
  • A lot of laws and requirements force companies to engage in unnecessary risk management.
  • An intelligent adversary will change their behavior if they think we can predict it. An adversary’s behavior is not a matter of chance, and it is not governed by probability. They’re acting out of free will.
  • “How do you differentiate between stupidity and risk?” asked one audience member.
  • Knowledge, intent, and access are the three factors to calculate fraud. We can’t measure knowledge and intent. We can only measure access.
  • Anything that impacts schedule, cost, and revenue in an unplanned fashion is risk.
  • We can make risk predictions for a group, but the problem is how to take statistics derived from the group and apply them to an individual. For example, you know there’s going to be a certain amount of fraud in a given year, but will individuals change their behavior knowing what the fraud statistics are for all users across the country?
  • If you ask someone, “What’s your risk?” it’s impossible to get an answer you can measure against. What does low, medium, or high mean?
  • If you think you’re only one step ahead of your adversaries, then you’re probably very behind. You need to create multiple layers and multiple steps ahead so that you have a buffer to respond when you see outliers.
  • While the panelists all had very different viewpoints on risk, one audience member said they were all right.
  • If you’re in the risk management business and one of your “risk management” levels is labeled “green” then you’re doing it wrong.
  • What is your critical factor? Is it uptime? Is it financial loss? Is it fraud? Then you have to look at the issues that drive those factors.

David Spark

David Spark has contributed 156 posts to The State of Security.