Managing Network Security

Risk Management or Risk Analysis?

Copyright (c), Fred Cohen, 1997

Series Introduction

Over the last several years, computing has changed to an almost purely networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs have increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.


As one of my co-workers once said: risk analysis ... risk management ... it's all the same thing. I tactically retreated and made strategic plans to provide additional information later. This is later.

The risk analysis people may chime in here and tell me that risk analysis is HOW risk management makes these decisions. I can only speak to this from experience. I have been involved in many management decisions and I have never seen anyone make a management decision relating to information protection based solely on the result of a quantitative risk analysis. Risk analysis may contribute to the decision process, but ultimately, that's not how decisions are made.

So how are they made? If you were in my office, you would see me chuckle as I wave my hands about in response. But before you rush off and figure it's all smoke and mirrors, I'd better tell you that it's really not all just hand waving. In fact, as you will see, hand waving plays just as much a part in risk analysis for information protection as it does in risk management. The real difference is that in risk analysis, the hand waving is hidden within calculations, while in risk management, we wave our hands in front of everyone and call it good (or bad) judgment.

Network Risk Analysis

Nobody really knows an exact way to analyze risks and risk mitigation strategies in a networked environment, but by applying standard risk assessment techniques, we can create a framework for analysis.

Standard risk analysis asserts that we calculate an expected loss (L) by multiplying the probability of each event (p(e)) that can cause a loss by the expected loss from that event (l(e)) and adding these results for all of the events (all e in E).

Mitigation strategies are then optimized by examining each proposed mitigation technique to derive the reduction in expected loss associated with the technique's use, dividing by the cost of the mitigation technique to derive a return on investment (ROI), and applying the most cost effective (i.e., the highest ROI) method first. Apply methods until no technique with a high enough ROI for the organization is left, and you are done.

In theory, we can apply this to a networked system of computers by simply enumerating all of the events for the network as a whole, determining probabilities for each event, calculating the expected loss for each event and the ROI for each mitigation technique, and doing the arithmetic.

It seems very simple and straight forward, but there are a few challenges along the way. Let's look at these:

Nobody to my knowledge has ever performed a full risk analysis of a substantial network, and I doubt that anyone ever will. People that claim to do network risk analysis tend to make sweeping assumptions.

Having said all of this, I am anxious to add a note of caution. There are a substantial number of people who believe that quantitative risk analysis is viable in information protection and who perform this analysis with great rigor. Quantitative risk analysis has been applied to systems and networks of all sizes for many years. Those who believe in it have not perished and they are firm in their convictions. The supporters of this technique are well aware of all of the points I have made here, and they assert that they can still do a good job despite these factors.

Network Risk Management

Risk management takes a completely different perspective on the issues of risk. The basic idea is that everything in life is risky. You win some and you lose some. The object is to make the wins bigger than the losses. Instead of trying to micro-manage technical protection, risk management seeks to make decisions about whether and when to take, avoid, or mitigate risks and how much to spend in the process.

For the risk manager, the range of possibilities goes from not worth worrying about to we lose everything if it fails. The way risk managers decide what sits where in this spectrum is through an understanding of the nature of the enterprise and the role of the particular component in the success or failure of the enterprise.

An astute reader might exclaim that this is the same thing that the risk analysis process provides in its assessment of expected loss, except that risk analysis has more rigor. In an ideal world, that would be true. Unfortunately, it is very hard to encapsulate business sense in expected loss numbers. As a partial solution, some people have tried to encapsulate business knowledge in their risk analysis methodologies, and this has had a positive effect on overall protection management. But I am getting ahead of myself.

Just as risk analysts have a hard time encoding business sense into their risk analysis, it is also very hard to get many managers to understand the risks associated with the application of information technology in their enterprise. Indeed, there is widespread belief among many people in the near-infallibility of computers. After all, if it weren't for our imperfect human programmers, computers would always be right.

One of the side effects of not understanding risks and a general belief in the perfection of computers is the general perception that a computer system is right unless there is some reason to believe that it is wrong. By extension, many people seem to believe that unless a computer displays some indication of having been attacked, it must be secure. In systems that go a step further and proclaim that they are operating in a secure mode (e.g., Netscape which displays a key when it is using cryptographic communication and a broken key when it is not) users tend to believe that this mode is indeed secure against all threats.

Risk managers are people too, and they sometimes fall prey to the same misunderstandings as the general public. The real weakness in risk management is that it is often done by people who don't understand enough about the risks they face

A fairly common technique in risk management is the covering approach. In the covering approach, we create a list of attacks and a list of defenses and identify which defense provides coverage against which attack. The goal of risk management is then to balance coverage with organizational importance. Importance is determined based on managers' assessments of what they are worried about, while coverage is characterized by a qualitative statement about the strength or nature of the coverage against each of the attacks it applies to. In the coverage approach, costs are sometimes identified with defenses, but it is rare that expected loss is associated with attacks. Rather, managers reason about what they are willing to protect against and what they are not willing to protect against, hopefully considering facts of many kinds from many sources.

Perhaps the most important point to be made for the covering approach is that management makes explicit decisions about what attacks are to be covered and how much depth the defense has against each type of attack. In the same process, they explicitly and knowingly make decisions to not cover particular attacks or to protect against them with weak or non-redundant coverage. It is the manager's job to understand the impact of attacks on the organization and to make decisions over time. Managers can then ask themselves questions like:

What can reasonably be ignored for now? What decisions can reasonably be delayed? What can be managed if and when it occurs rather than protected against proactively? What sorts of contingency planning should be considered over time? What can I insure against? What expertise should I bring into the organization to help in these areas? How will this impact other operational decisions?

Unlike the purely numerical prescriptions given by quantitative risk analysis, the covering approach leaves a great deal of management latitude and involves judgments other than the association of numbers to events. The covering approach also gives managers some things that classical risk analysis doesn't give them:

Along with the benefits of risk management approaches like the covering approach, come some potential down sides:


You may be surprised to find out this late in my article that I believe that properly done risk analysis and properly done risk management both work well - but in different contexts.

In large organizations with well-qualified managers, strong technical support staffs, and a high degree of awareness and technical sophistication, risk management has proven highly effective. In organizations with weaker technical staff, less awareness, and less technical orientation, risk analysis provides a viable methods for making reasonable decisions.

But these rules-of-thumb aside, there is one key factor in getting good results from either technique. It is the quality of the individuals who help guide the risk analysis/management process. It may sound like an easy out, but it's invariably true - regardless of the techniques you choose, more experienced people with more knowledge and expertise get better results - and people with less experience, less knowledge, or less expertise get poorer results. Perhaps the most important risk management or risk analysis decision to be made is who is put in charge of the process.

About The Author

Fred Cohen is a Senior Member of Technical Staff at Sandia National Laboratories and a Senior Partner of Fred Cohen and Associates in Livermore California, an executive consulting and education group specializing information protection. He can be reached by sending email to fred at