In a new column for Homeland Security Today, “Define, Measure Risk Accurately to Avoid False Sense of Security,” FAIR Institute Chairman Jack Jones applauds the Department of Homeland Security and other Federal agencies for taking a risk-based approach to cybersecurity in their new strategic plans – but questions whether they can truly identify and prioritize their risks.
“There is so much confusion and inconsistency in how risk is defined, measured, and communicated in the cybersecurity industry,” Jack writes. While senior government and business leaders expect risk “to be measured as the likelihood and impact of adverse events,” risk analysts frequently label things such as “cyber criminals,” “the cloud,” and “weak passwords” as risks. None of these is an event, so none can be assessed as a risk.
From that confused starting point, analysts often compound the error by assigning high, medium or low ratings to these “risks” based on their own subjective opinions, rather than on an objective model for cyber risk measurement such as FAIR.
Homeland Security and other agencies should start defining and measuring risk according to an objective, quantitative standard, Jack writes, “otherwise, the danger exists that a false sense of improved security will creep in, which could lead to even more misguided decisions.”
Read the full version of “Define, Measure Risk Accurately to Avoid False Sense of Security” on the Homeland Security Today website. It is the first in a series of regular columns for HST by Jack Jones.