Donn Parker Suggests Dropping the Risk-Based Approach to Information Security

The May 2006 issue of The ISSA Journal has an article by Donn Parker entitled Making the Case for Replacing Risk-Based Security (the PDF is only available to ISSA members).

In it he says:

I claim that security based on risk management, risk reduction, and risk assessment is a failed concept.

He suggests replacing the risk based approach with the following:

I propose that intangible risk management and risk-based security must be replaced with practical, doable security management with the new objectives of due diligence, compliance consistency, and enablement.

Since the PDF is not readily available, I will quote from it at length in this post.

Regarding risk management he states:

Also, security risk is quite different from business risk, which consists of forecasting the investment of resources to produce a profit. It also has no relationship to IT risk, which forecasts the probability that a new or changed system, application, or development project will be financially successful.

Unfortunately, security risk management has never been demonstrated to be valid. No study has ever been published to demonstrate the validity of information security risk assessment, measurement, and control based on real experience. And without assessment, security risk management is not possible. Therefore, information security as defined in GAISP is based on an unproven concept that is, in fact, not yet shown to be valid.

One CISO told me that he performs risk assessment backwards. He says that he already knows what he needs to do for the next five years to develop adequate security. So he creates some risk numbers that support his contention. Then he works backwards to create types of loss incidents, frequencies, and impacts that produce those numbers. He then refines the input and output to make it all seem plausible. I suggested that his efforts are unethical since his input data and calculations are all fake.

On the upside, he says:

Fortunately, due diligence (or care) based on about forty years of information security experience, along with compliance with regulations, legislation, and standards and enablement of business and government to meet their objectives, have now become the de facto objectives in spite of all that is written about risk.

My inquiries about how CISOs go about performing risk assessments to meet the requirement led me to conclude that regulatory requirements can be met by performing a "very high level" assessment that in a few paragraphs describes the dangers that a corporation is most concerned about, with appropriate caveats that much is unknown.

With rapidly expanding regulations, risk is transforming from the risk of rare incidents to the risk of failure to meet regulatory requirements and the impact of penalties that might ensue.

I suggest that the reason that top management underfunds, undersupports and underrepresents information security (as reported in the trade media and from complaints by CISOs) is because information security is represented to management as being based on intangible risk reduction that is easily refuted or ignored. Risk reduction is a weak justification for security.

In my experience, risk evaluation is a mild joke. It is very qualitative and numbers are grabbed from the air to keep the exercise going.

Parker’s replacement suggestion is a sound one: Due Diligence, Compliance, Enablement.

Due Diligence

Information security practitioners should show that they are following industry-wide best practices for processes, controls and monitoring. Constant education and networking will be required to maintain this state.


The information security program should be designed around adhering to required and/or recommended standards such as SOX, HIPAA, CoBIT, ISO 17799 (and successors), ITIL, etc. I suspect overtime that business insurers will require compliance to this or possible additional standards as terms of being insured. Practitioners will need to understand this standards backwards and forwards and apply them to protect the organization from legal and reputation problems.


This is the fun part of information security practice. A good security team will plan for and deploy process, products and techniques to enable advantages for the organizations proactively.

My Conclusions:

  • I like the suggested approach and think it is the way to go.
  • I expect the professional groups and information security bureaucrats to resist changing away from the risk-based approach.
  • Kudos to the ISSA Journal for publishing it.

Update: More on this topic at the TaoSecurity blog


5 Responses

  1. […] Donn Parker Suggests Dropping the Risk-Based Approach to Information Security […]

  2. […] I am just starting to read up on the PCI standard(s). They are not simple. I can definitely see where financial service providers that are good at executing complex security standards could have a competitive advantage over those that are not. This ties in well with Donn Parker's ideas on a non-risk based approach to Corporate Information Security programs. […]

  3. […] Financial service providers that can comply quickly and easily have information security programs that bring real value to their organization à la Donn Parker’s recent article. We shall see… […]

  4. […] Others feel they’ve already tried “risk management” and want to move on, and others feel like that might still be an answer – we just need to explore it a little more. […]

  5. […] Donn Parker got in on the subject too. He came out on Marcus’s side — a fact that doesn’t bode well for my position. He […]
