Tuesday, April 3, 2012

The Psychology of Acceptable Risk

Let's keep this simple.
Consider residual risk and acceptable risk. Controls are put in place to address known and unknown risk. The risk that remains after those controls are applied is called residual risk. If the residual is not small enough, you add more controls until it reaches a level you are willing to accept. The threshold for how much risk you are willing to carry is called acceptable risk. With those two terms covered, note the relationship between assurance and acceptable risk.
Assurance is the grounds for confidence that the set of intended security controls in an information system are effective in their application.
(NIST SP 800-37 and SP 800-53A)
What influences your risk tolerance?
There are lots of interesting angles here. Think about this for a minute. What is it about an environment, a product or solution, that builds enough confidence that you are willing to accept the residual risk and place it into operation?

Can a vendor affect how much risk you are willing to accept?
I believe, quite simply, that the answer is yes. What other influential factors affect how you feel about a product or solution? Is it *right* that security can be subjective? Certainly, there are additional measures that build your confidence in a particular system, such as third-party reviews, configuration to *someone's* best practices, penetration testing, or borrowing trust from another system's ability to manage the new system's risk. We often tell others that a system has to meet a certain stringent, concrete standard to be considered secure. Well, yes, that's right, but there is also the influence of a vendor's history, reputation, communications, sales team, support, engineers, and more that drive your trust in a product or solution to meet your needs.

Where did this come from?
I thought about this while walking the floor of RSA several weeks ago. It was interesting how much credibility I gave certain products because of their track record, without any real experience with a particular platform. My biases crept into the picture, thinking about how company "X" *always* seems to deliver sub-par solutions, and company "Y" always seems to deliver results. Even if testing of X demonstrated marked gains, my gut is to hesitate and prefer the trusted partner to "get it right".