Misadventures in Risk Management

We don't always recognize the microdecisions we make over time that, through accretion, combine to create macro results. I just returned from a week of gloriously unplugged vacation to discover that our refrigerator had died. We entered our home expecting it to smell stale, but there was something else in there...a funk that suggested worse things to come. [N.B.: The week before vacation, we had discovered the source of another smell which we feared was a dead animal in the garage; it turned out to be a package of tilapia that had fallen behind a cabinet while moving food between freezers.]

Anyway, we did a quick search of the house and didn't find any obvious signs of where the funky smell was coming from. Then I opened our refrigerator to grab a cold drink, and the full horror hit me squarely in the face: rotting, liquefying food dripped from each shelf. The freezer was even worse. How did this happen?

We did not buy this refrigerator; it came with the house when we bought it. It was *relatively* new, like sometime in the last 10 years, but I didn't know anything about its maintenance history. Correspondingly, there was an ancient refrigerator in the garage that we used as expansion space, and to keep beer cold. Appliances can die unexpectedly, of course, and so my risk mitigation was to keep the higher value items in the newer appliance in our kitchen, particularly meats in the freezer. And so, while the battle axe of a fridge kept plugging away in the garage (a MUCH more hostile environment, as it is not climate controlled), the newer appliance took hundreds of dollars of meats, frozen delicacies, and condiments with it to its premature death.

How did my approach--prioritizing storage of more valuable commodities in a climate controlled environment and a newer appliance--fail? Did it fail? It sure seems like it did. The result was the opposite of what I had intended, and I certainly would prefer not to have the outcome happen again. So I started thinking critically about risk management, and analyzing my decisions and approach explicitly with that lens.

I had recognized a threat--failure of an appliance--which I couldn't directly control, but needed to mitigate to the best of my abilities. So I took my assets (food) and split them based on value, convenience, etc. between what I judged to be a lower risk environment and a higher risk environment. The "mitigation" effort should have lowered the risk of me losing all my food due to a single event (appliance failure). But what about a power outage? Well, that would be bad, of course, but in the time we have lived in this house, we have only had power outages for a few hours a handful of times--not enough to lose all the food, regardless of where it was kept.

No, my risk mitigation plan seemed right. And that's when I remembered--or more accurately, re-remembered--that WE NEVER GET RID OF RISK. Mitigation means you can transfer risk (like via insurance); you can reduce risk (via compensating controls); or you can accept risk (hopefully just latent risk remaining after it has been reduced or transferred). I had reduced the risk, and I had tacitly accepted the residual risk. But now, after actually suffering a loss, I was not satisfied with my previous attempts to mitigate. I estimate that I lost around $600 in food, not to mention the cost of having to deal with the horrific mess, selecting and purchasing a new refrigerator, and all the first world problems associated with the hassle of not having a working refrigerator in my kitchen for a week.

And this is where I started waxing philosophical about how companies envision and manage their own risks. We as a security industry have done a historically poor job of speaking the language of the business in such a way that non-IT executives can truly understand the risks they face. Some (too many!) infosec professionals paper over this inability to communicate in the language of the business with fear, uncertainty, and doubt (FUD). The FAIR model of risk measurement and management is a shining attempt to correct this massive failure, but that's a topic for another time.

How many companies thought themselves well-prepared until they suffered their first major breach? To paraphrase legendary boxer Mike Tyson, everyone thinks they have a plan until they get punched in the face. You sometimes have to FEEL the pain of loss before you truly understand the value in mitigation. And the value of mitigation must include the relative peace of accepting the potential loss if and when you suffer a loss event. We all have stories about how budget or headcount magically becomes available after a significant security incident.

This is why our focus has to be on reducing dwell time for attackers, reducing the time to detect, contain, and recover from loss events, and ensuring that we are speaking clearly and frequently with our business owners about risk management and mitigation.

For me, my new refrigerator includes a monitoring service that will alert me if there is loss of service. I already monitor my electric consumption and service continuously, and (because I'm a huge nerd who loves technology) I will probably use this opportunity to rethink all my home automation and monitoring capabilities. And this is what a loss event SHOULD do--you should reconsider all your assumptions, all your comfort with risk in your life. Maybe you make some changes. Maybe you decide that you are still comfortable with your approach. But you should never stop examining your choices and what is important to you. Understand your past decisions, but don't be bound by them.