Recently I got into a discussion with an insurance supervisor on the topics of risk assessment.
He explained the process of work of actuaries in insurance, and that there are standardized tables of probabilities for an event to occur, like sickness and death, and how it is used to calculate insurance premiums.
After digesting the explanation, my reaction was that I found the holy grail of the Information Security Risk Analysis: All it takes is for enough information of an incident event be collected into a statistical table, and all possible types of information security incidents will have a standardized table of frequency and impact - no more assessments over the entire organization!
And in such a great and utopian solution, at least a quarter of the time the information security personnel will fell like they are doing actuarial jobs.
But I was quickly brought back to reality by the expert in insurance, with a good question: Actuarial tables are compiled based on information that is mandatory to be published - illness, fires, theft, even death.
How will you collect accurate information from information security, when it's not mandatory to publish them?
And he was perfectly correct: Collecting information to compile an actuarial table for information security will be impossible. There are very few companies in the world that will release any information that there was an information security incident if it hasn't impacted the public in a very obvious way.
Also, the value of the impact is calculated in any number of methods, and different items are included in the value, making the valuation of the incident an incomparable attribute from one incident to another.
Having a standardized method for risk assessment in information security based on hard numbers would be great. But since the factors included in any incident are very complex and varying, and also consistent incident reporting is nearly impossible, we will be sticking to the current qualitative methods.
Talkback and comments are most welcome...
Cross-posted from Information Security Short Takes