Quantitative Risk Assessments - Possible Or Crack Dream? Bof presented at ShmooCon 2005

by Toby Kohlenberg ( Intel Corporation),

Tags: Security Risk

URL : http://web.archive.org/web/20050404000611/www.shmoocon.org/program.html

Summary : With the increasing need to think carefully about where security dollars should be spent, companies are getting really enthusiastic about the idea of using risk assessments to decide what the "biggest" problems are and what the "best" way to solve them is. Being the engineering dweebs that most of us are, the obvious answer is to find numbers that represent everything and then figure out the answer. E.g. quantitatively.

Unfortunately that seems to fall into the category of a Hard Problem(tm). The only people who come close to doing this are insurance companies and they can't do it for IT-related risk yet. So everyone does "qualitative" risk assessments. E.g. they look at the problem, try to think about it in a structured fashion and then decide the risk, mostly on gut feel. NIST did a study a while back and found that quantitative risk assessments are much much more expensive than qualitative ones and not much more accurate.

So my question to y'all is: Is it ever likely to be possible to perform quantitative risk assessments for security-related risks and if so, what needs to happen (new tech, more data, better ouija boards) to make it possible.