Beyond Risk-Based Security

Donn Parker’s approach to security:

“The bottom line is that no matter how elaborate or “scientific” the risk assessment methodology is, whether it is Octave, FAIR, FRAP, or even Dr. Kevin Soo Hoo’s that is the most complete mathematical model of risk assessment methods ever developed, there are no sufficiently valid frequency and impact data that will make the results valid. Business managers can guess the frequency and impact of a rare loss incident, but an event, circumstance, or enemy unknown to them can materially change the risk, making any security decisions or their implementations the wrong ones done in the wrong ways at the wrong times. And the situation will get worse because of increasing complexity and change of technology, opportunities for crime, numbers and types of enemies, and potential for loss.”

Making the Case for Replacing Risk-Based Security
Donn B. Parker, CISSP
THE ISSA JOURNAL – May 2006