A compilation of links to inspiration, news, information, articles, editorials, commentary, entertainment, events, occurrences, resources, photographs, videos, quotes, controversy, and conditions of interest to Pete Moss.

Wednesday, June 12, 2013

The Art and Science of Risk Management



Tony Bradley (@bradleystrategy), PCWorld
Jun 10, 2013 10:30 AM

Tony is principal analyst with the Bradley Strategy Group, providing analysis and insight on tech trends. He is a prolific writer on a range of technology topics, has authored a number of books, and is a frequent speaker at industry events.


Computers, networks, and information security seem to fall comfortably under the heading of science, but science alone is not enough. Security system developer Tripwire recently conducted a survey in cooperation with the Ponemon Institute to find out whether IT professionals consider risk management to be “science” or “art.”

Ponemon surveyed 1,320 respondents across the United States and the United Kingdom: IT professionals working in information security, risk management, IT operations, business operations, and compliance. Participants were asked, “In your opinion, is information security risk management an ‘art’ or ‘science’?”

[Image caption: Tripwire commissioned the Ponemon Institute to conduct a risk management survey.]

Ponemon defined the two concepts for the purposes of the survey. “Science” means basing decisions on objective, quantifiable metrics and data. “Art” refers to analysis and decisions that are based on intuition, expertise, and a holistic view of the organization.

Two-thirds of those from IT and enterprise risk management or business operations sided with “art,” while nearly two-thirds of the respondents who work in IT security and IT operations chose “science.”

Tripwire CTO Dwayne Melancon weighed in with some thoughts on the results. His take is that those who work in business operations and risk management generally don’t believe a precise answer is necessary in order to make a decision, so they favor art. Those who work in IT operations and security, on the other hand, view the world of risk management as a math problem with a specific answer, so they see it as a “science.”

Melancon explains that the disparity between art and science is the crux of the problem when it comes to managing risk effectively. “People with these viewpoints are talking about the same thing, but they are using very different language, which can make it difficult to come to a mutually agreed point of view.”

The simple reality is that risk management is both an art and a science. Computers are precision instruments that operate purely on ones and zeros. Computers—how they work, how they can be attacked, and how you manage risk and protect them—are devices that function based on science. But there is also a human factor—both in terms of the attackers and the victims—that adds an element of unpredictability, mixing intuition and art with the science.

Attackers are adept at exploiting the human factor to bypass security controls. Effective risk management depends on having the right tools in place—the science—while also having the big picture in mind, and understanding that the user is generally the weakest link in the security chain—the art.
