Risk Assessment -- Don't Get Fooled Again

Dave Kinchlea

One of the most difficult topics to understand and appreciate is risk assessment; in my estimation there are very few people who truly understand and practice risk assessment, even so-called security professionals often fail to do so. Most people with appropriate domain knowledge do well at listing the risks involved in a particular activity and can describe in glorious detail the possible results of the thing at risk, but very few truly appreciate or even consider the relative risk ... the likelihood of any particular risk coming to fruition.

Risks Associated with Pet Vaccinations

I'll bring this back to computing in a few paragraphs but first I'm going to focus on something many of us are somewhat familiar with and that is pet vaccinations. Veterinarians in North America push a lot of drugs into the care of our dogs and cats; most pet owners are familiar with the yearly "shots" touted as necessary in order to keep their pets healthy. There are a very large number of vaccinations available and pushed on pet owners; here are the common ones: parvovirus, adenovirus, parainfluenza, distemper, rabies, bordetella, coronavirus, Lyme disease, Giardia, and heartworm.

I'm just going to focus on two of the commonly pushed vaccines / treatments: Lyme disease and heartworm ... I'm not a veterinarian, I'm not an expert in dog health, diseases, or in fact anything related to dogs. I'm just a pet owner who wants to do the right thing for the animals in my care. But I want to be able to decide what is "right" for myself or delegate that decision to somebody I trust. When it comes to vaccinations, I want to understand the benefits, risks, and costs involved in every vaccine I am asked to put in my dogs. Unfortunately, however, I am only provided with two of those pieces of information: the benefits and costs involved. But I want to understand the risk involved.

I've asked every single Vet I've ever taken a dog to who has asked (expected) me to treat my dog for heartworm, "What is the likelihood of my dog getting heartworm? What is the incidence in South-Western Ontario?" The answer to these questions really never varies very much; it goes something like "heartworm is devastating to your dog ..." followed by as many minutes as you will allow them to describe the very real and awful effects that heartworm can have on any infected host. I'll always try twice, just in case the question was lost: "I understand that having heartworm is devastating to my dog, expensive to treat, and preventable, I get all that, but in any way that you can, please tell me how likely it is that my dogs will get heartworm."

The next response will vary a bit; the more intelligent folks tend to read the situation well and tell me that they just don't know that but that the risk isn't zero. More often I'll just get another long-winded explanation about how bad heartworm is. Just before I wrote this I went to the American Heartworm Society and found a similar question within the FAQs, "How big is my pet's risk for heartworm infection?", and their answer is equally unsatisfactory; to paraphrase, all they say is "the risk is not zero" and then tell you to prevent this from happening using drugs. Now, despite the fact that this is a not-for-profit association, I think it is relevant that their sponsors are all pharmaceutical corporations ... that is just too close to truthiness for me. My conclusion is that the risk is so small as to be incalculable (for our dogs here in SW-Ontario, not all dogs everywhere) because otherwise they would be using the incidence rate as part of the scare-sale.

Lyme disease, spread by ticks, is similar, though the last time I visited a Vet I actually got an answer to my question: "there has been one confirmed case in Turkey Point, it is in Ontario now". One case in all of Ontario; Turkey Point is 100 miles or so from where we live and our dogs reside. There are millions of dogs in Ontario but just for the sake of argument, let's say there are exactly 1 million dogs, giving a chance of infection of 1 in a million.

That is not zero but is it worthy of the risk of being damaged by the vaccine? All vaccines have the potential of doing harm; every dose contains a non-zero chance of hurting and not helping. But I cannot find out that risk at all, I cannot conduct this risk analysis. I believe that to be a deliberate action on the part of manufacturers of the vaccines. So I choose to interpret that in the most negative fashion possible and assume that the risk from the vaccine is greater than the risk of Lyme disease (for our dogs in our part of the world, not all dogs everywhere). Certainly my pocketbook has always been happy with that decision and none of my dogs have suffered because of it. It isn't quite that simple, I am not a monster.

Security and Risk Assessment

The truth about most security-related fields is that they are full of the same sort of behaviour. Risk Assessment is not really practiced: risks are identified, the worst-case scenario for each identified risk is listed, and the required steps for risk mitigation are provided, but rarely will you see any sort of measure of the probability that a particular risk exists. Often the missing information is just not available or is very difficult to ascertain and few professionals would want to guess at anything; though for the record I think security experts should offer their opinion just the same, for surely their opinion is better than that of non-experts!

This behaviour isn't limited to computer security; it is a fear-based response to a lack of knowledge, not at all different from the myriad of security procedures put in place to be able to quell civil unrest. For instance, consider the purchasing of Sound Cannons by Toronto's police department, said to be "necessary" for handling protesters for the recent G20 summit there. Each device cost about $250,000 and would, arguably, be useful in some potential scenarios. Now there may well be other motives involved and certainly "boys like their toys" but the people who approved this expense are relying on these security experts to apply their expertise. If they are asking for Sound Cannons then there must be a real need for them. The need was not quantified but the symptoms were listed (riots are scary things) and the money for these cannons provided ... hopefully all that will be is a waste of money and they'll never be used, but isn't there an incentive to use them now that they have them so that they aren't a waste? Isn't there a bit of the tail wagging the dog here?

I see a parallel between a police or military force and the pharmaceutical companies funding the supposed good advice of the American Heartworm Society ... I'm not able to say whether their advice and information is accurate, but I DO know it is self-serving and I find it interesting just what information is not available.

Computer Security Is Different, sort of

Security within our everyday lives is more understandable to most people than computer security; we can relate to large crowds and most adults have at some point seen a mob react, either personally or virtually through the eyes of a camera. Few of us could realistically estimate the likelihood of any particular crowd reacting negatively but all of us know it happens with some frequency and we are often surprised (but always upset) when it does happen. If a police force said a Sound Cannon was required in London, Ontario to quell the brain-eating cannibals roaming the city, very few of us Londoners would agree with the expense. Our experience in the world is enough to know that while there may be brain-eating cannibals somewhere in the world and they might even exist in London, Ontario (who is to know?), this is not a risk we need to mitigate ... even though having your brain eaten would be quite devastating. We can weigh that risk and feel confident in our decision.

Even many computer security experts find computers and computer security highly complex and abstract. While some people find it interesting, some find they are particularly good at finding vulnerabilities, and others are sure they are expert at keeping those vulnerabilities from being exploited, none of these people know esoteric computer codes the way all of us instinctively understand the threat from cannibals.

This is why many people find computer security in particular but security in general to be onerous and often seemingly pointless. Sometimes both are true because we allow security professionals to work the same way that we let our veterinarians work; it may be the responsibility of every pet owner to do their own research and make their own decisions, but we put our trust in our vets to make the right decisions for us. We trust computer security experts to keep our software and computing environment 'secure' but it is impossible to prove a negative ... just how many elephants did I keep out of my backyard because of my elephant-repellent? All of them!

It May Not Be Possible, But....

Truthfully, some questions can't be answered and others are very difficult. Unlike medicine, it really isn't possible to compile meaningful statistics; there is no equivalent to a "1 in a million" chance of Lyme disease, we can't ever say "1 in a million computer users" can or will exploit a particular security vulnerability. We have no way of quantifying the risk. But that should not be an acceptable excuse for providing no assessment.

I'm a recognized expert in computer security, at least as it relates to Open Text's ECM Suite, and there is no doubt but that my opinion as to relative risks is superior to that of a non-expert in the field. I know that security vulnerabilities are not equal, that the likelihood of some breaches is greater than others ... for instance, breaches that require access only provided to trusted administrators, while always a risk, may be an "acceptable" one in some circumstances and a major red flag in others. Note, however, that this is still just my opinion; I can't quantify it any more than anybody else. But my expertise stands alone, it is not mired in conflict nor would I burden myself with thoughts of having to be perfect. Guaranteed secure isn't possible for any web application (or much of anything else either) but reasonable security is.

In fact, it isn't really that hard to be reasonable; you just have to change your thinking a little bit. There is only one reason there is not a bank vault in my basement, which is that the costs associated with putting it there far exceed the thing it is going to protect ... I don't have anything for which a would-be thief would want to expend the sort of effort of going through a bank vault; there would be no sense to the vault. In computer security the cost calculations are a bit more difficult and changing every day, but they are still there. Some vulnerabilities can be exploited essentially for free; others require significant resources to be available and deployed in order to exploit the vulnerability. Like most things in society, often the exploits that are interesting to read about are the least likely to be of concern to most businesses (but are vital to understand for others!).

I've worked in computer security for almost 20 years now, and there has been no major breach of any of the applications and services under my control. I've always tried to put in place not the ultimate secure solution in every case but the reasonable secure solution for each case, one designed to meet or slightly exceed my estimation of how likely a problem is to occur. I don't want to build the equivalent of a bank vault in my basement nor leave my money sitting in my front hall for anybody to walk in and take. I want reasonable security for my house and I build reasonable security for systems.