Taking into consideration 400-odd Government Departments, Agencies and Commissions, and that there were (conservatively) upwards of 4,000 companies employing more than 200 people in early 2017, plus consultants, then there is a fair base of security risk practitioners across Australian sectors. It is admittedly a conservatively educated guess, but let’s suggest that each Government entity employs at least one person that should be doing security risk assessments – two if you count those in the cyber space (because there is little difference in the methodologies applied). Add another (again conservatively) 6,000 private sector (protective and cyber) security risk practitioners, and 500 consultants and other suppliers, and that equates to 7,300 individuals responsible for the conduct of security risk assessments (and ongoing management of associated programs). There could be triple this number, but it’s a good enough number to make the point.
In nearly 20 years of practising security risk management (to varying degrees of proficiency at various times in my career) I have seen only a handful of security risk assessments that I might consider emulating. 99% were necessarily qualitative, but many were excessively simple, put together purely because they had to be, but otherwise offering little other than what the author wanted to do anyway. There was no reasoning, no intellectual rigour and scant attention was given to integrating assets, threats and risk controls, much less vulnerability, into the narrative and calculations. Minimal justification is given to recommending spending potentially hundreds of thousands of dollars in risk ‘treatments’, and it is hard to get any kind of equivalency/benchmarks out of the results because they are so simplistic.
Then there are those in the middle and those you might describe as being overly complex; the latter are those that have usually been put together with very good intentions. Someone who goes to the effort of creating a VB-scripted MS Excel Workbook, linking all of the above elements across multiple worksheets in a way that seeks to facilitate the intrinsic relationships between them all, is clearly thinking about the process. Problems arise in the utility of the product, because most practitioners simply cannot replicate the process. Possibly the bigger issue, though, is when the logic is faulty, particularly in view of the myriad ways that the ‘art’ of security risk management can be conducted. If you have ever read HB 167:2006 in detail you’ll know what I mean.
The truth is that most people seem to find them an embuggerance, a stepping stone to the treatment stage. They essentially are, but they are also a critically discrete stage of the treatment process and thus warrant the highest level of attention; indeed they are meant to be the keystone in protective and cybersecurity planning.
There are many reasons why such assessments are often done poorly: emerging professional maturity levels within the industry (without taking anything away from the expert practitioners that are out there), a lack of rigorous oversight, low client expectations and the absence of compelling obligations to do it well. There is also confusion in the marketplace, in terms of advertised services making everyone sound like they have the best solutions/are the most expert.
Those who tend to overcomplicate the process at the expense of practicality should actually be congratulated for knowing that things should be done better and trying to do just that; it’s often easier to scale back to a good methodology than come up with one in the first place. Sometimes it works, and a few of the more advanced approaches have been what I consider best practice, but they are in the minority.
HB 167:2006 and the Security Risk Management Body of Knowledge are great places to start. If you’re a client, make sure to check the methodology, and ideally seek to examine a completed assessment before selecting a vendor. Most consultants will usually be willing to show you a redacted one in hardcopy. In doing this you will be as certain of what you’re going to get as you can be, and be in a good position to determine whether you think the logic makes sense.
All the best, Konrad Buczynski