Wednesday, September 23, 2015

About risk and why you want to use the word "threat" very sparingly.

From our I don't know series.

Paradoxically, the more often your users are forced to change their passwords, the less secure they – and you – become.

Lazy as we are, we let the Institute of Risk Management introduce risk:
Risk is part of all our lives. As a society, we need to take risks to grow and develop. From energy to infrastructure, supply chains to airport security, hospitals to housing, effectively managed risks help societies achieve. In our fast paced world, the risks we have to manage evolve quickly. We need to make sure we manage risks so that we minimise their threats and maximise their potential.

Not surprisingly, there are international standards (ISO standards) relating to risk management, and Wikipedia quotes risk as the effect of uncertainty on objectives. 

There are many specialist publications, such as Risk Management Magazine, and you can study risk management at universities and colleges worldwide. Risk management professionals even write about a strategy for transgender workers under a photo of a unisex toilet.

On the evening news and in the media, at least 90% of what you see and hear (or 150% if you watch Fox News) is about some kind of risk. If someone wants to make a risk sound really scary, they call it a threat, of course.

As much as the blogster loves the world of IT, the profusion of its use of "threat" and "threat model" isn't helping anyone besides fear mongers.

As funny as it may sound, the extensive glossary of insurance and risk management terms of the Dallas, Texas-based International Risk Management Institute does not have the term "threat" as an entry under T. It does have tail and twisting, though.

Threat is an emotionally loaded and, in terms of quantifiable risk, awfully imprecise term - ideal for media use and politics. Add the qualifier "imminent" to it, and you can make a lot of people pull out their rosaries, other praying utensils or guns almost at will.

While the practitioners of risk management have accomplished a lot in making the world safer, they have also either actively brought us - or let themselves be pushed into supporting - some strange regulations.

The elimination of radium paint from clock faces, the demise of the strike-anywhere match, or the electric blanket that no longer is a fire hazard are success stories.

In Germany, on the other hand, our preferred household cleaner and laundry additive H2O is more regulated than "high octane" alcohol and even costs twice as much as a bottle of 80 proof liquor. Aspirin can only be bought at a pharmacy and will get you a friendly product safety talk unless the pharmacist remembers you have acquired several pounds of the stuff spread out over a decade and you still look pretty much alive.

And who doesn't hate having to take off their shoes at the airport?

That's because "threat" was, and still is, used to overrule "risk".

At the end of the day, most of the actual events that determine whether an individual gets to go home after work to his or her loved ones, whether a trip ends safely, whether preparing a meal lands you in a wheelchair for the rest of your life, whether your life savings disappear for good - this and more depends on the willingness of other individuals to do the right thing.

And when people are treated badly by superiors or customers, risk increases - which means you make the world less safe when you yell at a customer support rep or when you don't say something as you witness an employee being treated unfairly by his or her boss.

Selling tainted peanut butter or not refusing to write software that cheats may be some of the outcomes.

Here are just a few people from real life situations you should thank every day for keeping you safe and secure:
The low-paid auto mechanic who makes sure the tires are mounted and the wheels bolted on correctly, the food worker who washes his hands every time, the construction worker who destroys an unsafe scaffolding board because he knows the company owner would sell it on to someone else.

We'll end this post with a telling and ultimately scary perception of you and me being risks in everyday life. Here is what the current chief of the federal German domestic intelligence service said at a conference on civil liberties.

It may well be that the politicians say: it is important to us that people can wander around the streets unobserved and uncontrolled, we accept this risk. Then so be it.

[Update 9/24] Last two paragraphs, starting with "We'll end this post".
