For many years, the most commonly accepted standard model of risk has been the verbatim formula (or a close variation of it):
risk = [likelihood of threat] * [consequence of threat] * [asset value]
This model is the foundation of most risk management activities; it was a topic in several RSA Conference 2014 sessions, including Malcolm Harkins' "Business Control and Velocity: Balance Security, Privacy, Ethics & Balance Risk" as well as the "Advancing Information Risk Practices" seminar. This model has worked for years, and it should continue to deliver reasonable estimates of risk well into the future. However, the individual variables that feed the equation—likelihood, consequence, and asset value—are changing dramatically, and security and risk professionals need to ensure that they're properly quantifying these three criteria, or the value that this equation provides will rapidly fade.
The adoption of a slew of new technologies has quickly changed what these three variables represent. Let's start with the most tangible one, asset value. Historically, information security has been about protecting data: cardholder information, health care data, personally identifiable information—regardless of the specific scope, the focus has long been on the data that's processed, stored, and transmitted by technology, not the actual equipment itself. In today's "Internet of Things," that has fundamentally changed. Today, devices that can affect the real, physical world—not just data—must be included in the risk model. From IP network-connected "smart" appliances, including thermostats, refrigerators, and meters, to critical infrastructure equipment such as PLCs, the possibility of a malicious attack affecting not just data, but the world around us, is greater than ever. That means that, from the perspective of the standard risk model, the concept of asset value needs to be adapted to measure not only the direct value of data, but also the value of unanticipated environment impacts.
The concept of consequence is also greatly affected by the adoption of newer technologies and technology management approaches. Let's look at BYOD mobile for a moment: hundreds, possibly thousands, of individual employees connecting their own mobile devices to the corporate network and commingling data between the enterprise and their personal lives. For both the user and the enterprise, this model means increased consequence: if the device is compromised (say, through malware, physical theft, or other means), the data of both the individual and the corporation are in jeopardy. In that case, calculating the consequence of damage needs to take into consideration the value for both parties. This makes identification of this value incredibly difficult.
Perhaps the most difficult variable in the standard information risk model to address is, and has always been, likelihood. The concept itself—"how likely is it that a threat will occur?"—is very subjective. But the adoption of new technologies such as the cloud has made this an even more difficult measurement to estimate. In the cloud world (and specifically, the public cloud), it's difficult for customers to get visibility from the cloud vendor. The more complex the service—moving up the ladder from IaaS to PaaS and SaaS—the less information is typically available to the buyer, exacerbated by an unprecedented level of shared services among cloud customers. Your application and data may be partitioned logically apart from another public cloud customer, but certainly not physically. What happens when, through no fault of your own, a customer's VM running on the same physical server cluster as yours is seized as part of a criminal data forensics investigation? The traditional concept of "likelihood of threat" becomes geometrically more complex as customers lose control of, and visibility into, the details of how their data is processed and stored.
So, does this mean that the traditional model of information risk is in jeopardy? Probably not, but it does mean that organizations need to ensure that they have a good understanding of the scope of threats that can potentially affect their enterprise, and they need to fully grasp the potential impacts of technologies they use, whether those are traditional servers, desktops, and laptops, or more modern technologies such as the cloud, BYOD mobile, and the "Internet of Things." Otherwise, the reliability of the concept of risk will rapidly lose its value.