Is Risk Assessment a Snake-Oil Discipline?

I’ve been thinking a lot recently about the usefulness of risk assessment. A while back I had an interesting conversation with Marcus Ranum about the issue. His opinion was basically that risk assessments give companies a false sense of security more than anything else, and that they aren’t ultimately very useful in the long run due to their subjective nature.

I argued that they were very useful despite this fact. I said they do help because — even if they do so in a soft, nebulous way — they get companies thinking about many issues that they might not have been thinking about otherwise.

So I agree it’s not a hard science, and I agree it’s very possible to perform a disservice to a client by telling them that the things found are the only things they need to worry about, a solid risk assessment still results in a net good for the client.

Recently Don Parker got in on the subject too. He came out on Marcus’s side — a fact that doesn’t bode well for my position. He said that the “risk-based” approach should be replaced with some new ideas:

So what are your thoughts? Is the risk-based approach too soft to be useful? Is it based too heavily on the subjective view of the group doing the testing, resulting in arbitrary findings? Or do you think it’s solid? Or is it useful even thought it’s not completely solid? (my current view).

One parting thought — haven’t the insurance agencies have been doing risk for years based on what essentially boil down to intangibles? The chance of falling ill? The odds of wrecking your car? Isn’t this the same type of educated guessing game that infosec risk assessment methodologies are attempting to master? If not, what’s the difference?

I’d like to hear your thoughts.

Related posts:

1. It’s Time for Vendor Security 2.0

2. Explaining Threats, Threat Actors, Vulnerabilities, and Risk Using a Real-World Scenario