Risk is not typically lauded as something good. From birth we’re counseled and coached by parents and teachers to avoid it or else bad things will most likely happen. Those same folks endeavor to mitigate risk for us. Our need for risk reduction follows most of us through every stage of life; starting simply with AC outlet covers, bumpers on the corners of coffee tables, skateboard helmets, even childhood immunizations.
In adulthood, risk continues to be avoided whenever possible. The insurance premium you shell out every month is based on incredibly complex risk models that enable the insurance companies to accurately predict the likelihood of a payout. As individuals, we wear seat belts, we eat right, and some of us even exercise. No actions can guarantee with 100% certainty that nothing bad will happen. If they did, those insurance policies wouldn’t be necessary.
In reality, some “big” risks may be smaller than they appear—and some may be larger. The safety record of commercial airlines doesn’t justify the paralyzing fear that many experience at the thought of boarding a plane, but how many of us still say a small prayer when the plane hits bad turbulence at 36,000 feet? Riding in a car without a seatbelt may seem low-risk to some; at least until we get into the accident that we never expected.
Okay, I’ll admit it: a certain amount of risk can be fun. I am not going to dust off any skeletons in my closet in case my kids read this, but I have rock climbed, I have parasailed, I have driven a car at over 150 mph, and I have commanded a tank. To some these activities might seem insane, while others might think I’m a wimp. Everyone has their own risk threshold at which the reward is exceeded by the possible cost.
This past weekend, I started down a path that many consider risky: I purchased my first motorcycle! As the proud new “papa” of a decked-out Harley Davidson Electra Glide Ultra, I’m looking forward to getting out on the open road this summer (if it ever arrives in Minnesota!) and enjoying an experience that I have always envied. Sure, I know I’m seven times more likely to be injured on two-wheeled transportation, but gosh-darned it’s fun!
Risk doesn’t have to mean recklessness. Most risks can be influenced by the amount of precautions that are taken. From bungee jumping to skydiving to spelunking, steps can be taken to limit the chances that the risk will be realized. It might mean safety lines, spare chutes, or a simple seatbelt, but there are usually things that people can do if they want to live to see another day. Although Minnesota state law doesn’t require the use of a helmet, I plan to wear one as others have learned the importance of this protection the hard way—and I’m all for learning from other’s mistakes.
Risk in the world of security is very similar. Risks are present due to hackers, wayward or careless employees, bad configuration settings, and even failing hardware. Many security risks can be reduced with the same precautionary mindset as personal risk. Installing backup systems, performing nightly saves, and activating auditing are common steps. When inexperienced we tend to set out with the goal of eliminating every risk no matter how trivial. But organizations without unlimited budgets learn quickly that there is a correlation between risk and cost: cost to mitigate and costs that will be incurred if the risk is realized.
When starting a security project, experts recommend performing a risk evaluation. Risks should be rated from high (likely to be exploited) to low (unlikely) and costs ascertained for mitigation (reduction or prevention) and damage control (reaction). A matrix can then be developed to allow high-risk/low-cost items to be resolved first. At some point, vulnerabilities might be acknowledged and accepted based on the high cost to mitigate versus the small risk they present.
Regulatory and legislative compliance might be a pain to those who have to comply, but in reality these are the safety guidelines that govern potentially risky business activities. As with most rules, these governances come after someone has already had a mishap. New rules are developed to prevent someone from making the same mistake again.
Powertech has experience helping customers assess risk and allocate limited budgets to get the most “bang for the buck.” This might entail simple tweaks of IBM i’s own integrated controls, or the implementation of a commercial security solution.
If you would like to know more about IBM i security and risk analysis and reduction, send an email to [email protected].
As I write this, news is breaking of the explosions at the Boston Marathon. On behalf of Powertech and HelpSystems, I want to send our prayers to the victims and their families.