Brakes Teach Risk Analysis

Key Points

  • Brakes aren’t just for stopping; they enable high‑speed performance by providing a way to manage risk, just as risk controls let us take calculated risks safely.
  • Effective risk analysis—identifying threats, gauging likelihood, and estimating impact—should be the first step in any system design, informing policy, architecture, implementation, and operation.
  • Most organizations skip or postpone risk analysis, leading to ad‑hoc implementations that must later be re‑architected and audited, creating inefficiencies and potential failures.
  • Our intuition often misjudges actual danger (e.g., fearing shark attacks over the far more common cow‑related deaths), highlighting the need for data‑driven risk assessments rather than gut feelings.
  • A disciplined risk‑first approach ensures policies are grounded in realistic threat evaluations, which in turn produces robust, purpose‑aligned architectures and smoother operational outcomes.

Full Transcript

**Source:** [https://www.youtube.com/watch?v=_c2L4z-v06g](https://www.youtube.com/watch?v=_c2L4z-v06g)
**Duration:** 00:11:12

## Sections

- [00:00:00](https://www.youtube.com/watch?v=_c2L4z-v06g&t=0s) **Untitled Section**
- [00:03:03](https://www.youtube.com/watch?v=_c2L4z-v06g&t=183s) **Self‑Knowledge Shapes Risk Tolerance** - The speaker argues that effective risk analysis begins with understanding one’s own risk appetite, illustrating this with analogies ranging from train‑averse travelers to parachuting thrill‑seekers, and notes that organizations mirror individual risk preferences.
- [00:06:08](https://www.youtube.com/watch?v=_c2L4z-v06g&t=368s) **Assessing and Responding to Risk** - The speaker explains how organizations gauge risk by considering tolerance levels, asset value, likelihood, and mitigation costs, and outlines response options like avoidance or acceptance.
- [00:09:11](https://www.youtube.com/watch?v=_c2L4z-v06g&t=551s) **Balancing Quantitative Error and Qualitative Risk** - The speaker cautions against over‑reliance on precise numerical estimates that compound errors, promotes using high/medium/low qualitative risk assessments, and illustrates the principle with a meteor‑proof car example showing how cost influences the decision to mitigate a low‑probability risk.

## Full Transcript

0:00 Why do you put brakes on a car?
0:02 So you can stop, right?
0:03 No. It's so you can go really fast, and if you don't believe me, how likely are you to get in a car that has no brakes?
0:11 Not at all, right?
0:13 And if you think about it this way,
0:15 the fastest cars in the world are the ones with the best brakes.
0:18 They have to have that so that they can take risks,
0:20 so that they can manage risk.
0:22 We all have to take risks.
0:24 And brakes are essentially a mechanism for managing risk.
0:28 Ok. I want to take a look in this video at what risk analysis is about,
0:33 and how it relates to cybersecurity,
0:35 and in particular, stay through to the end because I've got two more trick questions for you.
0:40 So, pay attention.
0:41 Risk analysis is the process of identifying potential threats,
0:45 evaluating how likely they are to happen,
0:47 and estimating their impact,
0:49 so you can make informed decisions and reduce negative outcomes.
0:52 When should you do it?
0:54 Well, unfortunately, most people do it last, or they don't do it at all.
0:58 They start with implementation,
1:00 and then from there
1:02 they move into operation.
1:04 So that sounds fine if all you need to do is just run a system,
1:08 but in reality, you need to also take a look back and see if your system is doing what you intended it to do.
1:14 So that's an audit step,
1:15 where we then do a look back.
1:18 What you will find during that step though, is probably since you started with no plan,
1:22 you don't really have a very operational system.
1:26 So in fact, what we need to do
1:28 is go back and re-architect
1:30 this system.
1:30 Come back with a larger overarching plan
1:33 that makes the thing make sense.
1:35 Then we move to implementation and operation.
1:40 What should architecture be based on?
1:43 Well, it should be based on policy.
1:45 And what should policy be based on?
1:48 Now we're back to risk analysis.
1:50 Risk analysis is where all of this discussion should begin.
1:54 It shouldn't be the last thing we do.
1:56 In a lot of cases, people don't do it
1:58 when they should.
1:59 So start with risk analysis,
2:02 and that should inform
2:03 our policy, which should inform our architecture, and therefore all the rest of the system.
2:10 If that's what we need to do,
2:11 then the question is, how good are we at doing this kind of risk analysis?
2:15 Intuitively, if we just go with our gut, where are our instincts leading us?
2:20 Let's take a look at that.
2:21 What do you think kills more people in the U.S. each year?
2:25 Cows or sharks?
2:27 Well, would you be surprised to know
2:30 that roughly 20 people are killed each year by cow-related causes?
2:35 Mostly trampolines and things like that.
2:37 So if it's 20 for cows,
2:39 how many do you think it would be for sharks?
2:42 Would you be surprised to hear,
2:44 on average,
2:44 it's one person each year?
2:47 So which one of these are we far more afraid of?
2:50 Probably sharks.
2:52 If you go by the numbers,
2:54 it ought to be cows.
2:55 If you go by the numbers, it shouldn't be shark week.
2:58 We should be focusing on cow week,
3:00 and now you'll never look at cows the same way again, will you?
3:04 Ok. So how should we go about doing a risk analysis?
3:07 Let's start with some classic advice,
3:09 all the way back from 500 BCE when Sun Tzu wrote in The Art of War,
3:14 if you know the enemy and know yourself,
3:16 you need not fear the result of a hundred battles.
3:19 Let's focus on that second part,
3:21 the know yourself part.
3:23 If you know yourself,
3:24 then you have a better idea.
3:26 And that's also true when it comes to risk tolerance,
3:29 or risk appetite if you want to think of it in those terms.
3:32 So let me give you an example of that.
3:34 Some people will not get in an airplane.
3:37 They will only take a train.
3:39 So if they want to go from the east coast to the west coast,
3:42 then they may be looking at four or five days in the train and then four or five days back.
3:46 That's really slow.
3:47 That wouldn't work for me.
3:49 But that's their risk tolerance.
3:50 Very low.
3:51 In my case...
3:52 I've flown more than 4 million miles.
3:54 So I don't mind getting in an airplane.
3:57 What I do mind is getting out of the plane before it's on the ground.
4:00 And my neighbor has a different risk tolerance.
4:03 He likes to get out of airplanes while they're still in the air.
4:06 With a parachute, of course.
4:08 I don't want to do that.
4:09 So there you have three different risk tolerance models.
4:12 There's the train, a plane, and the parachute.
4:15 Now who's right?
4:17 It depends on who you ask.
4:18 Obviously each one of us thinks that we're the ones that are right,
4:20 but those are different tolerances for danger,
4:24 and different tolerances for risk.
4:26 Organizations are no different than individuals.
4:29 They can have different tolerance for risk,
4:31 and if you don't understand that...
4:33 you're not gonna know what level of risk your organization is willing to take on,
4:37 and you're not going to design the appropriate cyber security defenses for that organization.
4:43 So can't we just use some sort of industry solution that fits whatever industry that you're working in?
4:50 Well, it turns out that one size really doesn't fit all,
4:53 but there can be some common perspectives.
4:56 For instance,
4:57 a manufacturing organization,
4:59 if you think about the CIA triad, confidentiality, integrity, and availability, which is what we're doing in cybersecurity,
5:05 they're probably going to be leaning into the availability side more
5:09 when they look at risk.
5:10 They're concerned about availability.
5:12 They want to keep the manufacturing lines moving and operational.
5:17 That's their bigger risk.
5:18 On financial industry, probably it's much more about confidentiality.
5:23 They've got a lot of numbers that really matter to them,
5:26 and matter to you.
5:27 And they're going to look at very precise risk models.
5:30 They're going to use lots of numbers and spreadsheets and actuarial tables and things like that in order to make sure
5:36 that they've got the risk managed to a point that they can tolerate,
5:40 and they tend to be very risk intolerant as an organization and as an industry.
5:46 And then another industry that you could take a look at is healthcare,
5:50 where their number one concern, and I'm glad it is, is patient safety, so they're going to be concerned about confidentiality.
5:57 There are laws that protect your personal information.
6:01 They're probably more concerned, predominantly concerned with your safety if you're a patient.
6:06 So they're looking at different kinds of things.
6:08 And they're gonna be very risk averse on certain aspects that involve patient safety.
6:13 Maybe not as risk averse
6:14 in some other areas.
6:16 So you can see
6:17 there's different perspectives by industry,
6:19 but I can tell you, you can line up three banks and they may have different tolerances for risk.
6:24 One is a train, one's a plane, and one's parachute.
6:28 Next, let's take a look at the value of what we're putting at risk,
6:31 because not everything is of equal value.
6:34 Think about this as a spectrum.
6:36 We've got things like the lunchroom menu.
6:38 Doesn't matter if anybody really sees that or not, does it?
6:41 And then we've got other stuff that's the keys to the kingdom.
6:44 That's the existential threat.
6:45 If somebody gets a hold of that, we're out of business.
6:48 I've got to consider the value,
6:50 because not all things are created equal.
6:52 Then we consider what's the likelihood it's going to be lost or compromised?
6:58 Then what's the cost if that in fact occurs?
7:03 What's the cost of protection if I'm gonna try to do some sort of mitigation?
7:08 In fact, there is a lot of different things that I could figure into this and a lot of different responses.
7:13 What could our responses be to risk?
7:16 Well, one of the things that we could do,
7:18 first off, is we could just avoid a particular risk.
7:22 Just say, you know what, that's too risky.
7:24 I'm not gonna do it.
7:25 I'm gonna get into that parachute.
7:27 I'm going to put myself in that position to begin with.
7:30 Another thing you could do is accept a certain risk.
7:33 That's what I do when I get into an airplane.
7:35 I accept that I can't control that,
7:37 but I'm willing to accept it.
7:38 And an organization can simply choose to do that and realize that everything we do has a certain amount of inherent risk in it.
7:46 Another option is transfer risk.
7:48 An organization may document, and they may even get a legal contract that says,
7:52 if something breaks in this case, if this happens,
7:55 it's not our fault,
7:56 and it belongs, the risk and everything is borne by someone else.
8:01 Another thing we can do is indemnify,
8:03 which is a big fancy word that basically just means buy insurance.
8:07 So that way, if something does occur then the insurance company pays us back,
8:11 and we're made whole again.
8:13 So that's another thing.
8:14 Now, the thing that...
8:15 techies like me generally run to first off
8:20 is maybe the last thing to consider, and that's mitigating the risk.
8:23 Block the risk.
8:25 Put in some sort of compensating controls some way so that we don't have to just accept or mitigate or accept or indemnify or things like that.
8:34 In this case we're going to put in some kind of technological control or some type of procedural control
8:41 that makes sure that we're not going to see this happen to us,
8:44 or at least lessens the likelihood to a level that I can tolerate.
8:48 Another thing to consider in all of this is this debate about quantitative versus qualitative risk assessment.
8:55 A quantitative risk assessment would take a lot of this kind of information,
8:59 use those numbers, put them into spreadsheets and let those things guide all of our decisions.
9:03 It's not a bad way to go, but don't be a slave to your spreadsheet.
9:08 Don't let the spreadsheet make the decisions.
9:10 You should make the decisions.
9:12 So another way to look at this is instead of
9:15 going with all of these numbers, which have a certain amount of error included in all of them, and sometimes we get lulled into a sense of complacency
9:22 because we have all these numbers and we think well we've got all this level of precision,
9:27 but if each one of those numbers was based on an estimate
9:30 then we're just compounding the error as we add all of those things together.
9:34 So sometimes we do need to use our gut and our instinct on this to some extent,
9:39 and a qualitative risk assessment
9:41 involves things like assigning high, medium, and low levels of risk with things.
9:45 So we put all of these things into the soup
9:48 and out of that comes our risk analysis.
9:51 Now we understand
9:52 what it is we need to do.
9:54 Okay. Now for the third and final trick question.
9:58 What if I could sell you a capability that would meteor proof your car?
10:03 Let's assume I'm honest and let's assume this actually works.
10:06 That if you buy this from me,
10:08 your car will never be hit by a meteor.
10:10 Would you buy it?
10:12 Most people are going to say no,
10:14 and they say that because they think the likelihood of that is extremely low,
10:18 and they'd be right,
10:20 but I'm gonna tell you a better answer instead of just saying no,
10:23 would be to ask me a second question,
10:25 and that is:
10:27 How much does it cost?
10:28 Because you assume that it might be expensive and it's not worth that level of risk,
10:33 but what if I told you the cost was just a penny?
10:35 Well, I think you probably would be smart to buy that defense.
10:39 Because it's a low risk, but it's low cost.
10:41 So it might work out for you.
10:44 If I was at the car dealership,
10:46 I might lay down a dollar and say,
10:48 give it to me and the next 99 people that come by as well,
10:50 because I'm a big spender.
10:52 So there you go.
10:54 That's a discussion of risk analysis,
10:57 and you see that cost matters when it comes to these things.
11:00 This is not done in the abstract,
11:02 in the end, it's all about understanding risk and picking the appropriate response to it.
11:07 The result, if you do it right...
11:09 Better defenses,
11:10 and a tougher time for the bad guys.