
Independent internal security in Central Europe

Controlling risk

In a recent article published online at the JFK School of Government at Harvard, Malcolm Sparrow discussed how controlling risk is a central challenge for government regulators charged with reducing societal ills and preventing bad things from happening. Professor Sparrow notes that there does not seem to be a well-established language for risk assessment.

We think it is interesting to analyze the causes of this situation.

1. We believe that US and EU government regulators are responsible for the focus on the compliance process rather than on cost-effective risk mitigation (which does have a common language: dollars and euros). It is ironic that regulation primarily created for consumer protection has turned into an onerous corporate audit activity, far removed from the original charter of protecting customers.

Regulators generally provide a checklist of things companies must do and, in the case of Sarbanes-Oxley, a general statement of financial reporting guidelines (section 404 of SOX). When government uses a regulatory stick on business organizations, we are essentially telling them that research into the root cause of risk is a non-value-added activity. Ours is not to reason why…

2. However, an excellent methodology for understanding the root cause of risk already exists, and it is complementary to the compliance process. The methodology is called threat modeling. Threat modeling is a mature methodology with implementations from Microsoft and from groups like PTA (Practical Threat Analysis) Technologies.

In threat modeling exercises, analysts and business decision makers use a model of assets, the vulnerabilities of those assets, threats (which attack by exploiting vulnerabilities) and countermeasures (which mitigate threats). Threat modeling provides a common language that anyone working in an organization can understand.
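To make that model concrete, here is a small worked example in Python. It is an added illustration written for this post, not code from PTA Professional, Microsoft's tooling or any real assessment. The four entity types (assets, vulnerabilities, threats, countermeasures) follow the paragraph above; the asset values, probabilities, damage fractions and countermeasure costs are constructed sample data, and the risk arithmetic (expected annual loss per threat, mitigations combining multiplicatively, a greedy pick of countermeasures by risk reduction per dollar) is an assumption chosen to show how the model yields the common language of dollars that compliance checklists lack.

```python
from dataclasses import dataclass


# Constructed sample model: every number below is an assumption for
# illustration, not data from PTA or from a real risk assessment.

@dataclass
class Asset:
    name: str
    value: float            # financial value of the asset (dollars)


@dataclass
class Vulnerability:
    name: str
    asset: str              # name of the asset that carries the weakness


@dataclass
class Threat:
    name: str
    exploits: list          # names of the vulnerabilities the threat exploits
    probability: float      # estimated annual likelihood of the threat occurring
    damage: float           # fraction of each reached asset's value that is lost


@dataclass
class Countermeasure:
    name: str
    cost: float             # one-off cost to implement (dollars)
    mitigates: dict         # threat name -> fraction of that threat's risk removed


@dataclass
class ThreatModel:
    assets: dict
    vulnerabilities: dict
    threats: dict
    countermeasures: dict

    def threat_risk(self, threat: Threat) -> float:
        """Expected annual loss from one threat: probability times the damage to
        every asset reachable through the vulnerabilities it exploits. An asset
        is counted once even if several of its vulnerabilities are used."""
        reached = {self.vulnerabilities[v].asset for v in threat.exploits}
        return threat.probability * sum(self.assets[a].value * threat.damage for a in reached)

    def residual_risk(self, applied=()) -> dict:
        """Risk per threat after the named countermeasures are applied.
        Assumption: independent mitigations combine multiplicatively."""
        out = {}
        for name, threat in self.threats.items():
            risk = self.threat_risk(threat)
            for cm in applied:
                risk *= 1.0 - self.countermeasures[cm].mitigates.get(name, 0.0)
            out[name] = risk
        return out

    def total_risk(self, applied=()) -> float:
        return sum(self.residual_risk(applied).values())

    def plan(self, budget: float) -> list:
        """Greedy selection: keep adding the countermeasure with the best risk
        reduction per dollar while it pays for itself (reduction exceeds cost)
        and fits in the remaining budget. Returns the chosen names in order."""
        chosen, remaining = [], budget
        while True:
            current = self.total_risk(chosen)
            best, best_ratio = None, 0.0
            for name, cm in self.countermeasures.items():
                if name in chosen or cm.cost > remaining:
                    continue
                reduction = current - self.total_risk(chosen + [name])
                if reduction <= cm.cost:        # does not pay for itself
                    continue
                if reduction / cm.cost > best_ratio:
                    best, best_ratio = name, reduction / cm.cost
            if best is None:
                return chosen
            chosen.append(best)
            remaining -= self.countermeasures[best].cost


def build_sample_model() -> ThreatModel:
    """Constructed example: a web application in front of a customer database."""
    assets = [Asset("customer records", 1_000_000), Asset("public web server", 200_000)]
    vulns = [Vulnerability("unvalidated input in web app", "customer records"),
             Vulnerability("data stored unencrypted", "customer records"),
             Vulnerability("web server unpatched", "public web server")]
    threats = [Threat("SQL injection data theft",
                      ["unvalidated input in web app", "data stored unencrypted"], 0.2, 0.6),
               Threat("web server defacement", ["web server unpatched"], 0.5, 0.2),
               Threat("stolen backup media", ["data stored unencrypted"], 0.1, 1.0)]
    cms = [Countermeasure("parameterized queries", 15_000, {"SQL injection data theft": 0.9}),
           Countermeasure("encrypt data at rest", 40_000,
                          {"SQL injection data theft": 0.5, "stolen backup media": 0.95}),
           Countermeasure("patch management", 10_000, {"web server defacement": 0.8}),
           Countermeasure("WAF appliance", 150_000,
                          {"SQL injection data theft": 0.6, "web server defacement": 0.5})]
    return ThreatModel({a.name: a for a in assets}, {v.name: v for v in vulns},
                       {t.name: t for t in threats}, {c.name: c for c in cms})


if __name__ == "__main__":
    model = build_sample_model()
    print(f"annual risk before countermeasures: ${model.total_risk():,.0f}")
    chosen = model.plan(budget=100_000)
    print("recommended countermeasures:", chosen)
    print(f"residual annual risk: ${model.total_risk(chosen):,.0f}")
```

Running the script prices the unmitigated exposure at $240,000 a year, recommends the three countermeasures that pay for themselves within the $100,000 budget (parameterized queries, encryption at rest, patch management, $65,000 in total) and leaves $15,000 of residual risk; the expensive WAF appliance is rejected because its risk reduction never covers its cost. That ordering by reduction per dollar, rather than by checklist position, is the decision a business owner can argue about in the same currency as the rest of the budget.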

You can download the free risk assessment tool PTA Professional; we would be happy to hear whether you also think that threat modeling is a useful tool for risk assessment. Please feel free to contact us at any time by phone or email.
