Risk acceptance – does it really matter?

December 8th, 2009 | by wadew |

We’ve all heard the term “risk acceptance” when it comes to vulnerabilities and security issues in general. Typically, a risk is accepted instead of the issue actually being fixed because of technical limitations, lack of funding, or just plain laziness. To keep the company’s or agency’s compliance paperwork simple, the risk is accepted by a high-level executive in the company or a government official who is, in effect, saying:

“I understand the risk, potential exposure, and impact of this security issue. With my signature, I indicate that I am making the decision to take responsibility for any adverse impact directly relating to the exploitation of the security issue.”

Obviously, this does nothing to improve the security posture of the system or application in question. But the real question I’m left with is: what happens to that executive or government official when the system DOES get hacked through a vulnerability whose risk was “accepted”? Do they get fired? Demoted? Ordered to pay restitution for the losses?

Sadly, usually nothing happens. The individual continues to collect a paycheck, manage employees, and accept risk for the security vulnerabilities that affect the systems under their purview.

I ask you, where has accountability gone?


  • Ben
    I was in a meeting a couple days ago when the "person in charge" uttered that "ok, we'll just accept that risk" phrase... I immediately thought of your post here since no real assessment had been done to fully quantify the "risk"... :)
  • I assumed that the risk accepted by the executive/official was as a result of a finding from an assessment. As in, "yes, we acknowledge that there's a security hole, but we're willing to accept the risk".
  • Gracie
    But what if you know the risk is Low and feel like you are giving a valuable response as a security officer when you recommend they accept the risk?
  • I wasn't really considering low risk vulnerabilities. Theoretically, if the vulnerability can lead to a serious hack, it wouldn't be through a low risk issue.
  • Gracie
    Oh, ok. :) Thanks Wade! :)
  • CG
    Nothing happens when they get owned if they are blatantly at fault, so why would something happen if they actually did a risk assessment...