Read the book You CAN Stop Stupid - Ira Winkler - Page 44

The Risk Equation


To address UIL, you need to understand where it comes from. You also need to know where and how to mitigate the loss, and even whether you want to do so in the first place. That might sound counterintuitive. Clearly, you want to mitigate loss as effectively as possible, but only when it makes sense to do so. Sometimes mitigating a particular loss is more expensive than actually letting it happen.

To make these determinations, you need to understand how to approach them rationally. Unfortunately, there are many ways people react irrationally when it comes to loss. It is easy to get overwhelmed by anxiety and uncertainty when thinking about loss. It is also easy to be lulled into a false sense of security and ignore loss altogether, because a major loss seems so unlikely, while a minor loss seems unnecessary to worry about.

A similar problem is when organizations resign themselves to loss as a seemingly inevitable cost of doing business. This fallacy is where the sentiment of the user as the weakest link comes from. There is always something that can be done, but organizations, or more specifically, the people within the organization responsible for addressing the problem, don't know where to start or perceive it as useless to try.

To approach risk more rationally, it helps to think of it in terms of value, threats, vulnerabilities, and countermeasures and how they relate to each other. Figure 4.1 represents these concepts as a high-level equation.


Figure 4.1 The risk equation

Looking at Figure 4.1, value is what is at stake. Threats are entities that will do you harm if given the opportunity. Vulnerability is a weakness that can result in harm if exploited. Countermeasures are efforts to mitigate a potential loss.

With specific regard to UIL, we want to differentiate between a threat and a vulnerability. For the purposes of dealing with UIL, you need to understand that a user is actually also a threat. As a threat, users cannot actually initiate loss unless there are vulnerabilities that allow them to do so. And even then, the threat can't successfully exploit those vulnerabilities unless there are insufficient countermeasures to prevent them from doing so.

In other words, yes, a user may have a moment of carelessness or malicious intent. However, the resulting action cannot result in loss unless there is both an environment that allows that user's action to initiate loss and insufficient countermeasures to mitigate that loss. When you understand and embrace the concept of risk from this perspective, you can begin to see that UIL is clearly an addressable problem.

In the sections that follow, we will examine each of the elements of the risk equation, beginning with value.

NOTE The risk equation discussed in this chapter is a high-level representation to help deal with risk on a conceptual level. It isn't a mathematical formula intended to be directly used with quantifiable figures. Although some disciplines, such as actuarial science, attempt to quantify risk for business purposes, that isn't our focus. We do, however, discuss practical metrics throughout the book, particularly in Chapter 10.

