Risk Analysis (And Essays) Shouldn’t End in “Um”
Yesterdays atomic essay ended with the line “…um…”
That line probably broke a number of English grammar “rules” and left things on a bit of a cliffhanger.
Neither is a good thing for a risk analysis.
Why didn’t I draw a conclusion or provide the read with a tip to help the read figure out how likely an app is to have security problems?
Because it’s simply not possible.
And that’s a big problem.
A Best Guess Is Still A Guess
For years we saw security claims like “military-grade encryption” or “security seal” from a recognizable name in the security space.
Those claims don’t really mean anything. There are some claims—certifications—that can provide insights into a company’s security if you understand what they are
But you’ll need a deep understanding of the cybersecurity space to grasp their importance.
Verified compliance with frameworks like ISO27001, HITRUST, PCI-DSS, and others set a bar for security and require third party validation that a company meets that bar.
But if you’re not a cybersecurity practitioner, who’s heard of those?
Certainly not the everyday user.
Is There A Way Forward?
If there isn’t a simple way to determine the likelihood of a security incident happening, how can you make an informed risk decision?
You can make a reasonable determination about the data you’re trusting a company with, after all you’ve provided most of it.
To complete the second half of the function, you could assume 100% chance of your data being exposed and then act accordingly.
For sensitive data, this is a reasonable way forward. For data that’s not sensitive, it’s not a crazy approach either.
The problem is that we should have better information. In this case, better guarantees that companies are required to take cybersecurity seriously.
That would start to provide us with the data we need to determine the probability of an issue instead of just guessing.