"We are at an interesting juncture today; there are no threats to information technology for which we do not have the tools to combat them" Reliable Security, Steven J Ross. Information Systems Control Journal, Volume 5, 2008, pp 9-10.
Whether or not the author truly believes this statement, it is a definite attention-getter. Another phrase in the article reads "[...]it appears that we know what to do to achieve information security, but we are not doing it".
My first thought after reading these statements was that the author has no idea what he is talking about, or that he is trying to start a flame war. However, given that the author holds a director position at Deloitte, his thoughts may deserve more consideration.
After giving it some thought, I realized what the flaw in this logic is.
I actually agree with the point-of-view that most (if not all) technology-borne threats can be mitigated or removed.
However, what must never be forgotten is that preventive controls come at a price. And while it may be true that every technology-based vulnerability can be mitigated (for example, by ceasing to use the technology altogether), the cost of doing so may simply exceed the risk being mitigated.
Most of the time, I am a firm opponent of the traditional quantified risk-based approach of calculating the annualized loss expectancy of a vulnerability and offsetting that cost against the annualized cost of
While this is indeed the way to approach information security management from a theoretical business-driven perspective, the reality of the matter is that we do not currently have the body of knowledge required to assess asset values, exposure factors, probabilities of manifestation, etc.
knowledge in the information risk management discipline is much too under-developed to adopt this method of creating an objective and rational approach to investment decisions.
using common sense and maybe performing some qualitative guesstimating every now and then will argue in favor of my opinion: it may be possible to mitigate any technology-borne risk, but the cost of doing so will usually be prohibitive. It is unfortunate that Ross neglected to emphasize this in the article.