The art and science of risk management



Computer, network and information security seems to qualify comfortably as a science, but science alone is not enough. Tripwire, a developer of security systems, recently conducted a poll in conjunction with the Ponemon Institute to learn whether IT professionals manage risk as "science" or as "art." Ponemon interviewed 1,320 respondents across the United States and the United Kingdom: IT professionals working in information security, risk management, IT operations, business operations and compliance. Participants were asked, "In your opinion, is the management of information security risks an 'art' or a 'science'?"


Ponemon defined the two concepts for the purposes of the survey. "Science" refers to decisions based on objective, quantifiable indicators and data. "Art" refers to analysis and decisions based on intuition, experience and a holistic view of the organization. Two-thirds of those working in IT and enterprise risk management or in business-side operations chose "art," while almost two-thirds of respondents who work in IT security and IT operations chose "science."


Tripwire CTO Dwayne Melancon weighed in with some thoughts on the results. He observed that those who work in business operations and risk management generally do not believe a definitive answer is needed to make a decision, so they favor art. Those who work in IT operations and security, on the other hand, look at risk management as a math problem with a concrete answer, so they see it as science.


Melancon said that this gap between art and science is the crux of the problem when it comes to effective risk management. "People with these points of view are saying the same thing, but they use very different language, which can make it difficult to arrive at a mutually agreed point of view."


The simple reality is that risk management is both art and science. Computers are precise tools that work exclusively on zeros and ones. How computers work, how they can be attacked, and how to manage risk and protect them are all matters with a scientific basis. But there is also the human factor, on the side of both the attackers and the victims, and this adds an element of unpredictability, mixing intuition and art with the science.


Attackers are adept at using the human factor to bypass security controls. Effective risk management depends on having the right tools in place (the science) and on keeping the overall picture in mind and recognizing that the user is usually the weakest link in the security chain (the art).
