Risk management


Risk management is concerned with assessing the losses that might ensue from attacks on assets in the system and balancing those losses against the cost of the security procedures that may reduce them. The comparison is between the expected loss (the likelihood of an attack weighted by the damage it would cause) and the cost of the controls that reduce that likelihood or that damage. It may be cheaper to accept a loss than to protect against the attacks that might cause it.

Credit card companies do this all the time. It is relatively easy to introduce new technology to reduce credit card fraud, but the cost of doing so has often been greater than the cost of simply covering the losses of credit card users. As the cost of the technology drops and the level of fraud rises, this balance may change. For example, credit card companies in many countries now encode information on an on-card chip instead of a magnetic stripe, which makes card copying much more difficult. They use a PIN rather than a signature for card validation, making it harder for stolen cards to be used.

Risk management is a business issue rather than a technical issue, so software engineers should not be the ones to decide whether it is cost-effective to include particular controls in a system. It is up to senior management to decide whether to accept the cost of security or to accept the exposure that results from the lack of security procedures. However, software engineers should provide informed technical guidance and judgements on security issues: the likelihood of an attack, the damage it could cause and the cost of the controls that would mitigate it. They are, therefore, essential participants in the risk management process.


(c) Ian Sommerville 2008