Risk Management: Objectivist and Subjectivist Approaches

I’m still trying to wrap my head around risk management in the context of information security. On the one hand, I recognize the importance of basing decisions on solid historical data, such as the approach advocated by The New School of Information Security. On the other hand, I recognize that people often disregard data even when they have it, acting upon on factors such as emotions, politics and laziness. Will we have ever have the discipline to make truly objective, evidence-based decisions?

The recent article How to Manage Risk (After Risk Management Has Failed) by Adam Borison and Gregory Hamm outlined how objective and subjective approaches to risk management might co-exist. The authors believe that “assessing risk by formally integrating both data and judgement leads to more useful results.”

The article uses the term objectivist when referring to the perspective that “risk is an objective property of the physical world and that associated with each type and level of risk is a true probability.” Objectivists rely purely on historical data to predict events.

The article uses the term subjectivist to describe an approach that considers “risk to be in part a judgement of the observer, or a property of the observation process, and not solely a function of the physical world.” This perspective complements historical data by other information.

The following example contrasts objectivist and subjectivist views:

Suppose a magician pulls what appears to be a normal coin out of her pocket, allows you to flip it 10 times, and it comes up heads five of those times. She then proposes a wager based on your flipping the coin one more time and getting heads. What probability do you assign to that outcome? A frequentist presumably relies on the “historical” data from this coin (as well as from any other normal coin) and assigns a probability of 0.5. A Bayesian takes not only the data into account but also his judgment about the cleverness, trustworthiness and financial situation of the magician. He may thus assign a probability very different from 0.5 — perhaps as high as 1.0. Another observer might assign an altogether different probability, based on other judgments.

The article’s authors point out that an objectivist approach to risk management that is relies too much on historical data, and doesn’t perform well when such data is limited. They also emphasize that the objectivist view produces a false sense of security “because it encourages practitioners to believe that their actions reflect scientific truth.”

I like the idea of accounting for the person’s experience and the situation’s context as one of the factors when assessing risk. However, I am unclear about the process that we can use to determine the weight that should be assigned to these factors in comparison to historical data. What do you think — is there room for subjective views in a formal risk management model?

Lenny Zeltser


About the Author

Lenny Zeltser develops products and programs that use security to achieve business results. He is the CISO at Axonius and Faculty Fellow at SANS Institute. Lenny has been leading efforts to establish resilient security practices and solve hard security problems for over two decades. A respected author and practitioner, he has been advancing tradecraft and contributing to the community. His insights build upon real-world experience, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.

Learn more