source link: https://www.infoq.com/news/2023/08/better-security-key-risks/

A Ruthless Approach for Better Security by Identifying Key Risks and Ignoring Others

Aug 17, 2023 3 min read

Risk management techniques can be used to decide which security and privacy aspects actually matter. You can simplify the impact calculation by classifying each loss as low, medium, high or critical, and take per-year likelihoods from industry figures rather than estimating them from scratch. This helps you identify a few key risks, and ruthlessly ignore the rest.

Charles Weir gave a workshop on ruthless security at XP 2023.

Ruthless security is about taking ruthless decisions about which kinds of security and privacy actually matter, and which we should ignore, Weir explained. The way to evaluate risk is to break it down into manageable and understandable chunks. You identify different kinds of risk, and for each kind, you figure out the impact; it is usually easiest to estimate impact in terms of the money lost.

There will be a range of possible losses from any given risk, and it is impractical to try to work out exact numbers, Weir explained.

It is usually reasonably easy to work out, say, whether a loss is low, medium, or high, he said. What matters is that everybody agrees on what those low, medium, and high values mean.

For each kind of risk, you also figure out the likelihood: what is the chance of something happening in a given year? Weir mentioned that they identified a set of possible types of risk, and the order of magnitude likelihood of each happening in a typical company. They created risk cards, where each card identifies a type of risk in the form of a short story telling how the risk occurs, and gives a likelihood for that risk happening in a year.

You multiply the impact and likelihood to give an "expectation of loss" for each kind of risk, which you can think of as the amount of money you expect to lose annually due to that risk, Weir described.

When a team has constructed their list of risks, it becomes obvious which ones are worth worrying about, and which people can safely ignore, Weir argued. Both likelihoods and impacts are expressed as orders of magnitude, so multiplying them comes down to adding their exponents, exactly as with logarithms.

Usually, you will get only one or two key risks that have the highest order of magnitude expectation. Those are likely to be the only risks you need to worry about, and you can usually ruthlessly ignore the rest, Weir concluded.
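The procedure described above, worked through in code. This is an added example, not Weir's workshop material or the Hipster project's risk cards: the risk stories, their yearly likelihoods and the value used for a "critical" loss are constructed for illustration (the low, medium and high figures are the thresholds Weir gives in the interview below), and rounding a rough loss estimate to the nearest order of magnitude is one assumed way of applying those thresholds, not the only one. Impact and likelihood are multiplied by adding their base-10 exponents, and the key risks are whatever lands in the top order of magnitude of expected annual loss.

```python
import math
from dataclasses import dataclass
from typing import List

# Impact bands agreed by the team, each scored as an order-of-magnitude loss in
# euros. Low/medium/high use the thresholds quoted in the interview; the value
# for "critical" is an assumption made for this example.
IMPACT_BANDS = {
    "low": 1_000,
    "medium": 10_000,
    "high": 100_000,
    "critical": 1_000_000,
}


def band_for(estimated_loss: float) -> str:
    """Map a rough loss estimate to a band.

    Assumed rule: round the estimate to the nearest order of magnitude and take
    the lowest band whose value is at least that large; anything beyond the
    highest band is "critical".
    """
    magnitude = round(math.log10(max(estimated_loss, 1)))
    for band, value in IMPACT_BANDS.items():
        if magnitude <= round(math.log10(value)):
            return band
    return "critical"


@dataclass
class Risk:
    story: str          # the risk card: a short story of how the loss occurs
    impact: str         # band name from IMPACT_BANDS
    likelihood: float   # chance of it happening in a given year (> 0, order of magnitude)

    def magnitude(self) -> int:
        """Order of magnitude of the annual loss expectation.

        impact * likelihood == 10 ** (log10(impact) + log10(likelihood)), so the
        multiplication is done by adding exponents, as the workshop does.
        """
        return round(math.log10(IMPACT_BANDS[self.impact]) + math.log10(self.likelihood))

    def expectation(self) -> float:
        """Expected annual loss in euros, to one order of magnitude."""
        return 10.0 ** self.magnitude()


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Highest expected loss first; ties keep their original order."""
    return sorted(risks, key=Risk.magnitude, reverse=True)


def key_risks(risks: List[Risk]) -> List[Risk]:
    """The risks in the top order of magnitude; everything else is ignored."""
    ranked = rank_risks(risks)
    if not ranked:
        return []
    top = ranked[0].magnitude()
    return [r for r in ranked if r.magnitude() == top]


# A constructed risk register for a hypothetical project; the stories and the
# yearly likelihoods are invented for this example, not taken from real cards.
SAMPLE_REGISTER = [
    Risk("A staff member is phished and customer records are copied out", "high", 0.1),
    Risk("An unencrypted laptop is left on a train", "medium", 0.1),
    Risk("Cloud credentials are pushed to a public repository", "high", 0.01),
    Risk("Ransomware halts production for a week", "critical", 0.01),
    Risk("The marketing site is defaced", "low", 0.1),
]


if __name__ == "__main__":
    for risk in rank_risks(SAMPLE_REGISTER):
        print(f"10^{risk.magnitude()} EUR/year  {risk.impact:<8} x {risk.likelihood:<5}  {risk.story}")
    print("Key risks:", [r.story for r in key_risks(SAMPLE_REGISTER)])
```

With the constructed register, the phishing story (high impact, 1-in-10 per year) and the ransomware story (critical impact, 1-in-100 per year) both come out at 10^4 euros a year and are the only key risks; the lost laptop and leaked cloud credentials sit an order of magnitude lower and the defacement two below, which is what lets a team ignore them. Because every input is already an order of magnitude, a tie between two risks is common and both are kept rather than one being dropped by an accident of rounding.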

InfoQ interviewed Charles Weir about ruthless security.

InfoQ: How would you define risk-based security?

Charles Weir: The big problem is that developers are not being given the time to act on the security problems they found, and frequently not even the time to look for them. Developers can only get the time if it is in the interest of their stakeholders.

The best and most commercially convincing way to decide about security and privacy, or anything else, is to put numbers on the decision, preferably financial numbers. And the way risk-based security does that is to look at the different possible risks and see how big each one is numerically.

InfoQ: How do impact thresholds help to estimate potential losses?

Weir: The first step is for the team to agree what, in the context of the particular project being considered, would be considered low, medium, and high. The particularly important thing we have found is that these are usually orders of magnitude. Thus, the thresholds—the boundaries between them—will be in factors of 10 or so. If the lowest were €1000, the next might be €10,000 and the highest threshold €100,000.

InfoQ: How do risk cards work and what benefits can they bring?

Weir: To use risk cards, people consider each card in turn. They brainstorm their own ways in which that kind of risk may happen in their project, and assess the likelihoods based on those on the risk cards. And they also estimate the impact of each as low, medium, high or critical. And thus they can calculate a loss expectation for each kind of risk.

InfoQ: How do you integrate security and privacy practices into agile development?

Weir: This risk list is a document, a deliverable for the project and it is maintained in an agile way over the lifetime of the project. Typically, it might get revisited every few months, but the key risks will be assessed for each new story that developers tackle.

InfoQ: If people want to learn more about ruthless security, where can they go?

Weir: The Hipster project (Health IoT Privacy and Security Transferred to Engineering Requirements) explores how software development teams and product managers can work together to identify risks and privacy issues. It provides materials that you can download to run your own workshop.

About the Author

Ben Linders

Ben Linders is an Independent Consultant in Agile, Lean, Quality and Continuous Improvement, based in The Netherlands. Author of Getting Value out of Agile Retrospectives, Waardevolle Agile Retrospectives, What Drives Quality, The Agile Self-assessment Game, Problem? What Problem?, and Continuous Improvement. Creator of many Agile Coaching Tools, for example, the Agile Self-assessment Game.

As an adviser, coach and trainer he helps organizations by deploying effective software development and management practices. He focuses on continuous improvement, collaboration and communication, and professional development, to deliver business value to customers.

Ben is an active member of networks on Agile, Lean and Quality, and a frequent speaker and writer. He shares his experience in a bilingual blog (Dutch and English) and as an editor for Agile at InfoQ. Follow him on twitter: @BenLinders.
