Lead Image © Helder Almeida, 123RF.com

Lead Image © Helder Almeida, 123RF.com

What's the Risk?

Welcome

Article from ADMIN 46/2018
By
As system administrators, we are continually challenged with balancing risk vs. benefit. In everything we do, touch, or alter, there is risk.

As system administrators, we are continually challenged with balancing risk vs. benefit. In everything we do, touch, or alter, there is risk. Even something as benign as creating a new user account can have far-reaching potential risks and consequences. We must worry about external threats, insider threats, hardware failure, user error, software anomalies, patching, physical security, and our own fat-fingering. Every action we take can result in a very negative reaction. Managing risk is but one of our many jobs. Mitigating risk is our goal. To that end, I have devised a short list of five risk types for my fellow sys admin travelers.

  1. Known
  2. Acceptable
  3. Avoidable
  4. Unacceptable
  5. Unpredictable

Known risks are those that always hang over our heads. These are not risks that we have caused or that someone else caused; they are just risks that exist, and we know about them. For example, creating a user account has known risks. When you create a user account, that user might become an insider threat or elevate their privileges on your system. This is a known risk of creating any user account. Perhaps the user account that presents the greatest risk is that of a service account – especially those with (gasp) elevated privileges. We know this is a big risk, but we sometimes must accept certain risks to get a job done, which leads me to the next risk type.

Acceptable risks are those we know about but must accept as unavoidable. They are a level of risk that we must accept to productively get through the day. There is a risk in connecting your business or home to the Internet. We know that hackers are out there. We know that they want our money, our reputations, our available credit, or some other valuable information, but we also must work in these Internet-connected times. We stay connected 24/7/365, and the threats remain 24/7/365. We can protect ourselves, but there is always going to be some level of acceptable risk that we must take. It is almost impossible to operate and maintain a business without Internet connectivity.

Avoidable risks associated with using non-secure protocols such as Telnet, FTP, and rsync can be avoided by using the secured equivalent protocols. Avoidable risk reminds me of an old comedy gag made popular by Henny Youngman, where a patient says to the doctor, "Doctor, it hurts when I do this." The doctor says, "Then don't do that." If you know of a risk and can avoid it, avoid it. Simple, yet still elusive for some reason.

Unacceptable risks are those that are known, are possibly avoidable, but whose extent is so great that performing the actions would have dire consequences. Unacceptable risks that cannot be mitigated in an IT environment are rare. These days with redundancy, virtualization, ITIL procedures, and better hardware, such as SSDs, the term "unacceptable risk" is almost eradicated from our vocabulary. You would be hard-pressed these days to point to an action that has so much potential for risk that it could not be performed under any circumstances. In other words, unacceptable risk refers to an action whose risk is so great that it cannot be mitigated to an acceptable level.

Finally, unpredictable risks present themselves unexpectedly and without regard to our extensive planning and risk assessment efforts. Unpredictable risks, once a failure has occurred, will almost certainly start a conversation that begins with the question, "How could this have been avoided?" The unacceptable, but fully accurate, answer is, "It couldn't." We cannot predict a system backplane failure or a BIOS update that "bricks" a system – especially if that same BIOS update has worked on 30 other systems. The risk is in performing the action at all, but we cannot accurately predict every failure. If we could, we would not be system administrators; we would have our own TV show called System Whisperer, Hardware Psychic, or I See Dead Systems.

As system administrators, our job is to assess, to mitigate, and to avoid risk while keeping management and users happy simultaneously. The next time someone asks "What is the risk of performing X action?" you can show how you have assessed the five types of risk for each action and be an "Action Hero." (Don't groan. You'll use that in your next meeting.)

Ken Hess * ADMIN Senior Editor

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus