Aspects of Information Risk
All documents are in PDF 1.4 format, compatible with Adobe Reader 5.0 and higher
Uncertainty about the parameters - and even the definition - of risk is prevalent among information security practitioners, and it cripples their capacity to manage information risk.
Submission to EURIM on the need to improve risk judgement quality when assessing the exposure of critical electronic infrastructure.
Factors that militate against consistent and robust risk assessment in the real world of information security.
The term ‘risk’ is more often misused than applied correctly. Even among risk practitioners, it seems poorly understood, despite being at heart a very simple concept.
Poor understanding of risk is widespread - not just in the domain of information security. Cultural mores can influence how it is perceived, to the extent of blind acceptance of critical hazards that result in catastrophe.
Analysis of the background to a public services risk decision that went very wrong.
Sufficient data, adequate granularity and assessment methods that make objective sense are all essential prerequisites if we wish our risk decisions to be trustworthy and usable in the real world.
The significant influence of cognitive biases and rules of thumb is seldom recognised as a disruptive influence on the quality of risk judgement.
Understanding the most relevant level at which risk should be assessed is critical to success. Current standards offer little guidance on this essential requirement.