All documents are in PDF 1.4 format, compatible with Adobe Reader 5.0 and higher
Information Security Risk revisited
Uncertainty about the parameters - and even the definition - of risk is prevalent among information security practitioners, and it cripples their capacity to manage information risk.
“An Isolated Risk of Rain”
The term ‘risk’ is more often misused than applied correctly. Even among risk practitioners, it seems poorly understood, despite being at heart a very simple concept.
What is Risk Anyway?
Poor understanding of risk is widespread - not just in the domain of information security. Cultural mores can influence how risk is perceived to the point where critical hazards are blindly accepted, with catastrophic results.
Caught with our Pants Down
Sufficient data, adequate granularity and assessment methods that make objective sense are all essential prerequisites if we wish our risk decisions to be trustworthy and usable in the real world.
Risk Decision Calibration
The significant effect of cognitive biases and rules of thumb on the quality of risk judgement is seldom recognised as a disruptive influence.
Risk Judgement and Knowledge
Understanding the most relevant level at which risk should be assessed is critical to success. Current standards offer little guidance on this essential requirement.