It’s All In a Name…Risktical

July 26, 2008

Risktical – To the best of my knowledge, this is not a documented “Bushism”. But it has some zing to it, and it seemed to stick when I was doing a very impromptu mind mapping exercise.

So off we go…

Risk is often thought to be a very complex subject to comprehend – let alone have meaningful discussions about. The reality is that we all probably understand risk better than we think. We make risk-based decisions every day – yet rarely are we put in positions to articulate the risk elements that went into a decision, let alone defend our reasoning.

Performing information security risk assessments on IT projects, operational processes, or other business processes is becoming more and more common in organizations of various sizes. This is what I have been doing for the past three years. Yes, I started out as a piece of clay with half a clue about risk – but thanks to great mentors, a great risk framework to work with, some self-study, a risk management organization that takes this discipline seriously, and business leaders that embrace the information we provide them, I am now more experienced in understanding risk, more hardened against erring on the side of possibility rather than the side of probability, and more convinced that at the end of the day information security professionals can enable effective decision making.

There are a few words that come to mind when I think of risk and the discipline of assessing risk – all of which influenced the name of this blog.

Mystical / Uncertainty – There are folks that scoff at the idea of being able to classify, or better yet quantify, information security risk. I think it all comes down to one’s comfort with dealing with uncertainty, as well as accepting the fact that this is a fairly new discipline within the information security profession. Are information risk assessment scoffers as skeptical about stock market analysts and their predictions?

Statistics – Uncertainty. Not binary. Probability. Values between 1 and 0. Distribution. We should not underestimate how many people understand risk concepts – especially business executives and decision makers. Understanding basic statistical concepts, as well as being familiar with more advanced statistical concepts, is a must for anyone wanting to take this discipline seriously. From my perspective, a methodology that uses sound statistical concepts is going to be easier to defend, and it will also be easier for users of the methodology to be consistent in their assessments.

Economics – How and why a business allocates its money matters at all levels of the company. Any business-minded person wants to ensure that wherever they apply their allocated money, it is going to have some positive impact on the business. Within information risk management, these funding decisions can be hard to make. But a decision maker armed with the right information can make risk-based decisions that decrease the overall risk the organization may be facing, as well as prove value.

In upcoming posts, I will try to lay out a few foundational topics before analyzing some risk scenarios. Some of these scenarios may be based on current events – others may be modeled on my “imagination”. Regardless, I look forward to sharing my thoughts and having meaningful dialogue.