Comments on: Risk / Threat vs. Risk Issue

By: Chris Hayes

Chris Hayes — Tue, 27 Oct 2009 12:18:12 +0000

Thanks for the comments everyone!

@M. Wallace – You should now be able to click on the image and it should open a new browser window and be easier to view. Thanks for catching that!

By: M. Wallace

M. Wallace — Tue, 27 Oct 2009 11:51:30 +0000

I’d like to noodle the diagram. But I’m over 40. The text on the diagram is below the “greeking” level.

By: Saso

Saso — Mon, 26 Oct 2009 22:35:57 +0000

Sounds much like the reasoning we used at my current employer to get everyone on the same page w.r.t. issues and risks; things to worry about and address and things that we can’t influence one way or another: things to live with and monitor.

Ended up with the following definitions to make it easier for everyone to see where we’re coming from:

risks: assessed (guesstimated) PLM and LEF. Not necessarily eventuating in the next 6 – 12 months even if their LEF hints at this;

issues: risks that are bound to come and bite you in the behind in the coming 6 – 12 months unless something is done about them right now. Stuff raised by auditors usually falls in this category. You ignore them at your own peril. (The quality of issues they raise is up for discussion, but ignoring them is usually not the smartest thing to do.)

By: Interesting Information Security Bits for 10/26/2009 | Infosec Ramblings

Interesting Information Security Bits for 10/26/2009 | Infosec Ramblings — Mon, 26 Oct 2009 19:40:58 +0000

[...] on risk/threat vs risk issue. When does a risk or threat become a risk issue for your organization? Risk / Threat vs. Risk Issue << Risktical Ramblings Tags: ( risk [...]

By: shrdlu

shrdlu — Mon, 26 Oct 2009 18:15:36 +0000

Very true. You might say that “risk” = “possibility” while “risk issue” = “probability worth paying attention to”

This is especially important when the elevation from “risk” to “risk issue” is being caused by something your organization (or its staff) is doing.