risk
Imported tag from Readwise
Risk management/analysis is primarily an exercise for upper management. It is their responsibility to initiate and support risk analysis and assessment by defining the scope and purpose of the endeavor. The actual processes of performing risk analysis are often delegated to security professionals or an evaluation team. However, all risk assessments
Sometimes even small uncertainty reductions can be worth millions of dollars.
The third philosophical shift has to do with our attitude toward risk. In Medicine 3.0, our starting point is the honest assessment, and acceptance, of risk—including the risk of doing nothing.
If you don’t research why new mild anomalies happen, you deserve all the upcoming incidents.
The reality is that we all tend to maintain the status quo and “keep doing what we’re doing.” This is something we have to recognize and often work to overcome. In organizations, inertia can be a reason for retaining positive habits, and it can also be a reason for continuing behaviors that were never consciously started.
What you want to know is whether you have less uncertainty after considering some source of data and whether that reduction in uncertainty warrants some change in actions.
In 2010, Michael Hayden, the former director of the NSA and CIA, made a darkly prescient point in a keynote at the Black Hat security conference in Las Vegas, speaking to a crowd of programmers, security engineers, and hackers. “You guys made the cyber domain look like the north German plain. Then you bitch and moan when you get invaded,” he said.
Scenarios are powerful. Clear, well-written scenarios should be a first-class skill for security professionals and a core part of how security teams work together. Taking the time with others to be clear about the scenario you’re concerned about is a matter of keeping everyone moving toward the same goal.