the impeccable historical record

Risk should be objectively quantified.

A quantified risk level guides decision makers in prioritizing how to spend wisely in treating risks. If applied information security is to be realized cost-effectively, the risk level is our tool. It is derived by estimating the risk event in terms of its probability and impact - ideally in monetary terms.

Objectivity in risk quantification requires historical data as a foundation for event likelihood plus a thorough understanding of its business impact.


talking straight

Risk should be objectively described.

If a risk isn't clearly described, it simply isn't understood and will not be effectively treated.

Poor risk descriptions all but ensure that valuable insight from the SRA never reaches the right ears.

Objectivity in risk description requires pedagogy, language skills and sufficient boldness to communicate in no uncertain terms so that all stakeholders will understand the risk - through its interrelated components - the same way we did when constructing it.


infinite expertise with zero bias

Risk should be objectively identified.

This implies establishing timing and scope in such a way that best supports the decision situation which triggered this SRA.

We must also capture the most important risk components and successfully construct combinations which constitute the most relevant risks within scope.

Objectivity in risk identification requires complete knowledge of our system as well as existing threat sources and vulnerabilities plus unlimited creativity and a total lack of bias.


objectivity, anyone?

Objectivity implies a guarantee against bias, intentional or accidental. Emotions or prejudices must be controlled. Objectivity means presenting a just view of the world as it really is.

If a Security Risk Assessment (SRA) is to be objective, three conditions must be met.

Risk should be objectively identified.

Risk should be objectively described.

Risk should be objectively quantified.

All three conditions must be met, or the SRA will not constitute an objective statement about security risk.


objectively yours

We like to think of Security Risk Management as an objective practice. After all - if stakeholders are expected to foot the bill for mitigating risk, they will want to base such a decision on solid ground. They need facts, don't they?

Hold it right there.

What is a fact about risk? Risk concerns potential future events. What facts do we have about the future? That's right. None whatsoever.

So, in the absence of facts - what can we offer? Is there such a thing as an objective risk assessment?


the importance of risk awareness

Feeling secure is not the same as being secure. Both are desirable objectives and they're somehow related. But one does not necessarily follow from the other.

In many cases, my 'being secure' depends on my being cautious. If I'm risk-aware, I will avoid actions which could increase my vulnerability. In a way, I will be more secure partly because I don't feel secure.

So, what happens when a system successfully makes a user feel secure? How does that affect her vulnerability, her 'being secure'?


that old narrow path

Organizations want to (appear to) be ethical, thus avoiding bad publicity. There are three problems with this (semi-)noble goal.

There is no universal ethics, no standard for right and wrong.

Ethics cannot be imposed by decree. Proclaiming common values does not make common values. Management sets the tone but it's down to the integrity of co-workers.

Ethics is not about publicity. It's about doing right when there are no witnesses and I could get away with anything. Ethics begins with you and me, here and now.


yet another bad day for heroes

When everything goes wrong, a hero saves the day in the face of looming disaster.

In some places there seem to be an awful lot of days when everything goes wrong. Enter objectives, roles and processes. All frightfully boring concepts, but they lend an air of predictability to an enterprise. With less chaos and fewer surprises, we can get a grip on risk, and this is basically what it takes for a business to grow up.

So, in that sense there's no place for heroes in the culture of a mature organization.