the importance of risk awareness

Feeling secure is not the same as being secure. Both are desirable objectives and they're somehow related. But one does not necessarily follow from the other.

In many cases, my 'being secure' depends on my being cautious. If I'm risk-aware, I will avoid actions which could increase my vulnerability. In a way, I will be more secure partly because I don't feel secure.

So, what happens when a system successfully makes a user feel secure? How does that affect her vulnerability, her 'being secure'?


that old narrow path

Organizations want to (appear to) be ethical, thus avoiding bad publicity. There are three problems with this (semi-)noble goal.

There is no universal ethics, no standard for right and wrong.

Ethics cannot be imposed by decree. Proclaiming common values does not make common values. Management sets the tone but it's down to the integrity of co-workers.

Ethics is not about publicity. It's about doing right when there are no witnesses and I could get away with anything. Ethics begins with you and me, here and now.


yet another bad day for heroes

When everything goes wrong, a hero saves the day in the face of looming disaster.

In some places there seems to be an awful lot of days when all goes wrong. Enter objectives, roles and processes. All frightfully boring concepts, but they lend an air of predictability to an enterprise. With less chaos and fewer surprises, we can get a grip on risk, and this is basically what it takes for a business to grow up.

So, in that sense there's no place for heroes in the culture of a mature organization.