We like to think of Security Risk Management as an objective practice. After all - if stakeholders are expected to foot the bill for mitigating risk, they will want to base such a decision on solid ground. They need facts, don't they?
Hold it right there.
What is a fact about risk? Risk concerns potential future events. What facts do we have about the future? That's right. None, whatsoever.
So, in the absence of facts - what can we offer? Is there such a thing as an objective risk assessment?
(some of) my events
- 2018-12-13 Datakommunikation och IT-säkerhet (guest lecturing, Högskolan i Gävle)
- 2018-12-05--07 Teknisk informationssäkerhet (teaching course, Stockholm)
- 2018-11-14--16 Strategisk informationssäkerhet (teaching course, Stockholm)
- 2018-11-06 Certifierad IT-arkitekt (guest lecturing, Stockholm)
- 2018-10-03--05 Operativ informationssäkerhet (teaching course, Stockholm)
last chance...
