We cannot measure information risk. Not in monetary terms, not on any quantitative scale.
We can (and must) assess risk through the lenses available to us, but to achieve business relevance we need an element of intersubjectivity: a metric shouldn't depend on which individuals happen to be involved.
Therefore, we need methods based on a common understanding of basic concepts. We could take a vote on what constitutes a "threat", but the fact that we would need to take a vote at all reflects the low maturity of the industry.
(some of) my events
- 2023-01-16---05-28 Sound Engineering I (taking course, Örebro University)
- 2022-11-07---01-13 Measurement Theory and Philosophy of Value (taking course, University of Gävle)
- 2023-01-11 Certifierad IT-arkitekt (guest lecturing, Stockholm)
- 2022-12-05 Datavetenskapliga programmet (guest lecturing, University of Gävle)
- 2022-12-01 Riskförmiddag with Riskkollegiet (lecturing at seminar, Uppsala University)
2013-02-14
2013-02-05
objective it isn't
With all its deficiencies - biases, incompleteness and errors - a systematic SRA is our best hope for tackling security risk.
If we document what perspectives are represented, how risk is constructed from components, how likelihood is quantified - if the SRA is transparent - the reader will know how to use it, what to trust and what to improve.
When I, as your assessor, do my level best with adequate resources, and you, as system owner, trust me, we can get a lot done. Just don't call it objectivity.
20230209