objective it isn't

With all its deficiencies - biases, incompleteness and errors - a systematic SRA is our best hope for tackling security risk.

If we document what perspectives are represented, how risk is constructed from components, how likelihood is quantified - if the SRA is transparent - the reader will know how to use it, what to trust and what to improve.

When I as your assessor do my level best with adequate resources and you as system owner trust me, we can get a lot done. Just don't call it objectivity.

No comments: