We cannot measure information risk. Not in monetary terms, not on any quantitative scale.
We can (and must) assess risk through lenses available, but to achieve business relevance we need an element of intersubjectivity. A metric shouldn't depend on what individuals happen to be involved.
Therefore, we need methods based on a common understanding of basic concepts. We could take a vote on what constitutes a "threat" but the fact that we need to take a vote is a reflection of low industry maturity.
(some of) my events
- 2023-11-16 Psychological perspectives on understanding human decision-making in situations involving risk and uncertainty (attending symposium, Stockholm)
- 2023-08-23--24 Riskbaserat arbetssätt (teaching course, Stockholm)
- 2023-05-30 Informationssäkerhet och risk (pod interview in Swedish)
- 2023-05-11 Certifierad IT-arkitekt (guest lecturing, Stockholm)
- 2022-12-05 Datavetenskapliga programmet (guest lecturing, University of Gävle)
Subscribe to:
Post Comments (Atom)
20230802
No comments:
Post a Comment