Risk Analysis Makes No Sense … does it?
- Image via Wikipedia
Take a look at this article.
http://www.zdnet.com/blog/security/security-engineering-broken-promises/6503
You're back? What did you think of it?
OK, now look again, scroll down the section titled "Risk Management". It picks up on a number of themes I've discussed and has this interesting observation:
Prioritization of security efforts is a prudent step, naturally. The problem is that when risk management is done strictly by the numbers, it does deceptively little to actually understand, contain, and manage real-world problems. Instead, it introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy, and that underfunded security efforts plus risk management are about as good as properly funded security work.
Guess what? No dice:
The author goes on to illustrate a number of ways that the approach we as the InfoSec community have preached and practised makes no sense.