We’re agreed on all points! This whole discussion by blogging thing is somewhat inefficient at times

The nice thing is, I’m starting to mellow on compliance a little as a result.

1. Thanks for clarifying what you mean by the term transfer in your previous post.

2. I agree that compliance may leave gaps (as per your BITS AUP example). Although, that wasn’t the focus of my post. I did not mean to insinuate that compliance could not lead to a “negative impact”, as per your language, due to such gaps.

3. Compliance is still a form of risk reduction. It’s a distinction people seem to forget when they talk about compliance vs. security, as if they have completely different objectives.

Thank you for considering my thoughts and opinions. I’ve written my thoughts on the blog, but I did want to repeat myself here just to clarify.

When you says that best practices are attempts to lower risk, I agree. But organizational risk wasn’t the point of my use of the concept of risk transference in that quote. My assertion is that individuals will be doing risk analysis, whether they like to say they are or not. The only question is with what rigor.

Some people (Donn and maybe Richard) are uncomfortable with their understanding of probabilities. So rather than be wrong in making a belief statement about probabilities, they transfer the risk of being wrong about probabilities to a checklist. This transfer of risk is a completely independent “risk issue” than their capability to lower the risk to their stakeholders. It is a personal risk analysis they’re doing about their ability to perform accurate risk analysis.

Now I believe that checklists and compliance mandates are really inefficient means to lower risk to stakeholders. The other non-FAIR risk assessment methodologies mentioned there less so in theory, but so inefficient in practice as to cause significant frustration.