Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
C. Warren Axelrod

Classy Data (pt. 3) – Ownership and Risk

A major fault is in the belief that the determination of an objective risk number is reasonable. Risk is highly subjective, and it requires special training for one to learn how to estimate probabilities and magnitudes of loss, as described in Hubbard’s book, How to Measure Anything, which I always reference when addressing risk measurement and assessment. We humans are also very bad at anticipating low-probability, high-impact incidents, as Taleb describes in his book The Black Swan, which I am also guilty of referencing over and over again.

So what do we have? Many organizations have developed impressive risk governance processes. But they are built on flawed risk models, which have weak assumptions and are based on unrepresentative model structures. What can one expect from such a situation? We can expect what we get. We get one data leakage incident after another, the next more egregious than the last, and no seeming abatement. We beat up one CISO after another, but little seems to change.

We won’t get any relief unless we come up with workable processes, meaningful assumptions and representative models. Big bucks? Yes. Big benefits? Certainly.
