Imagine a world where the majority of people who claim to “do” software engineering do not know even the basic concepts taught in computer science 101 classes, such as basic data structures and why they matter. A world in which most accountants do not know how to read a P&L or a tax return.
From an information risk management (IRM) perspective, we do live in that world.
I delivered my presentation, “The New School of Information Risk Management,” over a year ago at a conference of IT auditors and risk managers. A common response to my presentation was that it contained “too much” math; people were hoping for practical tips on how to do risk management. I found this reply baffling. Again, imagine if someone with the job title of software engineer said, “I don’t need to know computer science or even how to program; I am a software engineer.” Or an accountant who said, “I don’t need to know how to read a P&L or a tax return; I’m an accountant.”
Such people are, despite appearances, clearly speaking a different language from the one I speak. In my language, it makes no sense at all to say that one can “do” risk management without even the most basic understanding of probability theory. In my opinion, the minimum bar for competency as a risk analyst or manager, regardless of the kind of risk they focus on and even if they use so-called “qualitative” methodologies, includes understanding:
- the difference between the frequency and epistemic interpretations of probability (and why it matters);
- Bayes’ theorem and the definition of conditional probability; and
- the base rate fallacy and how to avoid it.
If a person does not understand (and refuses to learn) these entry-level risk concepts, I assert they have no business doing IRM professionally.
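As an added illustration (my own example, not part of the original post) of why the second and third items on that list matter in practice: Bayes' theorem applied to a security alert, with constructed numbers. Assume a detection control that fires on 99% of truly compromised hosts and on 1% of clean ones, and that 1 host in 1,000 is actually compromised. The base rate fallacy is concluding that an alert means a 99% chance of compromise; the posterior is about 9%.

```python
from fractions import Fraction

# Exact arithmetic so the worked numbers are not blurred by floating point.
# All inputs below are constructed for illustration, not real detector figures.
SENSITIVITY = Fraction(99, 100)        # P(alert | compromised)
FALSE_POSITIVE_RATE = Fraction(1, 100)  # P(alert | clean)
BASE_RATE = Fraction(1, 1000)           # P(compromised), the prior


def p_alert(sensitivity, false_positive_rate, base_rate):
    """Law of total probability: P(alert) over both hypotheses."""
    return sensitivity * base_rate + false_positive_rate * (1 - base_rate)


def posterior_given_alert(sensitivity, false_positive_rate, base_rate):
    """Bayes' theorem: P(compromised | alert)."""
    return sensitivity * base_rate / p_alert(sensitivity, false_positive_rate, base_rate)


def likelihood_ratio(sensitivity, false_positive_rate):
    """How much one alert shifts the odds: P(alert|compromised) / P(alert|clean)."""
    return sensitivity / false_positive_rate


def base_rate_for_posterior(sensitivity, false_positive_rate, target):
    """Smallest prior at which a single alert pushes P(compromised | alert) to `target`.

    Uses the odds form of Bayes: posterior_odds = prior_odds * likelihood_ratio,
    so prior_odds = target_odds / likelihood_ratio.
    """
    target_odds = target / (1 - target)
    prior_odds = target_odds / likelihood_ratio(sensitivity, false_positive_rate)
    return prior_odds / (1 + prior_odds)


if __name__ == "__main__":
    post = posterior_given_alert(SENSITIVITY, FALSE_POSITIVE_RATE, BASE_RATE)
    print(f"naive reading of a '99% accurate' alert: {float(SENSITIVITY):.1%}")
    print(f"actual P(compromised | alert):             {float(post):.1%}")
    # Sweep the prior to show that the alert's value depends on the base rate.
    for prior in (Fraction(1, 10000), Fraction(1, 1000), Fraction(1, 100), Fraction(1, 10)):
        p = posterior_given_alert(SENSITIVITY, FALSE_POSITIVE_RATE, prior)
        print(f"  base rate {float(prior):.2%} -> posterior {float(p):.1%}")
    need = base_rate_for_posterior(SENSITIVITY, FALSE_POSITIVE_RATE, Fraction(1, 2))
    print(f"prior needed for an alert to mean >=50% compromised: {float(need):.2%}")
```

With these inputs the posterior is exactly 11/122, and the base rate must reach 1% before a single alert makes compromise more likely than not.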