Shostack + Friends Blog Archive


Alex on Science and Risk Management

Alex Hutton has an excellent post on his work blog:

Jim Tiller of British Telecom has published a blog post called “Risk Appetite, Counting Security Calories Won’t Help”. I’d like to discuss Jim’s blog post because I think it shows a difference in perspectives between our organizations. I’d also like to counter a few of the assertions he makes because I find these to be misunderstandings that are common in our industry.

“Anyone who knows me or has subjected themselves to my writings knows I have some uneasiness with today’s role of risk. It’s not the process, but more of how there is so much focus on risk as if it were a science – but it’s not. Not even close.”

Let me begin my rebuttal by first arguing that risk management, at its basis, is at least “scientific work”. What I mean by that is elegantly summed up by Eliezer Yudkowsky on the Less Wrong blog. To use Eliezer’s words, I’ll offer that scientific work is “the reporting of the likelihood ratios for any popular hypotheses.”

You should go read “Risk Appetite: Counting Risk Calories is All You Can Do”.

One comment on "Alex on Science and Risk Management"

  • I agree that risk management is a science … because of the rigorous risk assessment process that it follows to determine threats, threat agents, vulnerabilities, likelihood ratings, impact levels, and risk. Followed by risk handling to determine whether we accept the risk, transfer it, transform it, or mitigate it to an acceptable level. This is a very quantitative process. Too often people try to give a simplistic qualitative level of high, medium, or low to a risk statement without actually studying what created the risk in the first place!
