
Six myths of risk assessment

How many of these risk assessment myths do you believe? David Lacey’s blog post suggests that a good number of security practitioners still apply risk assessment in ways that do not stand up to scrutiny. To help clear the air and provide a bit of a public service, Lacey lists six myths that he runs into often and sets out to dispel:

  • Risk assessment is objective and repeatable
  • Security controls should be determined by a risk assessment
  • Risk assessments should be focused on assets
  • Risk assessment prevents you spending too much money on security
  • Risk assessment encourages enterprises to implement security
  • We should aspire to build a “risk culture” across our enterprises

The first of these myths, “risk assessment is objective and repeatable”, is simply not so, according to the post: assessments are made, generally speaking, by people working from incomplete data, and those people have varying knowledge and opinions. If all assessments seem to be coming back with the same results, Lacey suggests you investigate further.

Another myth is that “risk assessment prevents you from spending too much money on security.” This, too, is not correct. In Lacey’s words: “Not in practice. Aside from one or two areas in the military field where ridiculous amounts of money were spent on unnecessary high-end solutions (and they always followed a risk assessment), I’ve never encountered an information system that had too much security. In fact the only area I’ve seen excessive spending on security is on the risk assessment itself. Good security professionals have a natural instinct on where to spend the money. Non-professionals lack the knowledge to conduct an effective risk assessment.”

The final myth Lacey addresses is that organizations should aspire to build a “risk culture.” He sees this as a dangerous move, as it puts the whole organization on edge and can freeze it when it comes to taking any risky but rewarding action. Taking risks within safe limits is a healthy and productive way of moving an organization forward, but placing so much focus on risk can ultimately doom a company.

About Matthew Kabik

Matthew Kabik is the former Editor of Computer Aid's Accelerating IT Success. He worked at Computer Aid, Inc. from 2008 to 2014 in the Harrisburg offices, where he was a copywriter, swordsman, social media consultant, and trainer before moving into editorial.
