Archive for February, 2018

Writing a good risk statement

I often review documents describing risks that fail to either make an impression as to the seriousness of the risks or fail to explain the cause and impact of those risks, both results leading to a less well informed risk decision by a non-specialist executive.

It is vital when stating a risk to be clear in communicating the various characteristics and components of the risk without assuming previous knowledge on the part of the reader. Here is the guidance that I often offer as part of my feedback.


Don’t over think cyber risk

I have been overthinking cyber risk. I’ve been trying to build a reliable model that I could rely on to mechanism my risk assessments. I’ll continue to refine my ideas because I enjoy the intellectual challenge. However, I am of the opinion that until we have the cybersecurity equivalent of Fischer Black, we need to accept the inherent inaccuracy of cyber risk modelling and use it to support quick decision-making rather than build grand unifying frameworks that ultimately only serve to mislead us further. It’s vital to start scouring the vast quantities of data we create for feedback on our decisions rather than try to base them on a level of knowledge that is not achievable.

At this point in state of the art, cybersecurity risks may be too hard to model reliably due to many factors. That is not to say that cyber risk assessment shouldn’t happen, as Jack Jones says “You can’t avoid measurement“, but the limitations of cyber risk management should be recognised, and any strategic response to cyber risk should account for that.

Twitter RSS