When it comes to risk management, I believe one of our biggest vulnerabilities is our ability to make good risk decisions based on the information available to us.
Our decisions are often inconsistent, subjective, mypic, and sometimes ignore the obvious. Why? Human nature.
A particular interest of mine is finding repeatable methods to become more effective at evaluating, articulating, and responding to information security risk.
As a result, I read an awful lot of stuff about risk and how it’s managed in other, non-IT disciplines, and look for models and constructs that can be re-used.
I’d like to share some thought-provoking observations with you today.