I got asked a very important question today. The question related to a report I have written covering the risk status of various different products and situations. It’s a very detailed and in-depth report making numerous observations, drawing a variety of conclusions and making recommendations. So, to the point and the question in question. It was “how important is this?”
I thought I’d made the answer to this question clear, but I re-read the report and it got me thinking again about quantifying risk and also how my perspective on risk differs from the business perspective. There’s some further commentary on this subject and the executive perspective on Kenneth Belva’s blog. But even this is not the full picture because the amount of risk that is acceptable will vary from business to business and from product to product. So, in one case there might be a willingness to spend thousands of pounds preventing an equivalent amount of risk while in another case the attitude to risk could be significantly different.
Kenneth draws attention to a Virtual Trust model and how security can add value. This is a really interesting paper and I recommend that you have a read if you’re interested in this subject.