Some food for thought from this years RSA Conference is that “too much thinking can impair your judgement.” That is the message of Malcolm Gladwell who says
We expect those with expertise to give us chapter-and-verse reasons for making that decision. We need to be comfortable with the inherent uncertainty of expertise
This is true, particular when it comes to the task of assessing risk. I’ve often advocated that risk calculations need to have an additional variable: some x factor based on nothing more than the intuition and experience of the person performing the assessment.
There is often ambiguity and uncertainly around risk in information security. So, intuition counts for a lot.