Jack Jones on Risk Management

[Image: jack-jones.jpg]

I really enjoyed watching the podcast version of a talk that Jack Jones gave at Purdue, “Shifting focus: Aligning security with risk management.”

I liked the opener, about what it’s like for executives to talk to security professionals, and the difference between what might happen and what’s likely to happen. The screenshot is from a discussion of how to play Russian Roulette.

I also like the way he critiqued best practices (you’ll have to watch). It’s a little hard for me to assess his risk management methodology from a podcast, but it’s a very worthwhile 45 minutes.

(Now only if he had some Kandinsky in there, I’d have no doubt that the Risk Management Insight Institute, which Jack heads, is part of what we call the “New School.”)

3 thoughts on “Jack Jones on Risk Management”

  1. Adam,
    Thanks for the kind post. Jack and I have -no- issues calling ourselves “New School” :)
    We’ll probably be among your most vocal advocates.

  2. His whitepaper “An Introduction to Factor Analysis of Information Risk (FAIR)” is standard reading on my team…great to see him speak, thanks for the post!