Jeff Williams emailed about yesterday's post on decoupling risk and uncertainty. He has been on this beat for awhile, read Jeff's paper on Measuring Security. Jeff makes an important point:
The problem with putting risk ahead of assurance is that you can’t make informed decisions in the face of too much uncertainty. You need to reduce the uncertainty until you can make a good risk decision – after that there’s no point.
I would still say that if we define risk as the permanent loss of assets, particularly of capital, we can get closer to some set of outcomes that we can handicap, at least good enough for enterprise security. One of the things I like about Jeff's paper is that he decouples the two concepts and identifies concrete actions to take in addressing both risk and uncertainty. In an ideal world they'd both be low, but we don't live in an ideal world so we have to figure how to make forward progress. I see infosec having more control (and expertise) in risk than uncertainty, but the real issue, as Jeff implies, is not to conflate the two.
Comments