Talking about risk is just talking about a possible chain of events that in a certain point (or points) hurts us. The hurting point is the impact, the loss with its probability coming from the attributes of the links of the chain. If we assessed those possible chains and we found it reasonable, we can still decide to block preceding links from the path to mitigate the risk.
The risk decision pattern
Just ask a security professional about the essence of the profession of hers or open a book about the basics of security, I guess with no doubt it will start somewhere around the explanation of risk and the need of risk management. It is obvious for anyone, who works in this sector, security is about risks. An event may happen in the future with some certainty and will cause unwanted impact; yes this is the definition of risk and this is something to deal with in the domain of security. The only question then, why is it that hard to find an efficiently working risk management and why can we hear so much complains from the experts about the lack of risk awareness in the management? Especially if we consider the importance of security. That security that is build around the risk.
One of the reasons why the risks are neglected (at least more than we’d like to see it) is perhaps because of those financial decisions where they are left out.
How do I mean and how should risks and risk decisions be approached then?
Upbeat
As an architect I’d like to dedicate this page to some technical and no so technical writings mainly from the fields of information technologies and security. My plan is to share some patterns, practices, tools and ideas to reuse. Some of those are just for structuring the common knowledge in a way that helped me, some of those are my thoughts might worth to consider.
Hope that this collection might help for others as well.
Enjoy,
Levente Simon