Adam Shostack, Shostack + Associates
"Risk management" has been given a privileged position in security, that of an axiomatic truth. It doesn't deserve it. Even if we could quantify likelihood or impact, it's not clear that risk management estimation or communication are effective ways to reduce either. Moreover, there are more than 200 risk management standards. Which ones work, and what does that even mean? Respected authorities like NASA write things like: "While there will probably always be vigorous debate over the details of what comprises the best approach to managing risk, few will disagree that effective risk management is critical to program and project success and affordability." If there's vigorous debate, to what are we agreeing? Does it achieve the goal of affordability? We can decrease the cost of risk approaches by standardizing answers to "impossible to answer" questions such as "what's an acceptable rate of phishing test failure?" The answers are not made better by requiring every company to determine its own: if the results fit a normal curve, almost half will be over-permissive while the other half are too strict.
A first step is to acknowledge that risk framing is creating more problems than it solves. Most of us can either stop spending energy on risk management, or spend less, freeing that energy for useful work. We can treat specified risk management techniques as objects of study, looking at properties like accuracy, precision and cost, as well as the sensitivity of decisions to them. We can look for other properties that influence decisions (the cost to address, and who bears that cost).

Adam Shostack is a leading expert on threat modeling, founder of Shostack + Associates, and the author of Threat Modeling: Designing for Security and Threats: What Every Engineer Should Learn from Star Wars. He helped create the CVE and is now an Emeritus member of the Advisory Board. Shostack serves as a member of the Black Hat Review Board, an advisor to a variety of companies and academic institutions, and an Affiliate Professor at the Paul G. Allen School of Computer Science and Engineering at the University of Washington.
