Book Review: Risk

Note Jan 2007: I found a review of John Adams’ Risk in my ‘drawer’. I’ve just taken it out and posted it backdated.

It may sound either groundbreaking or obvious, but risks are not only of a security kind.

Decisions around road safety or environmental issues are risk decisions too, and in fact belong to disciplines that are much older than IT security. Wouldn’t it be useful to learn and apply useful lessons from elsewhere?

John Adams is a statistician and lecturer at University College London and a prominent writer of the social school of risk. I read his book more than 2 years ago, and I would say that if you are interested in the “why” of security, instead of the how, this is a must read. An enhanced extract from the book follows.

You are evaluating the risks and rewards of each activity in your life. This is your personal risk management, and you are, by and large, the only person judging both sides. In a corporate setup, however, different people are rewarded for taking risks (business managers) and different people are rewarded for reducing risks (risk or security managers).
Risk management is essentially guesswork. If we knew with certainty, we wouldn’t deal with risks but with realities. An important point Adams makes is that our guesses are strongly influenced by our beliefs. Behaviour is influenced by beliefs too, and in a particular twist of reality, our selective processing of experience, caused by our behaviour, often tends to reinforce those beliefs.

Business managers (at least some of them) believe in risk taking, and their compensation supports that belief. No risk, no gain. On the other hand, security specialists (and engineers in general) believe in risk reduction; they are in most cases risk averse. These are, IMHO, the seeds of the disconnect between security specialists whinging about how rubbish security is and business managers happily living with however bad security is.

Safety interventions that do not alter people’s propensity to take risks do not work. Such interventions only redistribute the burden of risk; they do not reduce it.

One of the best reads of 2002. Highly recommended to anyone in IT security field.
