Risk-based security? Hogwash!
Nothing gets my goat as badly as “risk-based security” talk that is suffocating discussions lately. It is so pervasive and so obnoxiously delivered that you end up wondering if the authors of the term even know how poorly they understand information security, risk management, and the organisation they support. Dunning-Kruger effect in action if there ever was one.
Decisions, decisions
To explain what I mean, let’s look at it from the top down:
1. Everything starts with objectives. The things you want to achieve, stuff you want to do.