NoticeBored's new “Taking chances” awareness module is about identifying, assessing and dealing with information security risks and opportunities.
Whereas information security and risk management professionals, as a breed, are generally risk-averse, the awareness materials this month acknowledge pragmatically that there are legitimate business reasons to accept some information security risks, to take chances deliberately: the trick is to know which ones to live with, and which to avoid, pass to someone else or mitigate.
Animals deal with safety risks routinely at a subconscious level, avoiding extreme dangers instinctively, and learning to avoid other risks through teaching, by observing their parents and peers, or by trial-and-error: the ability to learn and so change our behavior is a vital survival skill. In a sense, organizations also have both instinctive and learned reactions to risks. This month’s awareness module passes on decades of real-world experience with the management of information security risks.
Some cynical graybeard information security professionals feel that the methods commonly used to analyze risks are little better than chicken entrails at predicting the future. By explaining the elements of the risk management process, we demonstrate that rational analysis, prioritization, treatment and monitoring of information security risks do give us a bit of an edge over those entrails, and perhaps in our own small way we can help advance the profession a little. It’s not all hocus pocus!
"Taking chances" is our 120th monthly module, in other words we have successfully navigated our first decade in security awareness. We're still trying to decide how best to celebrate our tenth birthday so watch out for a news update once we sober up from the office party.
Happy Easter all!