Unixronin

Friday, October 24th, 2008 12:13 pm

bruce_schneier posts a revealing excerpt from the ANSI Cyberrisk Calculation Guide.

Here's the sentence from the ANSI Guide that leapt out at me:

If risk can be transferred to other organizations, that part of the risk can be subtracted from the net financial risk.

I don't know about you, but to me, that sounds disturbingly like "If a risk can be made into somebody else's problem, then screw it, it's no longer OUR problem."  Which is exactly the kind of thinking that got us into the current economic mess.

Friday, October 24th, 2008 08:12 pm (UTC)
well, yeah, basic risk management, and a big part of why any contract negotiation has a lot of focus on "fixed price" vs "time & materials"

difficulty for some people seems to be in remembering whether you're transferring the risk to somebody else entirely or to another part of your own body as it were!

Friday, October 24th, 2008 08:44 pm (UTC)
I guess the point I had in mind was that in a society that wasn't based on "Screw you, jack, I've got mine", it'd be rational to approach things from the direction of "Can we eliminate this risk? Can we minimize it? What can we do to mitigate it? What precautions can we take against it?" instead of "OK, whose lap can we drop this into so that somebody else gets shafted instead of us if it blows up?"

Saturday, October 25th, 2008 10:31 pm (UTC)
you're right ... i don't think being rational is usually done tho :(