I find it surprising that after more than 30 years of experimentation of risk assessment, many security practitioners continue to apply risk assessment in such a non-intuitive way. There seem to be some rather widespread misconceptions about the nature of the process. I cringe when I hear experienced professionals suggest that risk assessments must be objective and repeatable. Where on earth did they get that impression? Were they taught this on a course? Or did they read it in a standards document? It's not something that occurs in practice.
This has prompted me to try to debunk some of the myths of risk assessment. Hopefully, by speaking out, I might encourage future practitioners to approach the subject with a more critical eye, rather than merely copying the flawed practices of previous generations. So here is my attempt at nailing six common myths of risk assessment.
Hiç yorum yok:
Yorum Gönder