Monday, September 27, 2010

Not using "Risk Management" doesn't mean "no decision making"

I found an old bookmark in my "to blog" folder related to a New School post from David Mortman, "Decision Making Not Analysis Paralysis". I am one of those with second thoughts about our risk management tools. If you're still confident that you can use risk assessments as the basis of security decisions, I suggest reading "The Drunkard's Walk", by Leonard Mlodinow.

I cannot say that I'm 100% sure that risk management is useless. I just don't feel enough confidence that it gives us what we need during the decision making process. So, David is saying that executives usually have only a small fraction of the information about an issue when deciding. He also says, "Personally, I like to have some data based rationale for how those decisions get made". The point here is that we, the risk management skeptics, are not arguing against decision making. We are arguing against the illusion of a "data based rationale". If you are deciding something over 10% of the overall data, that's not a lot more than a gut feeling decision. There's the even more negative aspect of believing the decision is fact based when it's just slightly more than guessing.

So, let's not throw away the baby with the bath water. Decision making is crucial. What I expect is a method to do that better and without the illusion that it's a fact based rational decision. At this time I don't see risk management as that method.

