George Hulme in an article for Network World compiles from leading experts the seven common mistakes organizations make with risk management.
- Starting from scratch. There are actually well-established methods for risk-analysis that can be and should be used.
- Replicating the audit department. Experts point out that audit doesn’t necessarily concern itself with threat and reporting the total picture of risk. These are the jobs of security risk management.
- Conflating precision with accuracy. To provide actionable information, precise numbers are not always necessary.
- Overemphasizing the risk register. Experts recommend moving to an exposure register which is more likely to reflect real-world risks and helps organizations mitigate.
- Using undefined risk concepts. Do not use undefined concepts of ranking such as low, medium or high. Define the rankings so that all are on the same page.
- Not having a risk intelligence program. IT security risk can be broken down to four sets of information – threats, controls, assets and impact. Monitoring for changes that could affect their risk for all four is important.
- Multiplying ordinals. Ordinal scales simply define the rank or order of the values not the quantities represented by those values.