It could be argued that ‘management’ of all kinds (including information risk and security management) is or rather  should be a rational process, meaning that managers should systematically gather and evaluate information, take account of sound advice, make sensible decisions, put in place whatever is necessary to implement the decisions etc. , all the time acting in the organization's best interests, furthering its business objectives, strategies, policies etc. In practice, there are all manner of issues with that approach that complicate matters, frustrate things, and lead to ‘suboptimal’ situations that may be - or at least appear to be - irrational, inappropriate or unnecessary.   In particular, there are numerous paradoxes. For examples: The obvious core objective of a typical commercial company to make a substantial profit for its owners may conflict with various ethical and legal objectives to spend money on protecting and furthering the wider interests of society an...

'Reducing uncertainty' is the prime focus of  information risk management today. We do our level best to identify, characterise, quantify, evaluate and where possible reduce the probabilities and/or   adverse consequences of various possible events.   Uncertainty is an inherent part of the problems we typically face. We don't know exactly what might happen, nor how or when, and we aren't entirely sure about the consequences. We worry about factors both within and without our control, and about dependencies and complex interactions that frustrate our efforts to predict and control our fortunes. We adopt fallback and recovery arrangements, and apply contingency thinking with the intention of being better prepared and resourced for unanticipated situations ahead.     A random comment on LinkeDin set me thinking about the converse: 'reducing uncertainty' is the flip side of 'increasing certainty', in other words information risk management is equally about...