Posts

Showing posts from September, 2024

Philosophical phriday - dealing with uncertainty

Lately I've been pondering the thought that 'risk' is 'uncertainty' - it's not simply that risky decisions and activities involve some element of doubt, that they might work out extremely well or go horribly wrong, but that the lack of certainty is itself a critical factor. As well as the rational mathematical basis in probability theory and statistics, there is also an emotional aspect to uncertainty. It affects the way we perceive, prepare for and address issues. It affects our planning and capability. It can be debilitating, resulting in indecision and delay even though that may make things even worse: sometimes, it is better to make a decision now (despite the uncertainties) and press ahead in the belief that we will cope with whatever eventuates. Conversely, it may be better to delay a decision and hold back while gathering more information, building resources, preparing and aligning those involved, and considering various eventualities. Uncertainty ha...

Passionate dispassion

Someone who is actively involved in, or is managing, an activity is patently not independent of it. They may well make a conscious, rational and determined effort to be objective, dispassionately reviewing evidence etc., but their subconscious/emotional biases/prejudices and beliefs/value-systems will inevitably influence what they do. With the best will in the world, they will struggle to challenge and assess their past decisions and activities, especially if they were "certain" or "determined" or genuinely believed they were "doing the right thing". Furthermore, it is very hard for anyone to review the things they did not do, decisions they did not make or options they did not even consider. Mostly, they remain out of sight or out of the question.

Cognitive Hack - book review

Title: Cognitive Hack - The New Battleground in Cybersecurity... The Human Mind
Author: James Bone
Part of the Internal Audit and IT Audit series edited by Dan Swanson
Publisher: CRC Press/Auerbach (2017)
ISBN: 978-1-4987-4981-7
Price: US $100 (hardback), US $53 (paperback)
GH rating: 50%

Summary: The author's core thesis is that we are expecting IT users and managers to make rational, risk-averse decisions and take appropriate actions in response to complex threats. The 'cognitive load' is such that people are bound to make mistakes. Therefore we should be simplifying things (e.g. by automating cybersecurity controls), thereby reducing the number of choices and hence taxing decisions we're asking people to make.

Philosophical phriday - compliance risk

According to a vendor's promotional video interview I saw recently, the 'cybersecurity compliance burden' has allegedly become so significant that [customer] organisations are eagerly buying [their] software tools and services to help them manage and fulfil their obligations. The vendor's argument goes that, instead of accumulating a ragtag bunch of policies and other controls relating to user Identification and Authentication (I&A), for instance, it makes sense to: identify all the cybersecurity-related laws, regulations and standards that apply to the organisation; examine them for any security control requirements relating to, say, I&A; rationalise the I&A controls down to the smallest set that satisfies all the requirements - the lowest common denominator; design, implement, use, manage and maintain those I&A controls; have the I&A controls checked or audited to gain assurance that the compliance requirements are met. OK so far? Sounds reasonab...