Transvasive Security

the human factor

SIRACon: Organization of Risk Management Programs

I spoke today (May 7, 2012) at SIRACon, the first ever conference of the Society of Information Risk Analysts. Here is the description I submitted for the talk – it is fairly close to the final product:

Effective, established Risk Management practices fall into two major categories: management of risk due to accidental damage (safety) and management of risk due to threats (protection). This talk will present the case that these are two distinct methodologies, and all information risk management should be divided into protection functions (like the Secret Service) and safety functions (like the Aviation Industry), staffed by different people if possible, due to the differences in approach, available data, threat behavior, and the cognitive biases of the risk analysts themselves.

I’ve uploaded copies of the talk to my site: Organizing Risk Management Programs, Or, What I learned from the Aviation Industry and the US Secret Service.

I really enjoyed the day’s talks and appreciated all the different perspectives; they all help with our still-immature business of information risk analysis and information risk management.

I believe there will also be a video of my talk; I’ll post a link to it once it becomes available.