FAIR book co-author Jack Freund, PhD, recently spoke with the risk management team at a large retailer, a team that held a firm belief that “organizational apocalypse will occur if the website goes down.” A FAIR analyst on staff ran the numbers on the potential impact of a site outage and found no apocalypse, just a manageable problem.
Jack's new blog post for ISACA, “Apocryphal Risk Management”, is a cautionary tale: “instead of placing money, time and people on problems that can truly cause damage to the organization, relying on these stories for prioritization results in enterprises chasing ghosts.”
“This means that cyber risk management professionals have an ethical obligation to tell the truth,” Jack writes. But here’s where it gets complicated: These apocryphal stories have typically been promoted for years by senior managers in the risk management operation. So, the risk profession also “requires communicating the truth to those in power.”
Jack goes on to give advice on blending the three modes of persuasion – ethos, logos and pathos – to tell the truth of risk analysis. FAIR analysis is the best way to handle the logos (or logic and reasoning) side of the argument, but emotional intelligence is also required, and Jack presents some tactful ways to stop the spread of risk management by storytelling.
Read Apocryphal Risk Management in the @ISACA blog.
Read more by Jack Freund:
The ‘Risk Therapist’ on Your Team: When It’s Time for an Intervention
Organizational Signals for Changing Risk Appetite
Concept Creep: Why Cyber Risk Problems Never Get Solved
Become a FAIR Institute member - stay informed on the latest tips and techniques for advanced cyber risk management - attend Institute events – network and discuss with other FAIR fans. About 30% of the Fortune 1000 are represented in FAIR Institute membership. Join us!