Another perspective on risk management that I’ve found useful is to recognize that risk issues are “open-ended” in nature rather than “well-structured”. Well-structured problems can be reasoned to a single correct answer – e.g., 3+3=6, or “Will I overdraw my bank account if I write this check?” Open-ended problems, on the other hand, are those that can’t be reasoned to a single, undisputed correct answer.
Examples of open-ended problems include:
• What’s the right solution for peace in the Middle East?
• What’s the best financial investment or insurance plan?
• Should I step on the accelerator or the brake at this yellow traffic signal?
Most of the information security/risk problems we face are open-ended – in other words,
there are very few clear, undisputed correct answers. Examples of open-ended questions we’re forced to deal with include:
• What is the best solution for this risk issue?
• Is this amount of risk acceptable?
• Which is the highest priority of our many security issues?
Because these issues defy simple, indisputable answers, and because each of our circumstances will vary, we’re forced to apply critical thinking skills. This, of course, flies in the face of prescriptive standards and “best practices” that try to portray the risk landscape as black and white (well-structured) when it’s clearly shades of grey (open-ended). To be fair (no pun intended), non-prescriptive standards and “best practices” play an important role as directional references -- compasses, so to speak. But even a really good compass can’t always account for the unique circumstances we encounter.
As I see it, any grade school graduate can recite a standard or compare a checklist against what they see in front of them. Whether we realize it or not, and whether we like it or not, we have to prioritize, make decisions, and defend/explain our rationale within a complex open-ended environment. Sometimes a specific best practice or standard will be the most cost-effective solution for a given circumstance; sometimes it won’t. The important thing is being able to recognize the difference. That’s where critical thinking comes in, and that’s where we as professionals — and FAIR as a framework for critical thinking — provide exceptional value.