Flushing Away Preconceptions of Risk

Explore the often misunderstood concept of risk in business and security programs through this 36-minute conference talk from the 44CON Information Security Conference. Delve into three key areas of the risk conundrum, uncovering the elusive art of understanding and measuring risk. Learn why risk is an inherent and valuable part of any organization, challenging the common misconception that it should be eliminated entirely. Discover the problems with ordinal numbers in risk assessment, the impact of "Black Swan" events, and lessons from casino operations. Examine historical examples, myths, and real-world scenarios that illustrate risk interpretation and treatment. Gain insights into causation vs. correlation, incident management, and effective risk response strategies. Walk away with practical takeaways to recognize risk patterns, understand the difference between various risk concepts, and realize that risk mitigation is an ongoing process rather than a final state.

Introduction
Disclaimer
Interpretation of Risk
Measuring Risk
The Problem with Ordinal Numbers
The Black Swan
Casinos
Treatment of Risk
History
Myth
Pacific Island
Laptop Lock Leads
Encryption
Causation vs Correlation
How do we respond
Table stakes
Incident management
Takeaways
Recognize the difference
Spot patterns
Risk hasnt been mitigated