Overview
Explore a critical examination of risk management's privileged position in cybersecurity in this 21-minute conference talk from USENIX Security '25. The talk challenges the conventional wisdom that treats risk management as an axiomatic truth by asking whether quantifying likelihood and impact actually leads to effective hazard reduction. It surveys the proliferation of over 200 risk management standards and questions which of them truly work, and what "effectiveness" even means in this context. It analyzes the paradox highlighted by authorities such as NASA, which acknowledges "vigorous debate" over risk management approaches while simultaneously asserting that they are critical to program success and affordability. It shows how standardizing answers to "impossible to answer questions," such as an acceptable phishing test failure rate, can reduce costs, whereas forcing each company to make its own determination tends to leave half of them over-permissive and half too strict, as expected from a normal distribution. The talk argues that risk framing may create more problems than it solves and suggests reallocating energy from traditional risk management to more productive security work. Finally, it treats risk management techniques as objects of study, evaluating their accuracy, precision, cost-effectiveness, and decision sensitivity, and explores alternative properties that influence security decisions, including implementation costs and the distribution of responsibility.
Syllabus
USENIX Security '25 (Enigma Track) - Risk Is Not a Hammer, and Most Hazards Aren't Nails
Taught by
USENIX