Shostack + Friends Blog Archive


Jack Jones on Risk Management


I really enjoyed watching the podcast version of a talk that Jack Jones gave at Purdue, “Shifting focus: Aligning security with risk management.”

I liked the opener, about what it’s like for executives to talk to security professionals, and the difference between what might happen and what’s likely to happen [link to no longer works]. The screenshot is from a discussion of how to play Russian Roulette.

I also like the way he critiqued best practices (you’ll have to watch). It’s a little hard for me to assess his risk management methodology from a podcast, but it’s a very worthwhile 45 minutes.

(Now if only he had some Kandinsky in there, I’d have no doubt that the Risk Management Insight Institute, which Jack heads, is part of what we call the “New School.”)

3 comments on "Jack Jones on Risk Management"

  • alex says:

    Thanks for the kind post. Jack and I have -no- issues calling ourselves “New School” 🙂
    We’ll probably be among your most vocal advocates.

  • Michael says:

    His whitepaper “An Introduction to Factor Analysis of Information Risk (FAIR)” is standard reading on my team…great to see him speak, thanks for the post!

  • Antonomasia says:

    According to this book, probabilities are best communicated using numbers (e.g. 15 out of 100 people in this situation will find …) because this avoids confusion over what the probability applies to.
    It seems to me the problem at the start of the podcast is as much about communicating risk assessment as forming it in the first place.
