Shostack + Friends Blog

Stop Trying to Manage Risk!

Risk doesn’t do what we hope. We need to talk.

Stop Trying To Manage Risk! That’s the title of my keynote for OWASP Global Appsec in Washington DC on Friday. And if you’re saying “WTF,” well, good. That’s the goal: to make you stop and think.

People hope risk management will solve all their cyber problems. Those people include executives and engineers. But the reality is, it doesn’t, and it doesn’t in what’s frankly a spectacular failure. It’s so spectacular that we hate to talk about it because that violates those hopes.

What’s more:

“Risk” is also treated as an unquestionable axiom in cybersecurity
“Risk” does not solve all our problems
This leads to cognitive dissonance ... and needless fights

If you find my lack of faith ... disturbing, well, show up Friday morning, ideally with an open mind.

Originally published by Adam on 05 Nov 2025
Categories: security

Our Favorite Content

General threat modeling posts

The Security Principles of Saltzer and Schroeder, illustrated with Star Wars

Subscribe (RSS/Mail)

RSS/ATOM: The RSS feed is here. We recommend RSS as the best way to follow this blog, and think generally RSS is the best way to take control of the information you take in. You can read our thinking here.

Email: If you’d like a lower volume set of updates on what Adam is doing, Adam’s New Thing gets only a few messages a year, guaranteed. We include a subset of posts in each.