Topic 1: Risk Management Math
Risk management is all about getting the math right.
If there is one universal truth, it is that bad things can happen. With risk management, the only worry is getting the math wrong. Risk management is forecasting events based on mathematical models.
- If you are going to manage risks successfully, you have to make sure that your assumptions and quantifications are the same across all of your risks.
- Use more than one way of analyzing and quantifying risk events.
- Use past event occurrences as models for quantification.
The real risk to your project is not in the event that something bad happens; it is only in getting the math wrong. An example of the math involved would be rating a risk for probability and impact to determine a quantifiable score for the risk.
Do you agree or disagree with this premise? Take a position on this approach to risk.
Topic 2: Risk Assessments
Is there a need for risk assessments?
You are asked to act as the security representative on a high-profile B2C e-commerce project. After examining the requirements provided by the project manager, you submit your recommendations for ensuring that the project is securely implemented. A few weeks later, you find yourself in several meetings in which your concerns are labeled paranoid, expensive, and unnecessary. As if things are not bad enough, the vice president overseeing the project requests justification for each of your recommendations.
You know intuitively that security problems will crop up if your recommendations are not followed, but you are now forced into a situation where you need hard facts to back up your gut feelings. How can you quickly and efficiently provide the justification the VP is requesting? What could you have done to avoid the situation altogether?