In a recent article in Security Journal, William Harris and Moufida Sadok examine the question "How do professionals assess security risks in practice?". The results, though anticipated by proponents of a risk-based approach to security, are alarming, and they raise a further question: given the extensive academic literature supporting a risk-based approach to security, why don't security professionals consistently adopt one?
Their report highlights that security risk assessment is a multifaceted field encompassing various standards and frameworks, but that its practical implementation in organisations is inconsistent. The domain is marred by ambiguities in basic terminology, which lead to inconsistent practice, and many security professionals lean heavily on intuition and prior experience rather than on accepted standards.
Such inconsistencies in defining risk have real-world consequences. Without a rigorous risk assessment, organisations may suffer reputational damage, legal complications and financial losses, because risk assessment is what sets the priorities for addressing threats. While the Australian handbook HB 167:2006 is a popular framework, no single definition or approach dominates the field.
Crucially, the perception of risk varies with social, cultural and political lenses. While expertise and judgement remain invaluable, a standardised approach grounded in commonly accepted terminology is needed; ISO 31000, for instance, could serve as the foundation for such standardisation.
Three major themes emerge from this discourse:
The essence is clear: individual expertise should not be discounted, but the field demands more clarity. Standardised terminology, such as that set out in ISO 31000, could bridge communication gaps and raise the quality of security risk assessment practice.
To read the full article, visit https://link.springer.com/article/10.1057/s41284-023-00389-y.