In his Survey of current thinking, Malcolm Sparrow describes how various public and private organizations are beginning to respond to threats in a domain-specific manner instead of following general regulatory dictates - for example to crime problems, environmental issues, occupational hazards, or patterns of drug smuggling.
"What’s odd, when you look at this new pattern of behavior, is that there does not seem to be a well-established language for it. Different professions have quite different vocabularies. In the police profession it’s called “problem-oriented policing.”"
I don't know why this seems odd to a university researcher whose past work has focused on regulatory practice, since regulatory compliance is responsible to a large degree for mindless risk management.
Why?
Compliance regulations provide general guidelines and checklists of risk controls that companies must implement. In the case of Sarbox (Sarbanes-Oxley), a general statement (Section 404) required interpretation, and that interpretation grew into a $100BN franchise for accounting firms and technology companies. When you use a big regulatory stick on an organization, you send the message that improving risk understanding is a non-value-added activity, since the business objective is compliance rather than understanding the root causes of why senior executives steal.
However, all is not lost.
An excellent methodology exists for understanding the root causes of risk: threat modeling. It is a mature methodology with implementations from Microsoft and from groups like PTA (Practical Threat Analysis) Technologies.
In a threat modeling exercise, analysts and business decision makers work from a model with four kinds of entity: assets, vulnerabilities in those assets, threats (which cause damage by exploiting vulnerabilities), and countermeasures (which mitigate threats). The beauty of threat modeling is that this vocabulary is a common language that anyone in the organization can understand.
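To make the four-entity model concrete, here is an added illustration in Python. It is not PTA's or Microsoft's code and does not reproduce their scoring; it assumes a simple annualized-expected-loss score (probability of the threat occurring, times the share of asset value it destroys, times the value of the assets whose vulnerabilities it exploits), assumes that independent countermeasures reduce a threat's risk multiplicatively, and uses constructed asset values, probabilities and costs. The point it adds to the paragraph above is the consistency check (every vulnerability must sit on a known asset, every threat must exploit known vulnerabilities, every countermeasure must mitigate known threats) and the ranking of countermeasures by risk reduction per unit of cost, which is the question business decision makers actually want answered.

```python
"""Toy threat model: assets, vulnerabilities, threats, countermeasures.

Added illustration, not PTA's or Microsoft's code. Scoring is assumed
(annualized expected loss); all figures below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float                    # what the asset is worth to the business


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: str                      # Asset the weakness sits on


@dataclass(frozen=True)
class Threat:
    name: str
    exploits: Tuple[str, ...]       # Vulnerability names the threat abuses
    probability: float              # assumed chance of occurring per year
    damage_fraction: float          # share of the asset value lost if it does


@dataclass(frozen=True)
class Countermeasure:
    name: str
    mitigates: Dict[str, float]     # threat name -> fraction of its risk removed
    cost: float


@dataclass(frozen=True)
class ThreatModel:
    assets: Tuple[Asset, ...]
    vulnerabilities: Tuple[Vulnerability, ...]
    threats: Tuple[Threat, ...]
    countermeasures: Tuple[Countermeasure, ...]

    def validate(self) -> None:
        """Reject dangling references and out-of-range probabilities."""
        asset_names = {a.name for a in self.assets}
        vuln_names = {v.name for v in self.vulnerabilities}
        threat_names = {t.name for t in self.threats}
        for v in self.vulnerabilities:
            if v.asset not in asset_names:
                raise ValueError(f"vulnerability {v.name!r} on unknown asset {v.asset!r}")
        for t in self.threats:
            if set(t.exploits) - vuln_names:
                raise ValueError(f"threat {t.name!r} exploits unknown vulnerabilities")
            if not (0.0 <= t.probability <= 1.0 and 0.0 <= t.damage_fraction <= 1.0):
                raise ValueError(f"threat {t.name!r} has values outside [0, 1]")
        for c in self.countermeasures:
            if set(c.mitigates) - threat_names:
                raise ValueError(f"countermeasure {c.name!r} mitigates unknown threats")

    def threat_risk(self, threat: Threat) -> float:
        """Expected annual loss from one threat; each asset counted once."""
        vulns = {v.name: v for v in self.vulnerabilities}
        assets = {a.name: a for a in self.assets}
        exposed = {vulns[n].asset for n in threat.exploits}
        return threat.probability * threat.damage_fraction * sum(assets[a].value for a in exposed)

    def residual_risk(self, selected: Iterable[str]) -> float:
        """Total expected loss after applying the named countermeasures."""
        chosen = [c for c in self.countermeasures if c.name in set(selected)]
        total = 0.0
        for t in self.threats:
            remaining = 1.0
            for c in chosen:                    # independent mitigations multiply
                remaining *= 1.0 - c.mitigates.get(t.name, 0.0)
            total += self.threat_risk(t) * remaining
        return total

    def total_risk(self) -> float:
        return self.residual_risk([])

    def rank_countermeasures(self) -> List[Tuple[str, float, float]]:
        """(name, risk reduction when applied alone, reduction per unit cost), best first."""
        baseline = self.total_risk()
        rows = [(c.name, baseline - self.residual_risk([c.name]), 0.0) for c in self.countermeasures]
        rows = [(n, r, r / c.cost) for (n, r, _), c in zip(rows, self.countermeasures)]
        return sorted(rows, key=lambda row: row[2], reverse=True)


def model_is_consistent(model: ThreatModel) -> bool:
    try:
        model.validate()
        return True
    except ValueError:
        return False


# Constructed sample model (not real figures).
MODEL = ThreatModel(
    assets=(Asset("customer_db", 1_000_000.0), Asset("web_server", 100_000.0)),
    vulnerabilities=(Vulnerability("sqli_in_search", "customer_db"),
                     Vulnerability("unpatched_web_server", "web_server"),
                     Vulnerability("weak_admin_password", "customer_db")),
    threats=(Threat("sql injection data theft", ("sqli_in_search",), 0.3, 0.5),
             Threat("web server compromise", ("unpatched_web_server",), 0.2, 1.0),
             Threat("admin credential stuffing", ("weak_admin_password",), 0.1, 0.4)),
    countermeasures=(Countermeasure("parameterized queries", {"sql injection data theft": 0.9}, 20_000.0),
                     Countermeasure("web application firewall",
                                    {"sql injection data theft": 0.5, "web server compromise": 0.3}, 30_000.0),
                     Countermeasure("admin mfa", {"admin credential stuffing": 0.95}, 10_000.0),
                     Countermeasure("patch management", {"web server compromise": 0.8}, 15_000.0)),
)

if __name__ == "__main__":
    MODEL.validate()
    print(f"total annual risk: {MODEL.total_risk():,.0f}")
    for name, reduction, ratio in MODEL.rank_countermeasures():
        print(f"{name:28s} reduces {reduction:>10,.0f}  ({ratio:.2f} per unit cost)")
    print(f"residual with all: {MODEL.residual_risk(c.name for c in MODEL.countermeasures):,.0f}")
```

Running it shows why the model is a common language: a business owner can argue about asset values and the cost of a control, an analyst can argue about probabilities and mitigation fractions, and the ranking that falls out (here, parameterized queries first and patch management last) is the decision both sides were really debating.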
You can download the free risk assessment tool PTA Professional - we'd be happy to hear whether you, too, find threat modeling a useful tool for risk assessment.
