4 Comments
User's avatar
Saed's avatar

What a pleasant read, massive crossovers over here in cyber, I really enjoyed how you articulated the fact that risk is actually subjective and how really all it boils down to is the organisations best judgement! Recommend this one!

Mahir Chowdhury's avatar

Glad you enjoyed it Saed, I would disagree with your subjective point RE risk. For e.g. an unpatched server (the risk) is objectively vulnerable, the subjective part will come into your risk response. Two different organisations may see the same risk and respond completely different based on their appetite, constraints, priorities and regulatory pressure. Happy to take this offline!

Saed's avatar

Great point, I think we’re probably closer in view than my original comment suggested. The vulnerability itself may absolutely be objective to your example about the unpatched server, but the risk still seems inseparable from informed judgement around likelihood, impact, tolerance, and context.

Two organisations can look at the exact same exposure and arrive at entirely different conclusions on materiality or urgency, which is why risk acceptance is such an interesting area. At some point, someone’s name and accountability sits behind the decision to tolerate it, transfer it, mitigate it, or accept it. That human and organisational judgement piece is what I was getting at.

Really enjoyed the article and the discussion and I’m definitely ready to circle back on this offline as there’s a lot of nuance in it

Mahir Chowdhury's avatar

Feels like we are converging on the same core idea from slightly different angles. I think the distinction that’s emerging is that vulnerability is objective, but response is contextual.

Also your point on accountability is key, at the end of the day, risk decisions aren’t abstract, they’re owned. That’s what makes risk acceptance such a nuanced (and sometimes uncomfortable) space.