Removing The Ambiguity Surrounding Risk Ownership

“Dan Geer recalled listening to a bank presentation on the company’s risk calculations, in which an executive expressed full faith in his figures. He knew they were accurate, the man said, there was no ambiguity about who ‘owned’ each risk, from which priorities were determined.

“In our field, there’s almost nothing but ambiguity about who owns what risk,” Geer told an audience at last week’s Usenix Security Symposium. Assigning risk ownership and determining risk values are paramount to the industry’s future, he cautioned. ‘If we do not measure it, it simply will be assigned by legislative fiat.’”