Heard Bruce Schneier speak in the Kohn Lecture last evening at the 92nd Street Y.
Schneier’s five steps to security analysis make sense to me and I enjoyed his examples. The five steps:
1. What assets are you trying to protect?
2. What are the risks to those assets?
3. How well does the security solution mitigate the risks?
4. What other risks does the security solution cause?
5. What costs and trade-offs does the security solution impose?
He was wonderfully clear about the trade-offs in security, but a bit blurry on threat and risk at times despite his efforts to avoid conflating the two. Nonetheless, I was a bit disappointed by the rigor in the discussion. I suppose I’m lamenting the substitution of the political for the technical in the lecture, though Schneier was quite clear that he’s not running for office. I’ve not yet had the chance to read the entirety of the book, Beyond Fear, in which, from what I’ve already read, he’s clearly more technical.
Still, Schneier is not addressing risk as conceptually or as thoroughly as Peter L. Bernstein does in Against the Gods: The Remarkable Story of Risk, which takes a historical, mathematical and conceptual view of risk, ultimately discussing risk in modern financial market terms. While not directly on point to Schneier’s discussion in terms of security, nor to operational risk as I conceive of it from my time in the field in EMS, Bernstein’s historical, mathematical and conceptual discussion would enrich strategic planning in the entire emergency management field.