Educause Security Discussion mailing list archives

Re: Risks and standards development in networking and Blackberrys/Mobility


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 18 Oct 2005 23:32:55 -0400

On Tue, 18 Oct 2005 18:19:08 EDT, James H Moore said:

> Our first task is to do risk mapping, identifying risks and then
> prioritizing them.  We have to identify all risks, including risks of
> lost productivity if certain features are not present.

What's the risk value of failing to identify a risk?

Karger and Schell identified a specific risk in their 1974 pen-test
paper on Multics.  Ken Thompson then improved on it, and gave his
Turing Award lecture 'On Trusting Trust' on it.

http://www.acm.org/classics/sep95/

Is that on your list? Should it be?

How about "trusted sysadmin goes around the bend and does <insert worst case
scenario here> to systems before he's tracked down, but the SWAT team nails him
before you get a list of what he did" (keeping in mind that there may not be
a trustable backup to restore from, if he went around the bend a while ago)?

How about "Board of Trustees passes resolution banning the University from
doing business with convicted monopolists"?

I could list some *really* off-the-wall risks, but everybody knows I'm a raving
member of the Tinfoil Helmet Brigade and never takes me seriously.. ;)

Bottom line: you can't identify *all* the risks.  The best you can do is
identify as many as you can within the time and budget available....
