A number of years ago, when writing my master's thesis, I had the great pleasure of meeting the author of this book (Dylan Evans) and got some fantastic insights into how he viewed risk. At the time he was in the middle of writing this book, but after I finished my thesis and went back to focusing on the day job, I somehow managed to completely forget that the book was being written.
However, during one of my random walks around the bookshop before Christmas, I stumbled upon it and picked it up immediately, as I knew it was going to be interesting. And I can safely say it didn't disappoint.
Working in information security, you're surrounded by the concept of risk. Every day you make judgement calls on the risk of particular scenarios and advise on controls to help manage those risks.
However, have you ever asked yourself how sure you are of these decisions? How sure are you about the likelihood of a threat occurring, and that it will actually have the level of impact you assigned to it? If you haven't, then skip the rest of this review and just go out and buy this book!
If you have thought about this, then you'll know that ultimately, when we evaluate risks, we estimate. Yes, we try to use any existing data that we have, but in the end we need to estimate based on our experience and judgement.
Why? Well, there are many reasons for this, but here are a few: we don't have enough data, historical data isn't a reliable predictor of future security events, and ultimately we can't predict the future with certainty.
By the way, if by chance you can predict the future with absolute certainty, then give me a ring and we'll do the lottery this Saturday!
So if we are providing estimates every day, how good are we at making those estimates?
That's exactly the topic of the book Risk Intelligence. While there are many interpretations of the term risk intelligence, Evans defines it as the ability to estimate probabilities accurately. It's about gaining a better insight into our own inherent over- or under-confidence, along with an understanding of the natural biases that we are all subject to, and then consciously forcing ourselves to counteract these in order to improve our ability to estimate risk.
I first came across this concept three years ago when investigating quantitative approaches to optimising information security investment for my master's thesis, through the books Risk Analysis by David Vose and How to Measure Anything by Doug Hubbard. However, both only touch briefly on the topic, and I was always interested in reading a more detailed discussion of it. By the way, if you haven't read any of Doug Hubbard's books, put them on your reading list too!
This book is an effortlessly easy read and covers the many challenges to making more accurate estimates, along with examples of how to identify these challenges and reduce their influence.
These challenges cover topics such as over- and under-confidence, accuracy vs. precision, biases such as availability, source credibility and confirmation, organisational culture, interpretation of statistics, black swans and many more.
What I particularly liked about the book is that each concept is linked back to an easy-to-understand example or anecdote, making the book far more accessible than your average risk textbook.
Additionally, Evans' company ProjectionPoint offers a free online test that allows you to evaluate your own risk intelligence. I found this a really practical way to illustrate the point and to gain a better insight into your own current state of risk intelligence. The book also contains data on the results of previous test takers, so you can baseline your level against others.
If you work in any kind of risk management, or even if you would just like to better understand how good (or bad) decisions are made in your everyday life, I'd highly recommend reading this book.
Links:
Amazon http://www.amazon.co.uk/Risk-Intelligence-How-Live-Uncertainty/dp/1451610904