Following on from my Effective Security Means Doing More with Less Risk post, we need to consider how to deal with risk.
The options are quite simple.
- Ignore it and hope the bad thing won't happen.
- Accept it as being manageable.
- Take steps to mitigate it, thereby reducing the risk to a manageable level.
Before you can do any of the above you have to define your boundaries, resources and allowable information flows, be aware of the current threat landscape, and measure your level of risk.
Making risk decisions is a normal part of doing business, and in fact of living life too. Many such decisions we make without conscious thought.
Security-related risk decisions should be treated in the same manner.
Each of us may have a different risk comfort level based on our own unique view on life. The same is true of each organisation. A startup company can easily reinvent itself if its brand is tarnished due to a security or privacy compromise. A large corporate (or charity) with an established brand is likely to go to great lengths to protect itself. It takes time to develop oneself as a trustworthy entity in the physical world, and generally speaking this is true in the logical sense too. It only takes moments to lose credibility.