Tuesday, 22 May 2012

It's all about risk

Risk is a good word that often used badly. I read a politicians comment today which said that nuclear power was "posing safety and environmental risks" which is a nonsense quote because risk is a measurement, not an absolute. It is fair enough to say the risk is "too great" or even something is a "bit risky" but to use the word risk unqualified is to show staggering ignorance when dealing with important topics.
A case relevant to computing. ico_fines_central_london_trust talks of an NHS trust who were faxing private patient data to the wrong fax recipient for 3 months before anyone did anything about it. Why, you all shout, were they not using email instead in this day and age? Well obviously if you send something over email, someone can intercept it in plain text and this would be bad - a risk - so we will allow a human to type a fax number and hope that it is correct instead.
With risk management, a more measured approach should have been taken. Is faxing risky? Yes, are telephone calls risky? Yes. Is email risky? Yes. But the amount of risk is what should dictate either that we pick the least risky method or that we need another option (such as paying for encrypted mail or whatever). My guess would be, when comparing email with fax, that fax is definitely much riskier. Email addresses are held in an address book and can be verified before use to ensure they do actually go to the correct person, we then accept the risk that some nation state may wish to hack an internet line somewhere and try and read our emails.
If we fail to actually measure risk using, even the simple metric of how likely x how serious then we will repeatedly make this childish mistakes with our systems. Let's start discussing risk when making decisions, let us start saying this is a risk level 8 proposition which needs mitigation or avoidance, let us stop playing like children who argue to make decisions and bring some clarity and objectivity to the situation.
Post a Comment