Just ask a security professional about the essence of her profession, or open a book about the basics of security, and it will no doubt start somewhere around the explanation of risk and the need for risk management. It is obvious to anyone who works in this sector that security is about risks. An event may happen in the future with some certainty and will cause an unwanted impact; yes, this is the definition of risk, and this is what has to be dealt with in the domain of security. The only question, then, is why it is so hard to find efficiently working risk management, and why we hear so many complaints from experts about the lack of risk awareness in management, especially if we consider the importance of security, the very security that is built around risk.
One of the reasons why risks are neglected (at least more than we’d like to see) is perhaps the financial decisions from which they are left out.
What do I mean, and how should risks and risk decisions be approached then?