Evolving Risk

Gunnar has a good post about evolving risk. A small startup company has high business risk (easy to fail) and low security risk (not much to steal), while a big successful company has low business risk and high security risk. Pretending those different kinds of risk don’t change, or that they change in the same direction, leads to problems:

When the business reality is dynamic and the security model is static, then errors creep in.

Paul Madsen on Evolving Risk, Gunnar Peterson, 1 Raindrop, 20 Nov 2006

There are exceptions, of course, such as Andersen and Enron. Come to think of it, in both those cases business risk was high, because there wasn’t much solid content, such as intellectual property or customers who would continue buying product once the big security risk materialized: somebody finding out how the books had been finagled. There was no sustained machine. The security risk was that someone might discover that.

For some reason I feel compelled to quote Gunnar’s last paragraph:

As usual the shades of gray in reality don’t map too well to black and white models. As John Quarterman shows: risk moves


1 thought on “Evolving Risk”

  1. China Law Blog

    Get On The China Train, Hard Seat Notwithstanding

    Had a long conversation today with a longtime client on the pros and cons of doing business in China. His is a relatively small but very international company that is being pushed hard on prices by competitors that are much farther along in China than m…
