Gunnar has a good post about evolving risk. A small startup company has high business risk (easy to fail) and low security risk (not much to steal), while a big successful company has low business risk and high security risk. Pretending those different kinds of risk don’t change, or that they change in the same direction, leads to problems:
When the business reality is dynamic and the security model is static, then errors creep in.
Paul Madsen on Evolving Risk, Gunnar Peterson, 1 Raindrop, 20 Nov 2006
There are exceptions, of course, such as Andersen and Enron. Come to think of it, in both those cases business risk was high because there wasn't much solid content, such as intellectual property or customers who would continue buying product, to fall back on once the big security risk, somebody finding out how the books had been finagled, materialized. There was no sustained machine. The security risk was that someone might discover that.
For some reason I feel compelled to quote Gunnar’s last paragraph:
As usual the shades of gray in reality don't map too well to black and white models. As John Quarterman shows: risk moves.