Is Risk-Based Security a Failed Concept?
This paper considers Donn Parker's arguments against risk analysis playing a role in information security management. I examine one by one Parker's reasons in support of his proposal, namely that diligence-based methods should replace risk-based information security. I show that the proposal rests on a false dichotomy and that none of his arguments has any force. I conclude that Parker has not succeeded in showing that diligence-based information security should replace risk-based approaches.
