Every one of us today is attempting to move from a less desirable state toward a more desirable one. We are goal directed; whether those goals are ignoble or not matters little. The farmer and the criminal alike seek after something more desirable. This is true of individual behaviour and of corporate action. Along this path we face scarcity of resources and absolute limits on our time. Eventually we die. Because of the foregoing, we make daily trade-offs in the actions we take and don't take, and we approach our goals systematically. The fool and the wise both have a process.
So when a business fails to address any number of risks, is it behaving irrationally? Anyone with in-depth knowledge of a field is tuned into its risks. The Bundesnachrichtendienst knows more about the threat of terrorism to Berlin than I do. The top security researchers know just how vulnerable our systems are to a directed attack by a highly skilled person. Many security researchers carp endlessly that people "don't get it", that they are victims waiting to happen. As a generalization this is true, but I believe the behaviour is not irrational. The corporate result may appear irrational, but the individual activity is not. Most people assess risks based on some degree of locality and recent occurrence; for example, if you discovered that several of your neighbours had been mugged, you would grow more cautious. There have been sufficient numbers of viruses and exploits that most people have some degree of caution now. Inside corporations we have policies, practices, frameworks and protocols to address the threats, but there will always be residual risk.
When I found outstandingly bad practices inside a company, it used to be because of ignorance. This is not a slur; they didn't know or understand. In the last five years it has become increasingly due to limited resources. I believe this is progress. The goal of security has always been to build reliable and dependable systems in the face of misadventure, malice, and error. I would add a secondary goal, and that would be to accomplish a better result over time at a lower cost*.
You cannot address all risks, so you have to divide them into those that can be measured statistically and assigned probabilities, and those whose statistical profile is not known, for example a terrorist attack or an earthquake. For those with known probabilities and losses, the approaches are well established. For those that occur infrequently with catastrophic consequences, the best we can do now is build resilient systems and set aside financial reserves. Time and experience aid us in addressing risk; we will never be fully protected. The purist and the idealist in any field is a cynic in training; the discipline of disciplines is balance.
*This must be done even in the face of ossified regulatory burdens.