We (many of us, anyway) in the infosec profession have a deeply dysfunctional relationship with risk. Here is one of the shining examples why (quoting from this dailydave post; emphasis is mine):
'One of the panelists began talking about defining "Acceptable Risk Levels" within organizations. (These were CIOs, CTOs, CSOs etc. for multi-billion/million-dollar companies.) When I heard these people speaking I realized that they never got into anything specific.
Instead it was as if they were just talking about ideas that they briefly read about in magazines or online articles. So I decided to ask them something specific.
My first question to them was "In order to properly understand your acceptable risk level you must first understand the threats faced by your business, correct?" They all nodded in agreement. My second question to them was "Where do you get your threat intelligence?"'
As reported, it was all downhill from there ... :-) Read on