Risk and Responsibility
It came as news to me that there is a UK Risk and Regulation Advisory Council (RRAC). It has been considering how distorted perceptions of risk can encourage poor policy-making and unnecessary laws.
The RRAC's report on Response with Responsibility Policy-Making for Public Risk in the 21st Century includes some useful discussion and ideas on the perception of risk. I think there are many parallels with information security risk such as the un-necessary spreading of Fear, Uncertainty and Doubt and risk perception & risk-reduction behaviour in The Psychology of Security.
Information privacy and security professionals would do well to read the case study on "Tree Safety – The Role of the Risk Actor" on page 15 of the RRAC report which discussed a proposal for tree safety management and a lack of participtaion during the consultation stages except for arboriculturalists ("tree consultants").
...the draft specified at least one professional arboriculturalist's inspection every five years – for all trees. This would replace the uncertainty of legal liability with a certainty of cost...
The privacy and security industry need to make sure, we don't blindly recommend the ALARP principle (As Low As is Reasonably Practical), or be seen as promoting our own vested interests, whether by being a product vendor or provider of consultancy services. Yes, risks should be kept as low as reasonably practicable, but they need to be considered in the context of the individuals, the business and society.
Posted on: 17 July 2009 at 10:48 hrs
Comments are filtered automatically and should appear shortly after they been checked.