Richard Baskerville

Publication


Authors: Baskerville, R.
Date: 1991
Title: “Risk Analysis as a Source of Professional Knowledge”
Journal: Computers & Security, 10 (8)
Pages: 749-764

Keywords


control feasibility, information system controls, risk analysis, security ethics, security knowledge, statistical decision theory

Abstract


Most severe criticism of computer security risk analysis is founded on a single, positivist, philosophical viewpoint. From this viewpoint, the method lacks objective elementary data points, and its simple statistical decision model fails at least one major test of scientific methods. However, such a method might be scientifically valid as a source for professional knowledge when applied within more appropriate social philosophical frameworks. For example, risk analysis has been, from its earliest descriptions, suitable as an interpretive artifact. The practical implications of these concepts include the importance of experience for practitioners, the ease of misuse, and the danger to the method's validity of naive extensions or adjustments to the original simple method. The practitioner should also recognize the ethical issues raised by the method's communication channel.
