Abstract

Risk management is widely seen as the basis for cybersecurity in contemporary organizations, but practitioners continue to dispute its value. This article analyzes debate over computer security risk management in the 1970s and 1980s United States, using this debate to enhance our understanding of the value of computer security metrics more generally. Regulators placed a high value on risk analysis and measurement because of their association with objectivity, control, and efficiency. However, practitioners disputed the value of risk analysis, questioning the final measurement of risk. The author argues that computer security risk management was most valuable not because it provided an accurate measure of risk, but because the process of accounting for risks could contribute to organizational learning. Unfortunately, however, organizations were sorely tempted to go through the motions of risk management without engaging in the more difficult process of learning.
