This is cache of http://riskmanagementinsight.com/riskanalysis/?p=349. Cache is the snapshot of article that we took when we index feed.
Critical thinking
2008-04-21 14:42:28 by Alex in RiskAnalys.is
 

Another perspective on risk management that I’ve found useful is to recognize that risk issues are “open-ended” in nature rather than “well-structured”.  Well-structured problems can be reasoned to a single correct answer – e.g., 3+3=6, or “Will I overdraw my bank account if I write this check?”  Open-ended problems, on the other hand, are those that can’t be reasoned to a single, undisputed correct answer. Examples of open-ended problems include:

  • What’s the right solution for peace in the Middle East?
  • What’s the best financial investment or insurance plan?
  • Should I step on the accelerator or the brake at this yellow traffic signal?

Most of the information security/risk problems we face are open-ended – in other words, there are very few clear, undisputed correct answers.  Examples of open-ended questions we’re forced to deal with include:

  • What’s the best solution for this risk issue?
  • Is this amount of risk acceptable?
  • What is the highest priority of our many security issues?

Because these issues defy simple, indisputable answers, and because each of our circumstances will vary, we’re forced to apply critical thinking skills.  This, of course, flies in the face of prescriptive standards and “best practices” that try to portray the risk landscape as black and white (well-structured) when it’s clearly shades of grey (open-ended).  To be fair, non-prescriptive standards and “best practices” play an important role as directional references — compasses, so to speak.  But even a really good compass can’t always account for the unique circumstances we encounter.

As I see it, any grade school graduate can recite a standard or compare a checklist against what they see in front of them.  Whether we realize it or not and whether we like it or not, we have to prioritize, make decisions, and defend/explain our rationale within a complex open-ended environment.  Sometimes a specific best practice or standard will be the most cost-effective solution for a given circumstance; sometimes it won’t.  The important thing is being able to recognize the difference.  That’s where critical thinking comes in, and that’s where we provide real value as professionals.

An interesting one-page matrix (in a Word document) that categorizes thought process maturity can be found here.  It’s worth a read.

 
 
 
 
 
 