The traditional risk management factors you are all taught include the staid process of categorizing potential threats and risks, evaluating their likelihood of occurrence, and estimating the damage that would result from them if not mitigated. The costs of the potential mitigations and controls are measured against the potential damage. Mitigations are put in place if they are cheaper and better to implement than allowing the risks and threats to occur.

You have all fretted about the difficulty of calculating both the likelihood of an event and its potential damages. They have always been more like a best guess than an insurance actuarial table. How can anyone estimate with any accuracy the chances that a sophisticated ransomware, DDoS or insider attack will hit their organization in a given year, or what assets it might be able to take out? Can anyone prove that the likelihood is 20% versus 60% in a given year?

We all struggle with those large estimation issues, but there are a ton of other factors that impact risk management. Here are ten that are rarely discussed openly.

1. Fighting over “might happen” risk

Every risk assessment is a fight between something that might happen and doing nothing, especially if it hasn’t happened before. Many people believe it’s cheaper to do nothing, and those who fight to do something might be seen as wasting money. “Why waste the money? That’s never going to happen!”

Few people get in trouble for following the status quo and doing what has always been done. It’s far harder to push to be proactive, especially when large sums of money are involved, than to just wait for the damage to happen and address it then.

The story I like to use is 9/11 and air travel safety. It’s not like air travel safety experts didn’t already know before 9/11/01 that a hijacker could take over a cockpit using a boxcutter or smuggle explosives onto a plane. These risks had been known for decades. Imagine the public outcry if passengers had been made to throw out their water bottles and get full-body scans before 9/11 happened. It would have outraged the public, and the airlines would have proactively tried to get rid of the security measures.

After 9/11, we happily take off our shoes, throw away our water bottles, and subject ourselves to full-body scans. Getting real money to fight possible risks is much harder than getting the money after the damage has happened. It takes real bravery every time a risk assessor warns about a problem that has never happened. They are the unsung heroes.

2. Political risk

Proactive risk-taking leads to the next unknown risk component: political risk. Every time proactive heroes argue for something that never happens, they lose a little bit of their political capital. The only time they win is when the thing they were proactive about happens. If they are successful and convince the company to put controls and mitigations in place so the bad thing never happens, well, it never happens.

It’s a self-defeating prophecy. When they win, no one ever knows, because they successfully argued for the controls. So, each time the thing they worried about never happens, they are seen as “crying wolf.” They lose political capital.

Anyone who has fought one of these risk management battles can tell you they don’t want to take on too many of them. Each one taken burns their reputation a bit (or a lot). So, proactive warriors calculate which battles they want to fight. Over time, seasoned warriors pick fewer battles. They have to. It’s survival of the fittest. Many of them are just waiting for the day when a really bad thing that they didn’t fight to prevent happens, hurts the organization, and makes them the scapegoats.

3. “We say it’s done, but not really” risk

Many of the controls and mitigations we say we have done aren’t really done… at least not at 100%. Many people in the process understand it’s not really done. The most common examples are patching and backups. Most companies I know say they are 99% to 100% patched. In my over 30-year career of checking on the patch status of millions of devices, I’ve never found one that was truly fully patched. Yet every company I’ve audited told me they were fully patched or nearly so.

The same is true of backups. The current ransomware epidemic has laid bare that most organizations don’t do good backups. Despite most organizations and their auditors checking off for years that critical backups are both done and regularly tested, it takes just one big ransomware hit to show how radically different the truth is.

Everyone in risk management knows this. How can the person in charge of backups ever test everything when they aren’t given the time and resources to do so? To test whether a backup and restore would work, you would have to do a test restore of many different systems, all at once, into a separate environment where it would have to work (even though all the resources are pointing at the original environment). That takes a huge commitment of people, time, and other resources, and most organizations don’t give the responsible person any of that for the task.

4. Institutionalized risk: “It’s always been done that way”

It’s hard to argue against “that’s the way we’ve always done it,” especially when no attacks against the weakness have occurred for decades. For example, I frequently come across organizations that allow passwords to be six characters long and never changed. Sometimes it’s that way because the PC network passwords have to be the same as the passwords connecting to some archaic “big iron” system that the company depends on. Everyone might know that six-character, non-changing passwords are not a good idea, but it’s never caused any problems.

Good luck arguing that everything needs to be upgraded to support longer and more complex passwords, possibly spending millions of dollars. The institutional “wisdom” is against you, and most of those people have been there way longer than you.

5. Operational interruption risk

Every control and mitigation you implement might cause an operational issue. It might even disrupt operations. You are far more likely to get fired for accidentally disrupting operations than for proactively preventing some theoretical risk. For every control and mitigation that you push, you worry about the potential operational interruption it will cause.

The more radical the control, the more likely it is to mitigate every bit of the risk of the threat it is fighting, but the more suspicious you are that it can do so without operational interruption. If mitigating risks without causing operational interruption were easy, everyone would be doing it.

6. Employee dissatisfaction risk

No risk manager wants to make employees angry. If you want to do so, implement any control that restricts where they can go on the internet and what they can do on their computer. End users are responsible for 70% to 90% of all malicious data breaches (through phishing and social engineering). You cannot trust end users’ instincts to protect the organization.

Yet the mere mention of restrictions on what end users can do, such as allowing only pre-approved programs to run or restricting where they can go and what they can do on the internet, is met by hostility from most employees. The labor market is tight. Every company is struggling to get good employees, who don’t want to be told they can’t do whatever they want on “their” computer. Lock it down too much and they might go work somewhere else.

7. Customer dissatisfaction risk

No one wants to implement a policy or procedure that turns customers off. Upset customers become other companies’ happy customers. For example, credit card companies are far more concerned with accidentally denying a legitimate customer a legitimate transaction than with stopping fraud. They care about fraud, but at a level they feel is sustainable in the long term. The subcontractors and companies that make credit card transactions more accurate sell their services to the credit card companies on how well they avoid denying legitimate transactions. Customers wrongly denied twice in a year will use someone else’s credit card.

It’s also why you don’t need to use a PIN with a chipped card in the US. The rest of the world requires both the chip and a PIN, and this is by far the more secure option. How did it get that way? Because chip-and-PIN cards came to the US relatively recently, and merchants and customers were just getting used to swiping cards. Requiring people to insert the card so that the chip was read correctly was going to make a small percentage of transactions fail and upset some customers.

8. Cutting edge risk

People on the cutting edge often get cut. No one wants to be on the pointy tip of the spear. Early adopters are rarely rewarded for being early. They often become the lessons learned that make it easier for the herd to adopt improved tactics.

Two years ago, the US National Institute of Standards and Technology (NIST) said that its long-standing password policy of requiring long and complex passwords that are frequently changed caused more hacking than it prevented. Its new Digital Identity Guidelines, NIST Special Publication 800-63-3, say passwords can be short and non-complex, with no forced password changes unless you know the passwords have been compromised. It was a complete 180-degree turn from the previous advice, which had been accepted as dogma.

Since then, no compliance guideline or regulatory law has been updated to say that following the new advice is recommended or legal. I haven’t seen or heard of any companies moving to the new policies. That’s probably a good thing, because if you changed your policy and got hacked because of it, even if NIST said it was the right thing to do, fingers will be pointed at you asking why you did it. It’s much safer to wait for the herd to move to the new password policies and see whether they are proven right or wrong.

9. Time lag risk

You are almost always fighting some risk that has already happened to other people (or to your organization). You wait to see what tricks the hackers have up their sleeves and then create mitigations and controls to fight those new risks. Having to first wait to see what the hackers are doing creates a time lag from when the new malicious behavior is spotted until you can assess the new technique, think of new controls, and push them out. In a wait-and-see game, you are always behind.

10. “Can’t do everything right” risk

Last year more than 16,555 new public vulnerabilities were announced. More than 100 million unique malware programs are known. Every type of hacker, from nation-states to financial thieves to script kiddies, is trying to break into your organization. It’s a lot to worry about. You have no way to defend against it all unless someone gives you an unlimited amount of money, time and resources. The best you can do is guess (see #1 above) which are the most important risks and try to stop them.

These are not new components of risk assessment. They have always been there, and they are what you are all thinking about when assessing risk and thinking of controls. It all points to the fact that risk assessment and risk management are far harder to do than they seem, especially on paper or from formal theory in a book. When you consider all the things the average computer security person has to worry about and contemplate, it’s amazing that we can actually get it right most of the time.

Now go out there and continue to fight the good fight!
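The opening paragraph describes the textbook calculation (likelihood times damage, weighed against the cost of the control) and then asks whether anyone can really tell 20% from 60%. The script below is an added example, not part of the article, that carries that calculation through and flags when the answer flips inside the plausible likelihood range; the threat names and all dollar figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class RiskDecision:
    """One threat from a risk register, with the estimates the article describes.
    The likelihood range captures the 'is it 20% or 60%?' uncertainty."""
    threat: str
    damage: float            # estimated loss if the event occurs unmitigated
    mitigation_cost: float   # annualised cost of the control
    low_likelihood: float    # optimistic annual probability estimate
    high_likelihood: float   # pessimistic annual probability estimate

    def expected_loss(self, likelihood: float) -> float:
        """Annualised expected loss at a given probability: likelihood * damage."""
        return likelihood * self.damage

    def break_even_likelihood(self) -> float:
        """Probability at which the control costs exactly what it is expected to save."""
        if self.damage <= 0:
            raise ValueError("damage must be positive to compute a break-even point")
        return self.mitigation_cost / self.damage

    def verdict(self) -> str:
        """'mitigate' if the control pays off even at the optimistic estimate,
        'accept' if it never pays off even at the pessimistic one, otherwise
        'depends on the guess' (the range straddles the break-even point)."""
        be = self.break_even_likelihood()
        if self.low_likelihood >= be:
            return "mitigate"
        if self.high_likelihood <= be:
            return "accept"
        return "depends on the guess"


def assess(register: list[RiskDecision]) -> dict[str, str]:
    """Map each threat to its verdict so a whole register can be reviewed at once."""
    return {r.threat: r.verdict() for r in register}


# Constructed sample register; the 20%-60% spread is the article's own example of
# how wide a 'best guess' likelihood can be.
SAMPLE_REGISTER = [
    RiskDecision("ransomware", damage=2_000_000, mitigation_cost=600_000,
                 low_likelihood=0.2, high_likelihood=0.6),
    RiskDecision("ddos", damage=200_000, mitigation_cost=20_000,
                 low_likelihood=0.2, high_likelihood=0.6),
    RiskDecision("insider", damage=500_000, mitigation_cost=400_000,
                 low_likelihood=0.2, high_likelihood=0.6),
]

if __name__ == "__main__":
    for threat, verdict in assess(SAMPLE_REGISTER).items():
        print(f"{threat:<12} {verdict}")
```

Only the DDoS and insider rows give a robust answer; the ransomware row's break-even point (30%) sits inside the estimate range, which is exactly the argument the article says you end up having.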