Disclosure of risk is an ethical dilemma
Published: September 20 2005 16:54 | Last updated: September 20 2005 16:54
When Donald Rumsfeld spoke of “known knowns”, “known unknowns” and “unknown unknowns” the world laughed. But the concepts he outlined are familiar to risk managers.
Computer security knowns and unknowns correspond to risks within systems. A risk exists when a system has a vulnerability and a mechanism exists to exploit it.
Vulnerabilities for which an exploit exists are quantifiable risks (known knowns); those for which no exploit yet exists (known unknowns) have an impact that cannot be quantified.