Continuing on with #CyberSecurityAwarenessMonth, I want to highlight the importance of making good #risk decisions.

At a basic level, risk calculations have to take into account three factors:

  • likelihood of the negative event happening
  • how severe the event would be
  • how your countermeasures will impact either of those other factors

We, as humans, tend to exaggerate the likelihood of "big, scary" events, and we prepare heavily to mitigate risk from them. Let's call this the "zombie apocalypse" event that people overprepare for. By contrast, we tend to underestimate the potential impact of "routine" events. I'd point out that far more people in the US have lost their homes in the past 100 years to fires caused by careless cigarette use than to a zombie apocalypse.

As we think about risk from a cyber security perspective, it is important to remain aware of this bias, and to actively resist it.