Is information security risk management an art or a science? As you might expect, the Ponemon survey ([ Link ]) reveals that risk management is considered neither purely art nor purely science.
There are many models and key performance indicators available that allow us to apply scientific elements to infosec risk management, but those activities do not alone make it a science.
On the other hand, there will always be a need for risk management and security professionals to leverage their own experience and knowledge to make determinations that are based on their own background and particular circumstances -- the "art" part of the equation.
Tripwire recently sponsored an extensive survey on the state of risk-based security management with the Ponemon Institute. Key findings and more information on the survey can be found here:
[ Link ]