Risk Analysis ==> Compliance + Governance ==> Risk Management

Is that it?

First, you and I both know there’s no such thing as “secure,” only “secure enough.”

Once we remember that we use the first as shorthand for the second, I think a lot of your syntactic concerns should go away.

As for the question of getting out-of-whack, I also agree–but part of governance is ensuring that the rules (laws, policies, etc) evolve to match the changing threat landscape.

I’ve got more to say on this particular topic, but it merits a post of its own, probably tomorrow.

What I see right now is a model of dividing the topic into two areas, being policy and operations. The first takes as input a chosen definition of risk/security and any other external forces (regulations, “best” practices) and creates a policy. The latter takes the policy as the input (baseline?) and measures how close we are to it.

For the latter “operations security/risk” view, I agree with the “priors” claim. But not for the former. If you don’t have a way to adjust the “g&c” then you will die … it will get out of whack as the threats move around.

Is that close?

Which leads to (a) grave difficulties in deciding where the binary bar is, and (b) semantic difficulties in usage when we mean something soft or wide instead of hard and narrow, and (c) consequent noise creeping into our attempt to actually do anything in this area. Possibly it would help to have a definition upfront?

And I don’t think it’s so bad to invent new terms. (Click to see one attempt.)

Unfortunately, I have to agree with you. I do, however, like your turn of phrase.

One of the questions that I’m now pondering in my hours and hours of spare time is exactly *why* so many people seem to find this approach counter-intuitive.

Governance and Compliance are priors for Risk Management, and not the other way around.