What does triage have to do with negligence?

You can watch this post on video instead of reading if you want to see a surprise whiteboard 🌞

Hi! I said last time that we were gonna talk about TRIAGE.

So was it negligence if you left someone in the emergency room bleeding from a bad cut?

Well, suppose you had triaged that person, and determined they were gonna be fine. They would live – they were hurting but they would live – and you prioritized dealing with a much more time-critical injury, someone who only had 30 minutes left on the clock. Of course that’s not negligence. That is appropriate prioritization.

Is it negligence if you left servers unpatched? Well, not if they didn’t have any sensitive data and you were prioritizing patching more important servers.

Triage is really prioritization

If an emergency popped up and you decided to temporarily not follow the rules in order to deal with something much more important, that’s not negligence, that’s good judgement.

With security, deciding not to implement some security controls that are too expensive is another example of prioritization. Unlike in a medical situation, in business when you are prioritizing risk, security, and opportunity, you measure that in money.

But risk and security and opportunity are super vague. We can’t really know what a security breach is going to cost or if something bad is going to happen this year. Maybe there is a 50% chance, maybe there is a 90% chance something bad is going to happen.

How can we actually quantify that? How can you define a business case around something so vague? In the next series, I’m going to walk through a set of skills that are necessary for doing a good job of risk analysis.

Can you do me a favor that doesn’t cost anything? Hit reply and let me know which one of these you see used most often.

What units do you see used to measure and visualize the results of risk analysis?

  1. Categories (high / medium / low)
  2. Severity 1-5, Impact 1-5, multiply together for a score, show in a heatmap
  3. An estimated dollar amount
  4. A probability distribution of annualized loss.
