May 19

SARMApedia: A Common Knowledge Base for Security Analysis and Risk Management

After only three days of immersion in the security and risk management (SRM) community and culture at the 2008 Security Analysis and Risk Management conference, I saw the ongoing problems with SRM that must be solved in order to advance the profession. Firstly, the comparison between risk analysis methodologies is impossible without collectively defining a “methodology of methodologies.” Decision makers commonly fail to understand and intelligently differentiate between security and risk analysis methodologies. There are many methodologies out there, but each has been developed for its own purpose and tailored to its own decision maker. By developing a system of classification, a taxonomy of risk methodologies, SRM professionals and decision makers can discuss the differences and similarities between the methodologies in order to determine the right one for the situation. However, even before this step can be achieved, the SRM community needs to establish a common lexicon. The terminology of security analysis has never been definitive. Every government agency and SRM company has a different definition of risk, threat, consequence, vulnerability, and other words related to SRM.

Fundamental in their nature, these problems need to be answered, at least to some degree of common understanding, so that every SRM professional is on the same page. Without a common lexicon or a “methodology of methodologies,” security risk management as a profession will face many barriers to advancement and great frustration.

The Security Analysis and Risk Management Association made an attempt to tackle these problems head on with SARMApedia. SARMApedia is a common knowledge base for security risk management. The site is based on MediaWiki, the wiki software originally developed for Wikipedia. SARMApedia allows any professional to document definitions and analysis methods for discussion. There are also separate pages on who’s who in SRM. The site currently needs more content and participation from professionals, but even students are allowed to sign up and contribute. SARMApedia could prove to be a great resource for SRM and could also unify the profession.
