ABSTRACT

My introduction to risk analysis began in 1978 when I was an information systems security officer (ISSO) working for General Motors. The General Motors Systems Corporate Activity (GMISCA) group sponsored a two-day conference for their ISSOs. Worldwide, GM had nearly 150 people performing that activity and about half that number was in attendance. On the morning of the second day, a 90-minute session on risk analysis was scheduled. Because it was something that I needed to know about and had never done, I selected this session. The person giving the lecture was a Ph.D. candidate who did his undergraduate degree in mathematics. He was introduced and then addressed the audience for about two minutes; he then turned and faced the chalkboard and began to write numbers and formulas on the board. For the next 88 minutes he talked to the numbers and the numbers talked to him. He never turned to talk to the attendees until the end when he said, “And there you go.” I turned to the person next to me and said that if this was risk analysis, I would rather drill my eye out with a hand auger.