I’ve found that IT risks can best be thought of in three high level categories (I’ve rather negatively called these failures but after all failure is what we are trying to avoid)

• Failures to invest
• Investment failures
• Operational failures impacting the confidentiality, integrity and availability of information and information systems

Categories like these help us organize our thoughts but more importantly they help us with risk identification. Identification of risks usually involves some form of brainstorming and categories can help us ensure that we have covered the ground. Read More