Donn Parker is a security professional who wrote an article for ISSA Magazine a few months ago that asserted that risk management should be replaced by due diligence, compliance, and enablement (whatever that is). Of course, ignoring risk is simply one strategy for risk management so it is impossible to replace it. Certainly, we can devalue risk in favor of these other things, but that doesn’t make much sense.

I found this quote from Hal Finney on the "Overcoming Bias" blog that I thought did a good job of explaining one of the biggest issues:

"This last process is described as an "information cascade" and it is one of the most common traps that crowds can fall into. The problem is that recognizing the wisdom of crowds involves a paradox. The crowd can only be wise if the information and insights from all its members are incorporated. But if each person believes that the crowd is wiser than he is (as would typically be correct) then they will only echo back what they think is the crowd consensus, leading to "groupthink" and runaway. This is one way of explaining well known mob behavior such as investment bubbles. Each person changes his own beliefs about prices when he sees the crowd consensus, producing positive feedback and driving prices to unsustainable levels."

The information security profession can learn a lot by studying behavioral economics and psychology.