Explore the often misunderstood concept of risk in business and security programs through this 36-minute conference talk from the 44CON Information Security Conference. Delve into three key areas of the risk conundrum, uncovering the elusive art of understanding and measuring risk. Learn why risk is an inherent and valuable part of any organization, challenging the common misconception that it should be eliminated entirely. Discover the problems with ordinal numbers (such as low/medium/high or 1-to-5 ratings) in risk assessment, the impact of rare, high-consequence "Black Swan" events, and lessons from casino operations. Examine historical examples, myths, and real-world scenarios that illustrate how risk is interpreted and treated. Gain insights into causation versus correlation, incident management, and effective risk response strategies. Walk away with practical takeaways to recognize risk patterns, distinguish between related risk concepts, and realize that risk mitigation is an ongoing process rather than a final state.