5. Vendor hype. Most IT vendors are ethical and partner with their customers. And then there are those that just want to make a quick buck. What better way to make a profit than to emphasize some risks and provide convenient solutions? They have read Daniel Kahneman's book.

6. The Dark Side. The bad guys are innovating too. They have business models and sophisticated toolkits, and they've learned to be patient and persistent. They use technologies like GPU clusters and botnets. They form networks to ride Kleiber's quarter-power law of innovation.

7. Volume. As volume (data, I/Ops, Gb, Flop, etc.) grows, formerly solid technologies turn vulnerable. Infrequent drive failures aren't so unlikely in 100-petabyte-scale storage. Large distributed systems introduced such concepts as Brewer's theorem.

8. Intuition does not work. It would feel reasonable to multiply the likelihood of an event with the impact and invest a somewhat smaller amount to avoid the consequences. But this approach does not work when the event is extremely unlikely and the impact is extremely costly. Many IT disaster scenarios fall into this category.

9. Risk management in silos. It's much easier to focus on individual applications or systems instead of looking at the integrated business process crisscrossing the silos. By addressing the risks in the silos, the truly valuable business process is still at risk. Efforts to do business-impact analysis turn into system-impact analysis.

10. Over-engineering. Although this doesn't sound like a big deal, over-engineered technical solutions are bad. The extra capital and operational expense matters most when it's about marketplace survival.

11. Compliance confidence. Achieving compliance feels and looks good, but it doesn't mean that the risks have been addressed at the appropriate levels. Cybersecurity is a good example -- it's easy to create an IT solution that's perfectly safe while completely unusable.

12. Emerging technologies. Progress is disruptive in both a positive and negative way. Emerging technologies open doors to new possibilities and close others. And they also introduce new risks. One example is big data analytics: When combined, pieces of low-risk information may turn sensitive.

A smart person always delivers the problem to the boss with suggestions. After bringing you the list of risk-related anti-patterns, my suggestion to you is to listen to Goethe. And I hope the 0.4 micromort you expended reading this column was worth it.

Outsourcing let companies concentrate on their core competencies instead of managing IT infrastructure. Generally speaking, IT security processes tend to be a good fit for the outsourcing model, but organizations must be careful not to paint with too broad of an outsourcing brush. In the Finding The Right Security Outsourcing Balance report, we examine the security services that lend themselves best to the outsourcing model and provide some questions to ask to ensure that your organization’s assets remain safe. (Free registration required.)