About this site

Acceptable Risk (Documented) is where I write down what I’ve learned about cyber security, resilience, and governance after 30 years of watching what actually happens in organisations under pressure.

It’s not a vendor blog. It’s not “top 10 tips”. And it’s not written to make anyone feel better.

It exists for one reason: because “documented” is not a mitigation strategy. Evidence beats intention.

Who I am

I’m Paul Maxwell. I’ve worked in information and cyber security for decades, including time in the Royal Navy, then in commercial and public-sector environments advising leadership teams.

My default lens is operational. If something matters, it has an owner, a cadence, and proof it works. If it only exists as a policy in a folder, it doesn’t count.

What I write about

This site is a public library of practical thinking on:

  • Resilience over reassurance: prevention is great, but you still need to be able to survive the day something gets through.
  • Maintenance beats tools: most failures are boring. Coverage checks, patch drift, admin sprawl, backups nobody has tested.
  • Evidence over intent: audits and training stats don’t equal behaviour or capability.
  • Ownership and decision-making: the difference between work that gets done and work that ends up as a report in a drawer.
  • Why the same gaps keep repeating: even though the playbooks exist and we all know what “good” looks like by now.

Sometimes I’ll use defence and supply-chain examples because they make the failure modes obvious, fast.

What you won’t find here

  • No fear-mongering.
  • No “hacker hoodie” storytelling.
  • No fluffy “culture change” slogans without an operational mechanism.
  • No sales pitch. This isn’t a services site.

How to use it

If you’re a leader, use the posts as prompts for better questions:

  • What breaks first here: people, process, or tech?
  • Do we have evidence, or do we have paperwork?
  • If this goes wrong on a Friday afternoon, do we actually know who does what?

If you’re hands-on, treat it like a checklist of the stuff that gets ignored until it hurts.

No newsletter

There’s no newsletter on this site. It’s just a library. Read what’s useful, ignore what isn’t, come back when you need it.

If you disagree with something I’ve written, that’s fine. The point is to get closer to what’s true in practice, not what looks good on a slide.