The author examines the use of the risk paradigm in current security reasoning and decision making. Simplicity and rationality, the two assumptions underlying the frequent use of the risk paradigm, are questioned and investigated. Based on a review of the risk paradigm, the paradigm's evolution over time and a review of Expected Utility Theory (EUT), the author concludes that the risk paradigm is inappropriately applied and generalized to security management. The risk paradigm may be appropriate for well structured, clearly defined operational problems. The risk EUT paradigm is not applicable to the protection of assets. Furthermore, using the risk management paradigm seems incompatible with the fundamental principles of security work which is more concerned with protection than business and finance. The concept of risk as fear of loss or fear of harm must also be considered. A protector cannot accept a risk without betraying their own set of morals and ethics. The author argues that the risk paradigm should be used at the planning and implementation levels of security equipment selection and installation not as the initial guiding force for directing security decision making processes. 55 Notes