Our first challenge is to define the nature of the problem we’re trying to solve – i.e., what is risk? This section will briefly cover the nature of risk and some simple truths about risk analysis.
Risk defined
Risk – The probable frequency and probable magnitude of future loss
There are three important things to recognize from this definition. First and most obvious – risk is a probability issue. We’ll cover this in more detail throughout the document, so I won’t belabor it now. Second – risk has both a frequency and a magnitude component. And third – the point I’d like to focus on here – is that this definition for risk applies equally well regardless of whether we’re talking about investment, market, credit, legal, insurance, or any of the other risk domains (including information risk) that are commonly dealt with in business, government, and life. In other words, the fundamental nature of risk is universal, regardless of context. The good news is that risk concepts have been studied for generations within other professions, so a lot of good information is available. The not-so-good news is that we have, far more often than not, approached information risk as if it were somehow different from the other risk domains. This is one of the first hurdles we have to overcome if we hope to really understand our problem space.
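To make the two components of the definition concrete, here is an added example (not part of the original text or of any FAIR tooling) that treats loss event frequency as a Poisson variable and loss magnitude as a lognormal variable, then simulates many years to get a distribution of annual loss rather than a single number. The parameters (two events per year, a median loss of 50,000 with sigma 1.0) are constructed for illustration.

```python
import math
import random
from statistics import mean


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Draw one Poisson(lam) variate with Knuth's method: number of loss events in a year."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_loss(freq_mean, magnitude_median, magnitude_sigma, trials=20000, seed=7):
    """Monte Carlo over `trials` simulated years; returns the total loss observed in each year.

    Frequency: Poisson(freq_mean). Magnitude per event: lognormal with the given median
    and log-space sigma. Both distributions are modelling assumptions, not FAIR mandates.
    """
    rng = random.Random(seed)
    mu = math.log(magnitude_median)
    losses = []
    for _ in range(trials):
        events = sample_poisson(rng, freq_mean)
        losses.append(sum(rng.lognormvariate(mu, magnitude_sigma) for _ in range(events)))
    return losses


def percentile(values, q):
    """Nearest-rank percentile on a sorted copy (q in [0, 1])."""
    ordered = sorted(values)
    return ordered[int(q * (len(ordered) - 1))]


def summarize(losses):
    """Key statistics a risk analyst reports: expected value, chance of a loss-free year, tail."""
    return {
        "mean": mean(losses),
        "p_zero": sum(1 for x in losses if x == 0) / len(losses),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p99": percentile(losses, 0.99),
    }


def expected_annual_loss(freq_mean, magnitude_median, magnitude_sigma):
    """Closed form for the compound Poisson mean: E[frequency] * E[magnitude]."""
    return freq_mean * magnitude_median * math.exp(magnitude_sigma ** 2 / 2)


if __name__ == "__main__":
    stats = summarize(simulate_annual_loss(2.0, 50_000, 1.0))
    print(f"analytic mean: {expected_annual_loss(2.0, 50_000, 1.0):,.0f}")
    for name, value in stats.items():
        print(f"{name:>6}: {value:,.2f}")
```

The point of the run is that the median year costs far less than the expected annual loss while the 99th percentile costs far more, which is why a single "risk score" hides most of what the definition says risk is.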
October 17th, 2006 at 6:15 pm
[...] Why this quote works is because if we use quantified (or even qualified) Risk as our justification, we tie our value to the value of the business. [...]
June 16th, 2009 at 12:51 am
[...] the introduction: Risk – The probable frequency and probable magnitude of future [...]
August 19th, 2010 at 4:59 pm
I like this concept. One of the themes (if not THE theme) of Bruce Scneier’s “Secrets and Lies” called out a lot of parallels b/t physical and digital security. Like, a bank that doesn’t run IDS on their network; you have cameras in the branches, right? Why? OR do you just keep the money in a pile in the middle of a room? You keep it in a vault.. OK, does everyone get access to the vault? We are most DEFINITELY NOT inventing anything. Why wouldn’t the bank’s IT infrastructure reflect what they do in the branches?? It’s a hell of a lot easier to steal money over the Internet than walking into a bank, so they should be that much more paranoid and careful.
August 19th, 2010 at 5:00 pm
Oops! Mis-spelled Schneier.. oh well.