There’s an interesting new blog on the subject of Information Security Risk by Chris Hayes that you can read at http://risktical.com/.
One of the first posts ponders the question “What is risk?” and comes up with the following definition:
The probability of a threat overcoming security controls' resistance to exploit a vulnerability that results in a loss.
That’s a good place to start and I usually carry on to describe the following formula:
risk = threat * vulnerability * cost (where cost is the sum of operational + reputational + revenue costs)
There is an alternative way of considering risk which is to say that it is the very process of defining exactly WHAT you are trying to protect, from WHOM you are trying to protect it and most importantly, HOW you are going to protect it (see here).
But what about also considering catastrophic risks: business continuity in the wake of a terrorist attack, for instance, or total loss of the Internet for an extended period of time? If you consider some of the improbable threats, the above formula might lead you to dismiss the risk altogether. But let's come back to an example I quoted some time ago regarding the town council that banned hanging baskets after it ruled there was a risk they could fall from lampposts and injure the public.
The risk was not assessed on the likelihood, or on any empirical evidence of head injuries from falling flower baskets, but on the potential consequences. In other words, as unlikely as it may seem, it could happen, and if it does somebody will be seriously injured and there will be expensive consequences as a result.
We could argue that if we considered everything in this way we would never get out of bed in the morning, because we might tread on the cat. But it's about what we are prepared to accept as risk. The town council decided it wasn't prepared to accept any risk of its hanging baskets falling onto heads.
So, consider the consequences and not always the likelihood.
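As an added illustration, not code from the original post, here is the formula above turned into a scoring function placed beside the consequence-only check the council applied; the scenarios, probabilities, cost figures and appetite thresholds are all constructed for the example.

```python
# Added example, not code from the original post: the post's formula
# risk = threat * vulnerability * cost scored as an annual expected loss, beside
# a consequence-only check that flags a scenario whose worst-case cost exceeds
# the risk appetite however unlikely it is. All figures are constructed.
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    threat: float         # probability the threat acts within a year (0..1)
    vulnerability: float  # probability it overcomes the controls (0..1)
    operational: float    # loss components if it succeeds, in currency units
    reputational: float
    revenue: float

    def cost(self) -> float:
        # cost = operational + reputational + revenue, as in the post
        return self.operational + self.reputational + self.revenue

    def expected_loss(self) -> float:
        # risk = threat * vulnerability * cost
        return self.threat * self.vulnerability * self.cost()


def assess(scenarios, max_expected_loss, max_single_loss):
    """Map each scenario name to a verdict.
    'treat (expected loss)': the likelihood-weighted formula exceeds the appetite.
    'treat (consequence)': expected loss is tolerable but the worst case alone is
    not; this is the hanging-basket reasoning, where impact drives the decision."""
    verdicts = {}
    for s in scenarios:
        if s.expected_loss() > max_expected_loss:
            verdicts[s.name] = "treat (expected loss)"
        elif s.cost() > max_single_loss:
            verdicts[s.name] = "treat (consequence)"
        else:
            verdicts[s.name] = "accept"
    return verdicts


# Constructed scenarios: a frequent moderate loss, a rare catastrophe, a minor one.
SCENARIOS = [
    Scenario("phishing credential theft", 0.9, 0.3, 20_000, 10_000, 20_000),
    Scenario("loss of Internet for a week", 0.01, 1.0, 200_000, 100_000, 700_000),
    Scenario("public website defacement", 0.2, 0.1, 10_000, 15_000, 5_000),
]

if __name__ == "__main__":
    for name, verdict in assess(SCENARIOS, 12_000, 250_000).items():
        print(f"{name}: {verdict}")
```

The week-long Internet loss scores below the expected-loss budget yet is still flagged, because its consequence alone is beyond what the organisation has decided to accept.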