What’s “a risk” anyway?
Although there are a number of definitions for “risk” out there, most of us seem to gravitate around a definition that relates to the likelihood (or frequency) and consequences (or magnitude of loss). So with that in mind I’m going to ask a question about something that’s bugged me for a long time — What is “a risk”? Likewise, what are “risks” (the plural of “a risk”)?
If you survey a set of people who deal with risk or security professionally (inside or outside of infosec) and ask them to list key “risks” within their scope of responsibilities, you tend to get an interesting set of answers. For example, the list you get from an infosec professional might look something like:
- Insiders
- Lack of user awareness
- Data leakage
- Non-compliance
- Reputation
- Web applications
Why it matters
Clearly, all of these can be issues worthy of concern for an organization, so what’s the problem? Well, maybe nothing. If all you’re looking for is a list of issues that contribute to the amount of risk an organization has, then a list like this is probably fine. A problem arises though, when you try to measure, compare, and/or prioritize these, for (at least) two reasons:
- They aren’t the same kind of thing — e.g., Insiders are a threat community, lack of user awareness is a control deficiency, data leakage is a type of loss event, non-compliance is a condition, reputation (damage) is an outcome, and web applications are a type of asset. A very apples vs. oranges problem.
- They aren’t distinct or solitary in their contribution to risk. In other words, two or more of them can be combined in different ways to describe different risk scenarios with different probabilities and consequences. As a result, any measurement of one of them in isolation, in terms of risk, is invalid.
The definition for risk mentioned above implies a measurement of some sort — i.e., a pair of values (some version of likelihood and consequence) — yet we use the terms “a risk” and “risks” in a way that implies reference to one or more objects or “things” rather than a value.
Unfortunately, I see a lot of instances where people have tried to characterize “risks” in terms of likelihood and consequence, and it’s never pretty. The results are very difficult to defend logically, which I suspect contributes to people’s notion that dealing with risk is hard. My experience has been that once you get clarity around risk terminology the kind of confusion that comes from “risks” goes away and the problem becomes a lot easier to wrap your head around.
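To make the apples-vs-oranges point concrete, here is a small model (an added example, not code from the post or its author) that tags each item on the list above with the category the post assigns it, and only lets a complete scenario (threat community + asset + loss event type, with control deficiencies as modifiers) carry a frequency-and-magnitude pair. The numbers, the `deficiency_factor` rule, the uniform loss distribution and the "External attackers" element are assumptions made for illustration; the same elements recombined into a second scenario give a different answer, which is the point made in the second bullet.

```python
"""Risk scenario model: only a complete scenario yields a (frequency, magnitude) pair.

Constructed example. The element categories are the ones the post assigns to its
list; every number and the 'deficiency_factor' rule are assumptions for illustration.
"""
import math
import random
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class Kind(Enum):
    """The categories the post uses to sort its list of so-called 'risks'."""
    THREAT_COMMUNITY = "threat community"
    CONTROL_DEFICIENCY = "control deficiency"
    LOSS_EVENT = "loss event type"
    CONDITION = "condition"
    OUTCOME = "outcome"
    ASSET = "asset"


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind


# The post's list, tagged with the kind the post gives each item.
INSIDERS = Element("Insiders", Kind.THREAT_COMMUNITY)
USER_AWARENESS = Element("Lack of user awareness", Kind.CONTROL_DEFICIENCY)
DATA_LEAKAGE = Element("Data leakage", Kind.LOSS_EVENT)
NON_COMPLIANCE = Element("Non-compliance", Kind.CONDITION)
REPUTATION = Element("Reputation (damage)", Kind.OUTCOME)
WEB_APPS = Element("Web applications", Kind.ASSET)
# Constructed second threat community, to show the same elements recombined.
EXTERNALS = Element("External attackers", Kind.THREAT_COMMUNITY)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


@dataclass
class Scenario:
    """A loss-event scenario: the unit that can carry likelihood and consequence."""
    threat: Element
    asset: Element
    loss_event: Element
    threat_event_frequency: float        # assumed: attempts per year
    base_vulnerability: float            # assumed: P(attempt succeeds) with controls intact
    loss_magnitude: Tuple[float, float]  # assumed: (min, max) loss per event, uniform
    deficiencies: List[Element] = field(default_factory=list)
    deficiency_factor: float = 1.5       # assumed: each deficiency scales vulnerability

    def __post_init__(self) -> None:
        # Reject apples-vs-oranges compositions: a control deficiency or an
        # outcome cannot stand in for a threat, an asset or a loss event.
        expected = [(self.threat, Kind.THREAT_COMMUNITY),
                    (self.asset, Kind.ASSET),
                    (self.loss_event, Kind.LOSS_EVENT)]
        expected += [(d, Kind.CONTROL_DEFICIENCY) for d in self.deficiencies]
        for elem, kind in expected:
            if elem.kind is not kind:
                raise TypeError(f"{elem.name!r} is a {elem.kind.value}, not a {kind.value}")

    def vulnerability(self) -> float:
        v = self.base_vulnerability
        for _ in self.deficiencies:
            v = min(1.0, v * self.deficiency_factor)
        return v

    def loss_event_frequency(self) -> float:
        """Likelihood side of the pair: successful loss events per year."""
        return self.threat_event_frequency * self.vulnerability()

    def expected_annual_loss(self) -> float:
        """Frequency times mean magnitude: the pair collapsed to one number."""
        lo, hi = self.loss_magnitude
        return self.loss_event_frequency() * (lo + hi) / 2.0

    def simulate(self, years: int, seed: int = 0) -> float:
        """Monte Carlo average annual loss: Poisson attempts, each succeeds with P=vulnerability."""
        rng = random.Random(seed)
        lo, hi = self.loss_magnitude
        v = self.vulnerability()
        total = 0.0
        for _ in range(years):
            for _ in range(_poisson(rng, self.threat_event_frequency)):
                if rng.random() < v:
                    total += rng.uniform(lo, hi)
        return total / years


if __name__ == "__main__":
    insider = Scenario(INSIDERS, WEB_APPS, DATA_LEAKAGE, 10.0, 0.2, (10_000, 50_000), [USER_AWARENESS])
    external = Scenario(EXTERNALS, WEB_APPS, DATA_LEAKAGE, 200.0, 0.01, (10_000, 50_000))
    for s in (insider, external):
        print(f"{s.threat.name:>18} -> LEF {s.loss_event_frequency():.2f}/yr, "
              f"EAL {s.expected_annual_loss():,.0f}, simulated {s.simulate(2000):,.0f}")
    try:  # a bare list item cannot be scored: it is not a scenario
        Scenario(USER_AWARENESS, WEB_APPS, DATA_LEAKAGE, 1.0, 0.5, (1.0, 2.0))
    except TypeError as err:
        print("cannot score a bare element:", err)
```

"Lack of user awareness" never gets its own likelihood-and-impact score here; it only changes the vulnerability of a scenario it is attached to, which is the distinction between something that contributes to risk and something that is a risk.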
Clint Laskowski Jul 19
Risk is a function of (a) the likelihood that a specific threat source will exploit a specific vulnerability of a specific asset or process, and (b) the resulting impact.
Ash Jul 19
In its simplest form risk is ‘what could go wrong and what we are doing about it’. No complex mathematics, just a very simple and easy to understand definition that anyone in any business can understand.
Jack Jul 19
Argh
Jack Jul 19
I guess I was too subtle and/or Clint and Ash were in a hurry and didn’t read the post closely (or, they just outright disagree with me).
The point I was trying to make is that many of us use the terms “a risk” and “risks” to mean almost any element within the risk landscape. This creates a lot of confusion, which holds us back as a profession.
I recently took part in an exercise to evaluate potential questions for an industry certification exam related to risk. I was dismayed at the variety of ways the term risk was being used — and this for an exam that’s supposed to attest to an individual’s expertise in the matter….
Andy Jul 19
Hope you didn’t hurt yourself when you did the facepalm Jack. Just wondering if the point could be driven home a little better if we saw the risk-aware counterpoint to the standard infosec professional’s response in the post.
These discussions about risk are long on the flaws in the current SOP, and light on how you would alter the conversation about risk with management. Current infosec practice gives management a steady diet of stoplight charts and the flaws you highlight above, but to show up one day with probability distributions and a wonkish parsing of terms feels like a lead balloon in the making.
Jack Jul 19
@Andy. Point taken. Thanks. From now on I’ll try to include examples that illustrate my points of the problem with SOP and an alternative.
Ron W Jul 21
@Jack - Great thought-provoking post.
The “5 Whys” technique may help here. Ask 5 times, why is that “thing” a risk? It also gets into how it is a risk.
I don’t agree that using impact X likelihood makes the risk difficult to defend logically. I found that’s how people think naturally.
I do agree that people make risk analysis more difficult than it needs to be, so they stay away.
This makes for a fun debate.
Jack Jul 22
@Ron
Thanks for your comment. I agree that the “5 Whys” can be extremely useful for a number of different problems. As for impact x likelihood, it only becomes a problem when people try to apply it to conditions or elements that don’t comprise a full risk scenario. For example, “inadequate user awareness” is a control deficiency that contributes to how much risk exists, but it doesn’t describe a risk scenario (loss event) that can be measured in terms of likelihood and impact. That doesn’t keep a lot of people from trying though. And you’re right — it does make for lively discussion.
Bruce Hallas Aug 1
I totally agree with the 5 Whys idea. Though in my experience you may get your answer in less than, or possibly more than, 5. However, I learnt 12 years ago that risk related to an impact upon cash flow and profitability, P&Ls and balance sheets. The strap line I have used since then when describing my contribution to business is that I manage information security risks to cash flow and profitability. This is the true measure of risk to private business.
Another point I’d like to make is that there are two sides to risk. In information security it’s all about negative risk. This is a hangover from the use of fear, uncertainty and doubt techniques used to justify investment in information security. However, wherever there are negative risks these can be leveraged to create positive risks/opportunities. Interestingly, in the UK, my experience over the past 24 months is that organisations are investing in information security risk management because their customers or target markets have concerns.
Alex Aug 2
@Bruce:
Wait, “negative risk”? Can you describe what you mean here? If risk can be a negative value, what would be the state of Risk = 0 then?
Jack Aug 3
@Bruce
I agree that the bottom line (in the commercial world) is the bottom line. That is what management cares about and what our statements of risk need to relate to. It’s also one of the reasons a quantitative statement of risk (in terms of frequency and magnitude of loss) tends to be more meaningful to management than a qualitative label like “high, medium, low” or “3 on a scale of 1 to 5”.
Regarding “two sides to risk” — there’s no question that infosec has too long been guilty of using FUD as a crutch to support superficial risk assessments and statements. That said, infosec isn’t the only discipline that uses the term “risk” solely in the negative context.
I’ve always had reservations about the “two sides to risk” position. In that context, the term risk seems to simply mean “uncertainty” or “potential” — i.e., negative risk equates to “there is potential for loss”, and positive risk equates to “there is potential for gain”. Language and definition diversity being what it is, I’m not in a position to say that’s an improper use. I’ve just found it to be simpler and clearer to consistently use the term risk to mean frequency and magnitude of loss. When referencing the potential upside to a situation I simply use “opportunity”, which I measure in terms of frequency (or likelihood, if you prefer) and magnitude of gain.
Again, at the end of the day I’m just trying to bring clarity (in my own mind at least) to the landscape I’m paid to deal with. In that quest it’s been very helpful to assign a single definition and meaning to key terminology. Your mileage may vary.
Thanks,
Jack