Risk definitions

One of the problems that security practitioners have when discussing risk is agreeing on the terminology. My work in recent years has focussed on using widely accepted standards to underpin security recommendations.

All standards define their terminology pretty well. Most recently I have been using the fairly new ISO 31000:2009 as a  reference for risk assessments. The following is a comment I recently fired into a LinkIn discussion on risk here.

There are many different ways of approaching risk and the two he gives are good starting points.
Take a look at the newly adopted ISO 31000. It is widely used internationally to guide risk management, It defines risk as the effect of uncertainty on objectives and so can be positive or negative. (Just ask someone who can’t adequately fund a rapidly growing business if there is a risk of success).

I have done a lot of risk assessment work recently where we have used a methodology based on the ISO standard and its really interesting to see how business and ICT people see risk differently. There are no ICT risks as such. In all cases the risk is to the business – if there is no impact on the business why would you spend money mitigating it. That is where rating impacts and likelihood is vital. While the finance and insurance industries have good statistical information to facilitate risk decision making, there is much less quantitative information available for measuring the likelihood of ICT risks and the resultant impacts.

If you are going to use qualitative measures then you need to document what Low/Medium/High (or whatever measures you use) mean in a particular context.
Likewise risks don’t disappear once managed appropriately. I have encountered cases where people want to remove risks from a register once controls are put in place. That means that there is no monitoring process for ensuring that the risk stays mitigated and that changes in systems/environment/staff etc don’t raise the risk level again.

Actually one of the first steps in a risk assessment is to define the terminology that you will use, and then use it consistently. The next step before thinking about risks/vulnerabilities/threats etc is to make sure you understand the business context of whatever it is you are assessing. If you don’t know what the business drivers are you haven’t a chance of identifying all the things that could impact it.

Back to the original question on term definition – I found the FAIR paper a good model for discussion – the bald tyre scenario. Have a read of –
http://fairwiki.riskmanagementinsight.com//?page_id=4 for definition of terms etc.