October 4th, 2005 by Chandler Howell

Pete Lindstrom corrected my spelling and offered his own suggestion for a Universal Risk Measure:

There are two ways to respond to this problem - First, we can assert that we do have a unit of measurement - the % point, because risk is simply the likelihood that something bad will happen, and “bad” can be anything we want it to be. Secondly, we can simply suggest that it doesn’t really matter - any unit is fine, as long as everyone is clear on it. I have never heard anyone say that they couldn’t understand the risk because the unit of measurement was wrong.

I think I disagree with the % (percent, as opposed to its alternate usage, the modulo operator) as a Universal Unit of Measurement. Picking frequency or likelihood of occurrence doesn’t do us much good since, unfortunately, there are only two levels of likelihood in most people’s minds when dealing with risk:

1) Definitely will happen (probability 1), e.g. worms or viruses. In the eyes of The Business, things only move into this category after technology solutions exist, which I should be busy providing instead of wasting their time with meetings and trying to turn their project’s status to Yellow.
2) Never will happen (probability 0), e.g. system intrusions by skilled attackers resulting in a massive loss of data, or a hurricane destroying New Orleans. (Note: this eventually gets turned into, “Definitely will happen,” but only after it’s too late to do anything about it. For further reading, see Code Red, SQL Slammer, or anything in Adam Shostack’s privacy breach category.)

Pete also gets to deal with more risk-aware people than I do if he’s never had anyone claim that the unit-of-measure kept them from understanding risk. Maybe that’s because he’s a consultant, so if people are talking to him, they understand the concept well enough to think he’s worth paying Real Money to discuss it with them. I, on the other hand, live in the corporate world and have to descend like some sort of office ninja on those whose projects catch the wrong eye or need connectivity to a third party.

As a result, I spend a lot more time trying to explain to people why we’re all sitting on the phone or in a room together, especially given that their default viewpoints are:
1) The incident in question Never Will Happen.
2) I’m probably about to turn their project status Yellow and thus must be opposed with all their mortal vigor.

So maybe they’re being deliberately obtuse, but that fact doesn’t make my life any easier.

To make matters worse, I completely agree with Pete that security practitioners have a nasty habit of playing loose with the fact that, “‘bad’ can be anything we want it to be.”

I’m guilty of this myself, usually because someone asks the, “What’s the worst thing that could happen?” question. The answer, of course, is that their systems will vanish in a blaze of keystrokes right after ueber-l33t h4×0rs sneak through their probability-zero hole and ravage our internal digital landscape like the Mongol Horde in Kiev. This may be the l0w-likelihood, high-impact scenario, but since they asked, I tell them. This also provides a nice juxtaposition with the more likely scenarios such as a disgruntled insider, a lack of clear system ownership, excessively loose administrative access policies, or any number of other issues which they should have thought of ahead of time but didn’t bother to either ask me (or someone like me) about or to read our standards documents.

Which brings me back to my original point. We’ve got two variables that we can potentially control: how likely the event is, and how bad it is when it does happen. Unless they agree that the probability is 1, we’re screwed, since anything times zero (the only other option in their mind) is zero, which makes the risk zero, and so they can now decide in their own mind that the Information Security risk has been managed, which means that their project is now back to Green and life is once again good.

- Posted in Security and Risk Management, Risk Management

Risk Quantification

Chandler Howell responds to my previous post with his own. He brings up a good point:Picking freqency or likelihood of occurance [sic again ;-)] doesn’t do us much good since, unfortunately, there are only two levels of likelihood in most people’s …

- October 4th, 2005 at 4:24 pm |

Practically the whole of the book “Reckoning with Risk” is about why risks expressed as percentages are unsatisfactory. http://www.penguin.co.uk/nf/Book/BookDisplay/0,,0_0140297863,00.html
There are absolute and relative risks, as well as prior probabilities and those given some other information, as well sometimes as doubt over what population the figures were obtained from.

Probabilities of device failure are usually stated as “probability of failure on demand” so that you can combine that with the expected demand and the redundancy of independent(!) devices to estimate probability of system failure. As with Feynman on the space shuttle there’s room to question whether the piecemeal-calculated probabilities match the frequency of whole system failure if you’re talking about rare events for which you don’t have many observations.

- October 5th, 2005 at 3:06 pm |
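The calculation the comment above describes, combining a per-device probability of failure on demand (PFD) with an expected number of demands and with the redundancy of supposedly independent devices, worked through as an added example. This is not code from the original post or from either commenter; the PFD values, demand counts, impact figure and the beta-factor common-cause model used to show what the “independent(!)” caveat costs are all constructed for illustration. It also carries the post’s own point: a multiplication that a 0-or-1 view of likelihood collapses to zero.

```python
"""Probability of failure on demand (PFD) with k-of-n redundancy.

Added example, not from the original post or its comments. All numbers
(PFD, demand counts, beta factor, impact) are constructed for illustration.
"""
from math import comb


def pfd_k_of_n_independent(pfd: float, n: int, k: int) -> float:
    """System PFD when k of n devices must work and failures are independent.

    The system fails on a demand when at least n-k+1 devices fail, so this is
    a binomial tail: sum over j = n-k+1 .. n of C(n,j) pfd^j (1-pfd)^(n-j).
    """
    if not 0.0 <= pfd <= 1.0 or not 1 <= k <= n:
        raise ValueError("need 0 <= pfd <= 1 and 1 <= k <= n")
    return sum(comb(n, j) * pfd ** j * (1.0 - pfd) ** (n - j)
               for j in range(n - k + 1, n + 1))


def pfd_k_of_n_common_cause(pfd: float, n: int, k: int, beta: float) -> float:
    """Same system, but with the independence assumption relaxed.

    Beta-factor model (assumed here for illustration): a fraction `beta` of
    each device's PFD is a shared common-cause failure that takes out every
    device on the same demand; only the remaining (1-beta)*pfd is independent.
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("need 0 <= beta <= 1")
    p_common = beta * pfd
    p_indep = (1.0 - beta) * pfd
    # Fail if the common-cause event fires, or if it does not and the
    # independent failures alone defeat the redundancy.
    return p_common + (1.0 - p_common) * pfd_k_of_n_independent(p_indep, n, k)


def p_at_least_one_failure(pfd_system: float, demands: int) -> float:
    """Probability of at least one system failure over `demands` demands,
    treating demands as independent trials at the given system PFD."""
    return 1.0 - (1.0 - pfd_system) ** demands


def expected_loss(pfd_system: float, demands: int, impact: float) -> float:
    """Expected loss = P(at least one failure over the demands) * impact.

    This is the product the post's "anything times zero is zero" refers to:
    round the probability to 0 and the whole term vanishes.
    """
    return p_at_least_one_failure(pfd_system, demands) * impact


def binary_view_loss(pfd_system: float, demands: int, impact: float) -> float:
    """The two-level mental model from the post: likelihood is 1 if it has
    already happened 'often enough' to be certain, otherwise 0."""
    likelihood = 1.0 if p_at_least_one_failure(pfd_system, demands) >= 0.5 else 0.0
    return likelihood * impact


if __name__ == "__main__":
    # Constructed figures: two devices, 1% PFD each, one must work (1-of-2),
    # 1000 demands per year, and a $5M loss if the system fails on a demand.
    pfd, demands, impact = 0.01, 1000, 5_000_000.0
    p_ind = pfd_k_of_n_independent(pfd, 2, 1)
    p_cc = pfd_k_of_n_common_cause(pfd, 2, 1, beta=0.10)
    print(f"1-of-2, independent:         system PFD = {p_ind:.6g}")
    print(f"1-of-2, 10% common cause:    system PFD = {p_cc:.6g}")
    print(f"2-of-3, independent:         system PFD = "
          f"{pfd_k_of_n_independent(pfd, 3, 2):.6g}")
    print(f"P(>=1 failure / {demands} demands), independent: "
          f"{p_at_least_one_failure(p_ind, demands):.4f}")
    print(f"expected annual loss, independent:   ${expected_loss(p_ind, demands, impact):,.0f}")
    print(f"expected annual loss, common cause:  ${expected_loss(p_cc, demands, impact):,.0f}")
    print(f"same numbers through the 0-or-1 lens: ${binary_view_loss(p_ind, demands, impact):,.0f}")
```

With these figures the piecemeal independent estimate for 1-of-2 is 1e-4 per demand; a 10% common-cause share makes it roughly eleven times worse, which is the kind of gap the comment’s Feynman reference is about. The last line shows the post’s complaint in numbers: a 9.5% chance of a $5M loss is a six-figure expected loss, and the binary view reports it as $0.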

“Reckoning With Risk” looks like one to put on my reading list. One of my very first posts concerned a paper along similar lines.

“The Problem of Redundancy Problem: Why More Nuclear Security Forces May Produce Less Nuclear Security,” is a quantitative analysis of the point of diminishing effectiveness of physical security at nuclear power plants.

Interesting reading if you hadn’t seen it previously.

- October 5th, 2005 at 6:26 pm |

What about that “one a day” business? :D

- October 17th, 2005 at 6:55 am |
