June 5th, 2006 by Chandler Howell

When we talk about Risk, we generally are talking about the likelihood of Something Bad Happening. If I look it up in a dictionary, risk is “The possibility of suffering harm or loss; danger.”

This is especially true when talking about Risk within IT. I get asked questions like, “What’s the risk of Vulnerability X?” or “What’s the risk of allowing this protocol through a firewall?” (The answer is, “It depends.”) Even project status slides present events in separate sections labeled “Risks” and “Opportunities,” as if the two are somehow independent.

But we should always consider that Risk (likelihood of Something Bad happening) is just one side of Volatility (likelihood of Something Happening, good or bad). Never forget that without risk we cannot have reward.

Our job is not to eliminate risk. It is to identify the risks we should mitigate or avoid because they don’t provide adequate potential for reward, and to determine how best to transfer or accept the ones that do.

- Posted in Security and Risk Management

(does his best Office Space)

Ummm, yeah, I’m gonna have to go ahead and disagree with you on that one.

That definition is one that is offered, but IMHO is very, very poor. Why? Because then risk is binary (which it never really is) - studying possibility gets one nowhere. It’s when you consider risk to be a *probability* problem that your view of the world of information risk changes dramatically.

Now you have something to measure. You can start to build metrics, you can create comparisons and make decisions.

If we’re stuck using possibility - then we still have to act like we’re in Shaman mode; we must have this ever-increasing list of best practices because all we’re doing is throwing controls against the tactics of threats. Even our so-called metrics are nothing more than measures of effectiveness for various controls - fine for the console jockey, but they mean very little to a business (or data) owner.

- June 22nd, 2006 at 12:20 pm