Difference between revisions of "Risk"

From Securipedia
Revision as of 14:15, 29 February 2012

Introduction

Risk is a measure of the expectation that an undesirable outcome (impact) will be realised. This expectation concerns both the likelihood and the magnitude of the undesired outcome. Quantified levels of risk are often used to assess whether individual risks fall within acceptable limits, or to determine which risks pose the greatest threat.

Definitions

There is no one, universally accepted definition for risk. A prominent definition of risk is provided in the ISO 31000:2009 risk management standard [1], where risk is defined as the ‘effect of uncertainty on objectives’ and both positive and negative effects are included. As this definition is of a high conceptual level and can be counter-intuitive, for the purpose of this wiki, the definition as mentioned in the introduction will be used.

Objective and subjective risk

Risk assessment

Although terminology varies, two widely accepted elements in the definition of risk are the inclusion of likelihood and magnitude and, to a lesser extent, the convention that a measure of risk is obtained by multiplying the two. A simple but widely used definition of risk is therefore

Risk = Likelihood of the event realising  X  Impact (expected loss if the event realises).

Many variations exist, for example by distinguishing between the probability that a threat materialises (the probability proper) and the probability that a materialised threat actually affects the object (the vulnerability). Storm damage is an example: the probability reflects the likelihood of a storm at the object, the vulnerability reflects the likelihood that such a storm damages the object, and the impact reflects the extent of the damage when it does. The quantified risk formula associated with this definition is

Risk = Likelihood of the event realising  X  Vulnerability (probability that the realised event affects the object)  X  Impact (expected loss if the event realises and affects the object).

The estimation of likelihood in security

The use of probability relies on the ability to make reliable predictions. These are most often based on the analysis of past occurrences and the identification of trends. When determining risk for threats related to human intent, the use of trend analysis to estimate likelihood has been criticised for threats that actively seek to cause harm (for example terrorism). This is because

  • these events occur relatively infrequently, which makes the recognition of trends difficult;
  • in contrast to, for instance, natural threats, the results of past events do influence the likelihood of future events: potential perpetrators will actively seek ‘the weakest link’. The predictive value of trends in past occurrences is therefore in doubt.

A way to overcome these problems is to substitute attractivity for probability and conceivability for vulnerability. In this way, the assumption that historical data predicts future events can be avoided.
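The two formulas from the risk assessment section, worked over a small threat register, as an added example that is not part of the original page. The register entries, the loss figures, the tolerance threshold and the use of 0..1 scales for attractivity and conceivability are constructed assumptions; the page itself defines no scales for those two quantities. The same product is used for the intentional threat, with attractivity and conceivability standing in for probability and vulnerability as described above, but its result is then a relative score rather than an expected loss.

```python
"""Risk = Likelihood x Vulnerability x Impact, applied to a small threat register.

Added illustration for the Securipedia 'Risk' page. Register entries, loss
figures, the tolerance and the 0..1 attractivity/conceivability scales are
constructed assumptions, not data from the page.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    # Safety threats: probability (per year) that the event occurs at the object.
    # Intentional threats: attractivity of the object, assumed on a 0..1 scale.
    likelihood: float
    # Safety threats: probability that an occurred event actually damages the object.
    # Intentional threats: conceivability of a successful attack, assumed on a 0..1 scale.
    vulnerability: float
    # Expected loss, in one common unit for all entries, given that the event
    # occurs and affects the object.
    impact: float


def _check_unit_interval(value: float, label: str) -> None:
    """Probabilities (and the assumed 0..1 scores) must lie in [0, 1]."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{label} must lie in [0, 1], got {value}")


def risk(threat: Threat) -> float:
    """Three-factor formula: likelihood x vulnerability x impact.

    The two-factor formula (Risk = Likelihood x Impact) is the special case
    vulnerability == 1.0, i.e. every realised event damages the object.
    """
    _check_unit_interval(threat.likelihood, "likelihood")
    _check_unit_interval(threat.vulnerability, "vulnerability")
    if threat.impact < 0:
        raise ValueError("impact is a loss and cannot be negative")
    return threat.likelihood * threat.vulnerability * threat.impact


def rank(register) -> list:
    """Return (name, risk) pairs, highest risk first, to see which risks pose the greatest threat."""
    scored = [(t.name, risk(t)) for t in register]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def exceeding(register, tolerance: float) -> list:
    """Names of threats whose risk lies above the acceptable limit, highest first."""
    return [name for name, value in rank(register) if value > tolerance]


# Constructed register; loss figures in thousands of a single currency unit.
REGISTER = [
    # Storm example from the text: P(storm at object) x P(storm damages object) x loss.
    Threat("storm damage", likelihood=0.20, vulnerability=0.25, impact=400.0),
    # Two-factor form: every outage is assumed to cause the stated loss (vulnerability 1.0).
    Threat("power outage", likelihood=0.10, vulnerability=1.0, impact=150.0),
    # Intentional threat: attractivity 0.6 and conceivability 0.5 replace the probabilities,
    # so the product is a relative score, not an expected annual loss.
    Threat("burglary", likelihood=0.60, vulnerability=0.50, impact=60.0),
]

TOLERANCE = 16.0  # constructed acceptable limit, same unit as impact


if __name__ == "__main__":
    for name, value in rank(REGISTER):
        print(f"{name:14s} {value:8.2f}")
    print("above tolerance:", exceeding(REGISTER, TOLERANCE))
```

Running the block lists storm damage (20.0) first, then burglary (18.0) and power outage (15.0); with the assumed tolerance of 16.0 the first two are flagged. The input checks matter in practice: a likelihood above 1 or a negative impact silently produces a nonsensical ranking if the formula is applied blindly.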

Uses of risk assessment

t.b.d.

Sources of risk

One way to classify risks is by their cause. A cause of risk is called a threat. Threats can be classified into safety threats, consisting of natural threats, human failure, technical failure and failure of critical services, and security threats, which are due to human intent.

Related subjects

t.b.d.

  1. ISO 31000:2009, Risk management. See http://en.wikipedia.org/wiki/ISO_31000