Difference between revisions of "Risk"

From Securipedia

Revision as of 17:03, 28 February 2012

Risk

Introduction

Risk is a measure of the expectation that an undesirable outcome (impact) will materialise. This expectation covers both the likelihood and the magnitude of the undesired outcome. Quantified levels of risk are often used to assess whether risks fall within acceptable limits or to determine which risks pose the greatest threat.

Definitions

There is no single, universally accepted definition of risk. A prominent definition is provided in the ISO 31000:2009 risk management standard[1], where risk is defined as the ‘effect of uncertainty on objectives’; both positive and negative effects are included. As this definition is of a high conceptual level and can be counter-intuitive, for the purpose of this wiki the definition given in the introduction will be used.

Objective and subjective risk

Risk assessment

Although terminology varies, two elements of the definition of risk are widely accepted: risk includes both likelihood and magnitude, and, to a lesser extent, a measure of risk is obtained by multiplying the two.

A simple but widely used definition of risk is therefore

Risk = Likelihood (probability of the event occurring) × Impact (expected loss if the event occurs).

Many variations exist, for example by distinguishing between the probability that a threat occurs (also simply called probability) and the probability that the occurring threat affects the object (vulnerability). Storm damage is an example: the probability reflects the likelihood of a storm at the object, the vulnerability reflects the likelihood that such a storm causes damage, and the impact reflects the extent of the damage if the storm does cause it. The quantified risk formula associated with this definition is

Risk = Likelihood (probability of the event occurring) × Vulnerability (probability that the occurring event affects the object) × Impact (expected loss if the event occurs and affects the object).

The estimation of likelihood in security

The use of probability relies on the ability to make reliable predictions, which is most often based on the analysis of past occurrences and the identification of trends. When determining risk for threats that stem from human intent, the use of trend analysis to estimate likelihood is criticised[2] for threats that actively seek to cause harm (for example terrorism), because

  • these events occur relatively infrequently, which makes trends hard to recognise;
  • in contrast to, for instance, natural threats, the outcome of past events does influence the likelihood of future events: potential perpetrators will actively seek ‘the weakest link’, so the predictive value of trends in past occurrences is in doubt.

A way to overcome these problems is to substitute attractivity for probability and conceivability for vulnerability. In this way, the assumption that historical data predict future events is avoided.
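The two-factor and three-factor risk formulas from the risk assessment section, together with the attractivity/conceivability substitution for intentional threats described above, worked through in Python as an added example (this is not code from Securipedia or from ISO 31000). The register entries and their figures, the euro loss values, the 0 to 1 scales used for attractivity and conceivability, and every function name are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Threat:
    """One row of a risk register. All figures are constructed for this example.

    For unintentional threats (natural, technical, human failure):
      likelihood    - probability per year that the event occurs at the object
      vulnerability - probability that an occurring event actually damages the object
    For intentional threats (human intent), history-derived probabilities are
    replaced as the text proposes, so the same two fields hold:
      likelihood    - 'attractivity' score in [0, 1] (assumed scale: how worthwhile a target)
      vulnerability - 'conceivability' score in [0, 1] (assumed scale: how feasible an attack)
    impact is the expected loss (assumed in euro) if the event occurs and affects the object.
    """
    name: str
    likelihood: float
    vulnerability: float
    impact: float
    intentional: bool = False


def _check_unit_interval(value: float, label: str) -> None:
    """Probabilities and the substitute scores must lie in [0, 1]; reject anything else."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{label} must lie in [0, 1], got {value!r}")


def factor_names(threat: Threat) -> Tuple[str, str]:
    """How the first two factors are read, following the substitution for intentional threats."""
    if threat.intentional:
        return ("attractivity", "conceivability")
    return ("probability", "vulnerability")


def two_factor_risk(likelihood: float, impact: float) -> float:
    """Risk = Likelihood x Impact, the simple definition."""
    _check_unit_interval(likelihood, "likelihood")
    return likelihood * impact


def three_factor_risk(threat: Threat) -> float:
    """Risk = Likelihood x Vulnerability x Impact.

    The arithmetic is identical for intentional threats; only the reading of the
    first two factors changes (see factor_names).
    """
    first, second = factor_names(threat)
    _check_unit_interval(threat.likelihood, first)
    _check_unit_interval(threat.vulnerability, second)
    return threat.likelihood * threat.vulnerability * threat.impact


def combined_likelihood(threat: Threat) -> float:
    """Likelihood x Vulnerability: folds the three-factor form back into the two-factor one."""
    return threat.likelihood * threat.vulnerability


def rank_risks(register: List[Threat]) -> List[Tuple[str, float]]:
    """Register entries ordered from highest to lowest quantified risk."""
    scored = [(t.name, three_factor_risk(t)) for t in register]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def above_limit(register: List[Threat], acceptable: float) -> List[str]:
    """Names of the threats whose risk exceeds the acceptable limit (assumed in euro per year)."""
    return [name for name, risk in rank_risks(register) if risk > acceptable]


# Constructed register: a natural threat, a technical failure and an intentional threat.
REGISTER = [
    Threat("storm damage to warehouse roof", likelihood=0.20, vulnerability=0.25, impact=200_000.0),
    Threat("cooling failure in server room", likelihood=0.10, vulnerability=0.80, impact=50_000.0),
    Threat("burglary of server room", likelihood=0.60, vulnerability=0.50, impact=150_000.0,
           intentional=True),
]

if __name__ == "__main__":
    for name, risk in rank_risks(REGISTER):
        print(f"{name:32s} {risk:12,.0f}")
    print("above 5,000 per year:", above_limit(REGISTER, 5_000.0))
```

The input check matters in practice: an attractivity score entered on a 1 to 5 scale by one assessor and a probability entered on a 0 to 1 scale by another would otherwise multiply into a ranking that looks quantitative but is meaningless. The `combined_likelihood` helper shows that the two definitions on this page agree once the vulnerability factor is folded into the likelihood.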

Uses of risk assessment

t.b.d.

Sources of risk

One way to classify risks is by their causes. A cause of risk is called a threat. Threats can be divided into [_Safety_1 safety] threats, consisting of natural threats, human failure, technical failure and failure of critical services, and security threats, which are due to human intent.

Related subjects

t.b.d.