Risk
Contents
Introduction
Risk is a measure for the expectation of undesirable outcome impact to realise. This expectation concerns both the likelihood and magnitude of the undesired outcome. Quantified levels of risk are often used to enable an assessment of risk in order to establish if they fall within acceptable limits or to determine which risks pose the highest threat.
Definitions
There is no one, universally accepted definition for risk. A prominent definition of risk is provided in the ISO 31000:2009 risk management standard [1], where risk is defined as the ‘effect of uncertainty on objectives’ and both positive and negative effects are included. As this definition is of a high conceptual level and can be counter-intuitive, for the purpose of this wiki, the definition as mentioned in the introduction will be used.
Objective and subjective risk
Risk assessment
Although terminology may vary, two widely accepted elements in the definition of risk are the inclusion of likelihood and magnitude and to a lesser extent, the fact that to arrive at a measure of risk, the two should be multiplied. A simple, but widely used definition of risk is therefore
Risk = Likelihood of event realizing X Impact (expected loss in case the accident realizes).
Many variations exist, for example by distinguishing between the likelihood of a threat realizing (also called probability) and the likelihood that that threat will affect an object (vulnerability). An example would be storm damage: the probability would reflect the likelihood of a storm at the object, the vulnerability would reflect the likelihood that this storm would cause damage and the impact would reflect the extent of damage that would occur if the storm would cause damage. The quantified risk formula associated with this definition is
Risk = Likelihood of event realizing X vulnerability (probability of realized event impacting object) X Impact (expected loss in case the accident realizes and impacting object).
The estimation of likelihood in security
The use of probability relies on the ability to make reliable predictions. This is most often based on the analysis of past occurrences and identification of trends. When determining risk in the field of threats related to [#_Human_intent human intent], the use of trend analysis to determine likelihood is criticised[2] for threats actively seeking harm (for example terrorism). This is due to the fact that
- these events occur relatively infrequently, making the recognition of trends difficult;
- in contrast to for instance natural threats, the results of past events does influence the likelihood of future events: potential perpetrators will actively seek ‘the weakest link’. This means that the predicting value of trends in past occurrences is in doubt.
A way to overcome these problems is to substitute attractivity for probability and conceivability for vulnerability. In this way, assumptions about historical data predicting future events can be avoided.
Uses of risk assessment
t.b.d.
Sources of risk
One way to typify types of risk, is by their causes. A cause for risk is called a [#_Threat threat]. Threats can be classified into safety threats, consisting of [[natural threats], human failure, technical failure, failure of critical services and security threats which are due to human Intent.
Related subjects
t.b.d.
references
- ↑ [See: http://en.wikipedia.org/wiki/ISO_31000]
- ↑ Add reference