Difference between revisions of "Risk"

From Securipedia
Changes between the two revisions:

The older revision used level-one headings (Risk, Definitions, Objective and subjective risk, Risk assessment, Sources of risk, Related subjects), wiki-links to the Impact, Likelihood, Vulnerability, Threat and Human intent pages, and plain footnote markers. It also contained two passages that the newer revision does not:

  • After the two points on trend analysis: "A way to overcome these problems is to substitute attractivity for probability and conceivability for vulnerability. In this way, assumptions about historical data predicting future events can be avoided."
  • A section Sources of risk: "One way to typify types of risk is by their causes. A cause for risk is called a threat. Threats can be classified into safety threats, consisting of Natural threats, Human failure, Technical failure and Failure of Critical Services, and security threats, which are due to Human Intent." The Related subjects section that followed it was a placeholder (t.b.d.).

The newer revision adds an Introduction heading, demotes the remaining headings one level (The estimation of likelihood in security becomes a subsection of Risk assessment), converts the footnote to <ref> markup with a <references/> list, and adds a placeholder section Uses of risk assessment (t.b.d.).

Revision as of 17:55, 28 February 2012

Risk

Introduction

Risk is a measure of the expectation that an undesirable outcome (impact) will be realised. This expectation covers both the likelihood and the magnitude of the undesired outcome. Quantified levels of risk are often used in a risk assessment to establish whether the risks fall within acceptable limits, or to determine which risks pose the greatest threat.

Definitions

There is no single, universally accepted definition of risk. A prominent definition is given in the ISO 31000:2009 risk management standard, where risk is defined as the "effect of uncertainty on objectives" and both positive and negative effects are included. As this definition is at a high conceptual level and can be counter-intuitive, the definition given in the introduction is used for the purpose of this wiki.

Objective and subjective risk

Risk assessment

Although terminology varies, two widely accepted elements of the definition of risk are that it includes both likelihood and magnitude and, to a lesser extent, that the two are multiplied to arrive at a measure of risk.

A simple but widely used definition of risk is therefore

Risk = Likelihood (probability that the event occurs) X Impact (expected loss if the event occurs).

Many variations exist, for example by distinguishing between the probability that a threat occurs (simply called probability) and the probability that, having occurred, it affects the object (vulnerability). Storm damage is an example: the probability reflects the likelihood of a storm at the object, the vulnerability the likelihood that such a storm causes damage, and the impact the extent of the damage if it does. The quantified risk formula associated with this definition is

Risk = Likelihood (probability that the event occurs) X Vulnerability (probability that the realised event affects the object) X Impact (expected loss when the event affects the object).
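The two formulas above, applied to a small set of scenarios and used the way the introduction describes (ranking risks and checking them against an acceptable limit). This is an added example, not content from Securipedia: the scenario names, probabilities, loss figures, tolerance and impact ceiling are all constructed for illustration.

```python
"""Quantified risk for constructed scenarios, using the two formulas from
the text: Risk = Likelihood x Impact and Risk = Likelihood x Vulnerability x
Impact.  Added example; every figure below is invented for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: float     # probability that the threat event occurs (per year)
    vulnerability: float  # probability the event, once occurred, affects the object
    impact: float         # expected loss if the object is affected (currency units)

    def risk(self) -> float:
        """Expected annual loss: likelihood x vulnerability x impact.
        With vulnerability = 1.0 this is the simpler likelihood x impact."""
        for p in (self.likelihood, self.vulnerability):
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{self.name}: probabilities must lie in [0, 1]")
        if self.impact < 0:
            raise ValueError(f"{self.name}: impact must be non-negative")
        # rounded to cents so that equal expected losses compare equal
        return round(self.likelihood * self.vulnerability * self.impact, 2)


# Constructed scenarios (not from the page): the storm case of the text plus
# two others; storm and ransomware deliberately share the same expected loss.
SCENARIOS = [
    Scenario("storm at site", likelihood=0.30, vulnerability=0.10, impact=200_000),
    Scenario("ransomware on file server", likelihood=0.02, vulnerability=0.50, impact=600_000),
    Scenario("lost unencrypted laptop", likelihood=0.60, vulnerability=1.0, impact=15_000),
]


def rank_risks(scenarios, tolerance):
    """(name, risk, within_limit) tuples, highest risk first; `within_limit`
    is the 'acceptable limits' check of the introduction."""
    rows = [(s.name, s.risk(), s.risk() <= tolerance) for s in scenarios]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def exceed_impact_ceiling(scenarios, ceiling):
    """Scenarios whose single-event impact exceeds `ceiling`, whatever their
    expected loss.  The product L x V x I gives a rare catastrophe and a
    frequent nuisance the same number, so practitioners usually add an
    impact-only check beside the multiplicative ranking."""
    return [s.name for s in scenarios if s.impact > ceiling]


if __name__ == "__main__":
    for name, risk, ok in rank_risks(SCENARIOS, tolerance=8_000):
        print(f"{name:28s} expected loss {risk:>9.2f}  {'ok' if ok else 'ABOVE LIMIT'}")
    print("impact above ceiling:", exceed_impact_ceiling(SCENARIOS, ceiling=500_000))
```

With these figures the laptop scenario ranks highest (9000) and breaches the 8000 tolerance, while the storm and ransomware scenarios tie at 6000 even though one is a rare, large loss and the other a frequent, small one; only the impact-ceiling check separates them.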

The estimation of likelihood in security

The use of probability relies on the ability to make reliable predictions, which is most often based on the analysis of past occurrences and the identification of trends. When determining risk from threats related to human intent, the use of trend analysis to estimate likelihood is criticised[1] for threats that actively seek to cause harm (for example terrorism), because

  • these events occur relatively infrequently, making trends difficult to recognise;
  • in contrast to, for instance, natural threats, the outcome of past events does influence the likelihood of future events: potential perpetrators actively seek the "weakest link", so a defence that stopped the last attack tends to move the next one elsewhere, and the predictive value of trends in past occurrences is in doubt.
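The second point in working form: an attacker who always goes for the weakest link leaves a history that a frequency-based estimate reads as a stable trend, and that estimate is wrong as soon as the defender acts on it. This is an added example and not from Securipedia; the asset names, defence scores and the "attacker always hits the weakest link" rule are constructed assumptions.

```python
"""Why past attack frequencies mispredict an adaptive adversary.
Added example, not from the page: the asset inventory, defence scores and
the rule 'the attacker always hits the weakest link' are constructed."""

from collections import Counter

# Constructed asset inventory: defence score in [0, 1], higher is harder to attack.
CONSTRUCTED_DEFENCES = {"web portal": 0.3, "vpn gateway": 0.5, "hr mailbox": 0.6}


def weakest_link(defences: dict) -> str:
    """Target an adversary seeking the weakest link picks: the asset with the
    lowest defence score (ties broken alphabetically, for determinism)."""
    return min(sorted(defences), key=defences.__getitem__)


def observe_attacks(defences: dict, periods: int) -> Counter:
    """Attack history over `periods`, one attack per period, each aimed at the
    weakest asset.  Defences are fixed during the observation window."""
    history = Counter({asset: 0 for asset in defences})
    for _ in range(periods):
        history[weakest_link(defences)] += 1
    return history


def trend_likelihood(history: Counter, periods: int) -> dict:
    """Trend-based estimate (the natural-hazard approach): likelihood of an
    attack on each asset next period = its observed attack frequency."""
    return {asset: count / periods for asset, count in history.items()}


def harden(defences: dict, asset: str, amount: float) -> dict:
    """Defender's response: raise one asset's defence score."""
    updated = dict(defences)
    updated[asset] = min(1.0, updated[asset] + amount)
    return updated


def trend_versus_adaptive(defences=CONSTRUCTED_DEFENCES, periods=12, hardening=0.5):
    """Observe, estimate likelihood from the trend, harden the asset the trend
    points to, then see where the next attack actually lands."""
    history = observe_attacks(defences, periods)
    trend = trend_likelihood(history, periods)
    most_attacked = max(trend, key=trend.get)
    after = harden(defences, most_attacked, hardening)
    return {
        "trend": trend,                              # frequency per asset
        "trend_next_target": most_attacked,          # trend says: same as before
        "actual_next_target": weakest_link(after),   # the adversary re-targets
    }


if __name__ == "__main__":
    result = trend_versus_adaptive()
    print("trend-based likelihoods:", result["trend"])
    print("trend predicts next target:", result["trend_next_target"])
    print("adaptive adversary actually hits:", result["actual_next_target"])
```

Twelve observed attacks all land on the web portal, so the trend assigns it likelihood 1.0 and the other assets 0.0; hardening the portal in response moves the next attack to the VPN gateway, to which the trend gave no likelihood at all. A natural hazard would not respond this way: hardening the site changes the vulnerability term, not the likelihood of the storm. For intentional threats the estimate has to model the adversary's choice (which asset is most attractive given the current defences) rather than extrapolate the history.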



  1. Add reference