Low-Probability Events

One of the questions that arose from my talk about risk concerned low-probability events. Since I advocate using historical information to model risk, a low-probability event may not get counted at all, since most enterprises haven't experienced one yet. To make matters worse, the low-probability event is often also a high-impact one: the loss is larger than your average security incident, sometimes by far.

The key to calculating the probability of these events is simple: aggregated information. In the same way that individuals "defy the odds" to win the lottery, companies (presumably not yours) also get hit with low-probability events. In keeping with my approach, then, we need to calculate the probability based on all events, not just the ones our own enterprise has seen. So we are more likely to succeed in calculating this probability if we share data.
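To make the pooling argument concrete, here is an added Python example (not from the post) using constructed company-year counts: it contrasts one enterprise's own zero-event estimate with the rate pooled across all companies, converts that rate to a yearly probability under an assumed Poisson model, and applies the rule of three as an upper bound when nothing has been observed.

```python
"""Estimate the annual probability of a low-probability, high-impact
event from aggregated (cross-company) incident history and compare it
with what a single enterprise would conclude from its own history.

The Poisson model and the rule of three are modelling assumptions
brought in for this example; the post itself only argues for pooling.
"""
import math

# Constructed sample data: (company, company-years observed, events seen).
# These are made-up figures, not real incident statistics.
POOL = [
    ("acme", 8, 0),
    ("globex", 10, 1),
    ("initech", 5, 0),
    ("umbrella", 12, 1),
    ("hooli", 6, 0),
]


def single_firm_rate(years, events):
    """Naive events-per-year rate from one enterprise's own history.
    With zero observed events this is 0: the blind spot the post describes."""
    return events / years


def pooled_rate(pool):
    """Maximum-likelihood annual event rate over all pooled company-years."""
    total_years = sum(years for _, years, _ in pool)
    total_events = sum(events for _, _, events in pool)
    return total_events / total_years


def rule_of_three_upper(years):
    """Approximate 95% upper bound on the annual rate when zero events
    were seen in `years` company-years (the 'rule of three')."""
    return 3.0 / years


def prob_at_least_one(rate, horizon_years=1.0):
    """P(at least one event within the horizon) under a Poisson model."""
    return 1.0 - math.exp(-rate * horizon_years)


def annualized_loss(rate, impact_per_event):
    """Annualized loss expectancy: expected events per year times loss per event."""
    return rate * impact_per_event


if __name__ == "__main__":
    own = single_firm_rate(8, 0)              # acme's view of itself
    pooled = pooled_rate(POOL)
    print(f"own-history rate: {own:.4f}/yr, upper bound: {rule_of_three_upper(8):.3f}/yr")
    print(f"pooled rate: {pooled:.4f}/yr -> P(>=1 in a year) = {prob_at_least_one(pooled):.4f}")
    print(f"ALE at $5M per event: ${annualized_loss(pooled, 5_000_000):,.0f}")
```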

This circumstance also highlights a challenge for security professionals: you may consider simply tolerating the risk. (Here's a thought: we are likely doing this anyway, unless you believe you are impervious to compromise.)
