[Note: I decided to write this to clarify my thoughts on how risk is calculated in response to a question I have about Wade Baker's pseudo-risk calculation in the Verizon Data Breach Investigations Report (DBIR). This may be useful to others still working through the details of risk.]
The first and only necessary component of risk is likelihood. Likelihood is driven by the uncertainty of which outcome, within a set of possible outcomes, will occur for any single event. Some of those outcomes are wanted, and some unwanted by those involved in decision-making (I use the word “unwanted” instead of “negative” to cover a broader set of outcomes and to acknowledge that there are varying opinions about what is unwanted). If the mix of unwanted outcomes is not random or equally distributed (e.g. 2 possible outcomes each happening half the time, or 3 outcomes each happening 1/3 of the time), we use past frequencies of outcomes to inform our beliefs about future risks. The portion of unwanted outcomes out of the total population of outcomes is our likelihood number, which corresponds to risk when dealing with potential losses.
The other component of risk involves consequences. I noted above that likelihood is the only necessary component of risk. That is because it is often suggested that in order to quantify risk we must quantify our consequences as well, but this isn’t the case. Since we are identifying unwanted outcomes anyway, in many cases we implicitly understand the value or loss involved, even if we don’t quantify it in dollar (or other currency) terms. Moreover, we can quantify consequences in whatever other units are available in the circumstances being evaluated. Whatever numbers we use, they constitute the total number of units in the population of outcomes. In IT security, that might be the total number of endpoints, the total number of records, or the total value of the assets, for example.
When we do have a number to express consequences, we use the risk (estimated using previous frequencies as a starting point), i.e. the likelihood expressed as a fraction of total outcomes, to discount the total population. This is simply an expected value calculation.
Take for example a sales pipeline. The value of a sales pipeline for a company is the likelihood of closing a deal (making a sale) multiplied by the total possible amount of the deal itself. This likelihood number is a discount factor used to reduce the amount in question based on the risk involved. So a $100,000 deal with a 70% likelihood of closing is worth $70,000 in the pipeline. Risk is like the inverse of the pipeline numbers, since the pipeline measures positive outcomes and risk measures negative (unwanted) ones.
The final outcome of a risk calculation may be
- the probability itself, qualified by what is meant in terms of consequences,
- the portion of the population that is expected to be affected by the unwanted outcome (using the likelihood as a discount factor for the total population), or
- the “value-at-risk” (VaR) expressed in monetary terms (our universal unit of costs or losses) that involves translating the number derived in the previous measure into currency units.
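The procedure described above, carried through in code as an added example (it is not part of the original post): derive the likelihood from a history of observed outcomes, then express the risk in each of the three forms listed, alongside the sales-pipeline discount from the earlier paragraph. The outcome history, population size and per-unit value are constructed sample figures, and the function names are my own.

```python
"""Worked example of the risk calculation described in the post.

Added illustration, not the post's own code. All data below is constructed:
a short history of per-endpoint audit outcomes, a fleet size, and a per-unit
loss figure chosen only to make the arithmetic easy to follow.
"""

from collections import Counter
from dataclasses import dataclass


def likelihood_from_history(outcomes, unwanted):
    """Fraction of past events whose outcome falls in the unwanted set.

    This is the 'portion of unwanted outcomes out of the total population of
    outcomes' from the post: past frequencies used as the starting estimate
    of future likelihood. Outcomes not in `unwanted` are treated as wanted.
    """
    if not outcomes:
        raise ValueError("need at least one observed outcome to estimate likelihood")
    counts = Counter(outcomes)
    unwanted_total = sum(counts[o] for o in unwanted)
    return unwanted_total / len(outcomes)


@dataclass(frozen=True)
class RiskEstimate:
    """The three ways the post says a risk calculation may be reported."""
    likelihood: float        # the probability itself
    expected_units: float    # share of the population expected to be affected
    value_at_risk: float     # the same share translated into currency units


def estimate_risk(likelihood, population, unit_value):
    """Discount a population (and its value) by the likelihood: expected value.

    `population` is the total number of units at stake (endpoints, records,
    ...); `unit_value` is the loss per affected unit in currency terms.
    """
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability in [0, 1]")
    if population < 0 or unit_value < 0:
        raise ValueError("population and unit value cannot be negative")
    expected_units = likelihood * population
    return RiskEstimate(
        likelihood=likelihood,
        expected_units=expected_units,
        value_at_risk=expected_units * unit_value,
    )


def pipeline_value(deal_amount, close_likelihood):
    """The mirror-image case from the post: a wanted outcome discounted by
    its likelihood, e.g. a $100,000 deal at 70% is carried at $70,000."""
    if not 0.0 <= close_likelihood <= 1.0:
        raise ValueError("close likelihood must be a probability in [0, 1]")
    return deal_amount * close_likelihood


# Constructed sample history: monthly audit results for ten endpoints, where
# "compromised" is the unwanted outcome and the other labels are wanted.
SAMPLE_HISTORY = ["clean"] * 6 + ["patched_late"] * 1 + ["compromised"] * 3
UNWANTED = {"compromised"}


def sample_estimate():
    """Run the full chain on the constructed data and return the estimate."""
    p = likelihood_from_history(SAMPLE_HISTORY, UNWANTED)     # 3 of 10 -> 0.3
    # Constructed population and per-unit loss: 1,000 endpoints at $500 each.
    return estimate_risk(p, population=1000, unit_value=500.0)


if __name__ == "__main__":
    est = sample_estimate()
    print(f"likelihood:        {est.likelihood:.2f}")
    print(f"expected affected: {est.expected_units:.0f} endpoints")
    print(f"value at risk:     ${est.value_at_risk:,.0f}")
    print(f"pipeline value:    ${pipeline_value(100_000, 0.7):,.0f}")
```

The three fields of `RiskEstimate` map one-to-one onto the three reporting forms in the list above; which one to present depends on whether a population count or a per-unit value is actually available, exactly as the post argues.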