Finding The Hidden InfoSec Story

The Tower of Babel and the Vocabulary of Risk Management


The Book of Genesis (11:7) says:

““The whole world spoke the same   language, using the same words”… confuse their language so that one does not understand what another says.”

The fact is that terms such as: potential, chance, probability, likelihood, uncertainty and risk are used interchangeably, often incorrectly. The non-specialist needs to be aware of this to avoid confusion.

Probability: An estimate of how likely an event or series of events is likely to happen, can be calculated using mathematical models that require data that meets specific conditions.  Surprisingly, a simple statement such as: “the chance of rain tomorrow is 30%,” means different things to individuals (including bizarre interpretations such as 3 out of 10 meteorologists agree.)

Chance is often used as a synonym for probability. So is likelihood. In the context of information security, it means that there are no means to assign a number to it. Instead, practitioners use levels such as Low, Medium and High supported by “educated guesses”.

Key point: probabilities apply to large groups of comparable items. For an individual, the applicable concept is uncertainty.

Uncertainty: Having knowledge so limited that is impossible to describe a future outcome. For example,

Key point: uncertainty is what individual organisations and/or individuals deal with. Statistics may tell you at age 40 that the probability of reaching retirement age is 85%. However this is no guarantee that you will apply to you as an individual.

Risk:

ISO 31000-2009, an international standard, defines risk as: “the effect of uncertainty on objectives. It includes negative and positive impacts on objectives.

Back to the Tower of Babel: there are several other definitions of risk. Information security, risk is defined in the international standard ISO 2700-2008 as “the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.”

Reading both definitions illustrates why the subject is confusing and why different domains of risk (medical, financial, occupational hazard, etc.) rely on different approaches to risk management.

 

Author: Ed Gelbstein

Share This Post On