Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Jeff Lowder

The Difference between Quantitative and Qualitative Risk Analysis and Why It Matters (Part 2)

While at first glance this definition seems quite reasonable, doubts begin to arise when we reflect upon how to interpret the NIST interval scales numerically. First, since the numerical range of probability values for each of the intervals is never defined, it is not obvious that the NIST definitions are actually correct. Suppose we conservatively assume that the “High” interval represents the range of probability values greater than 50%. Does the NIST definition of “High” entail that the threat event is more probable than not? Not necessarily: there may be external factors preventing the threat source from exploiting the vulnerability, factors that have nothing to do with the controls an organization has put into place.

2. Qualitative methodologies “multiply” qualitative probabilities by qualitative impacts in order to arrive at a qualitative risk rating or score. In theory, there is nothing wrong with this. Some qualitative methodologies go a step further, however, and pretend that two or more qualitative risk ratings in the same interval are equal, when in fact they are not. For example, two risks may each be assigned a “high” risk score because they both have high probability and high business impact (high negative utility). It would be fallacious to assume that the two risk scores are equal, however. Suppose that the “High probability” interval represents probability values of 70-100% and the “High impact” interval represents a monetary impact greater than $1M. (As an aside, this is a common problem with many applications of qualitative methodologies: the interval scales are never defined.) Let risk #1 be an outcome with a probability of 70% and an impact of exactly $1M. (We are assuming there are no non-monetary impacts.) Let risk #2 be an outcome with a probability of 90% and an impact of exactly $2M. According to qualitative methodologies (and using the interval scale just provided), both risks would be assigned a “high” risk score. Yet the risk scores are clearly not equal. The expected utility of risk #1 = 0.7 × $1,000,000 = $700,000. The expected utility of risk #2 = 0.9 × $2,000,000 = $1,800,000.
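The following script is an added example, not part of the column, that carries the risk #1 / risk #2 comparison through in code and generalizes it: it bins numeric probabilities and impacts onto ordinal scales, derives a heat-map style rating from them, and then checks whether the ordinal ratings agree with expected loss. The “High” bounds (probability 70-100%, impact of $1M and above, treating the column's "exactly $1M" case as High) come from the text; the Low/Medium bounds, the 3×3 rating matrix, and risks #3 and #4 are assumptions constructed for the example. Risk #4 illustrates a consequence the column only implies: a low-probability, very-high-impact event can land in a lower qualitative bin than both of the column's “high” risks while carrying the largest expected loss of all.

```python
from dataclasses import dataclass
from itertools import permutations

# Interval scales. The "High" bounds come from the column; the Low/Medium
# bounds and the rating matrix below are assumptions made for this example.
PROB_BANDS = [("Low", 0.0, 0.3), ("Medium", 0.3, 0.7), ("High", 0.7, 1.0)]
IMPACT_BANDS = [
    ("Low", 0, 100_000),
    ("Medium", 100_000, 1_000_000),
    ("High", 1_000_000, float("inf")),
]
RANK = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # probability the threat event occurs, in [0, 1]
    impact: float       # monetary loss if it occurs, in dollars


def band(value, bands):
    """Map a numeric value onto the label of the interval it falls in.
    Intervals are closed at the bottom; the top band is closed at both ends,
    so a probability of exactly 1.0 is still 'High'."""
    for label, lo, hi in bands:
        if lo <= value < hi:
            return label
    label, lo, hi = bands[-1]
    if lo <= value <= hi:
        return label
    raise ValueError(f"{value} lies outside the defined scale")


def qualitative_rating(risk):
    """Heat-map rating: multiply the ordinal ranks and bucket the product.
    Thresholds (product 6-9 High, 3-4 Medium, 1-2 Low) are an assumption."""
    product = (RANK[band(risk.probability, PROB_BANDS)]
               * RANK[band(risk.impact, IMPACT_BANDS)])
    if product >= 6:
        return "High"
    if product >= 3:
        return "Medium"
    return "Low"


def expected_loss(risk):
    """Quantitative risk: probability times monetary impact."""
    return risk.probability * risk.impact


def inversions(risks):
    """Pairs (a, b) where a holds the higher qualitative rating but b has the
    larger expected loss, i.e. where the ordinal scale orders the risks
    the wrong way round."""
    found = []
    for a, b in permutations(risks, 2):
        if (RANK[qualitative_rating(a)] > RANK[qualitative_rating(b)]
                and expected_loss(a) < expected_loss(b)):
            found.append((a.name, b.name))
    return found


# Constructed sample: risk-1 and risk-2 are the column's two risks;
# risk-3 and risk-4 are assumed additions.
RISKS = [
    Risk("risk-1", 0.70, 1_000_000),   # High x High   -> High,   EL $700,000
    Risk("risk-2", 0.90, 2_000_000),   # High x High   -> High,   EL $1,800,000
    Risk("risk-3", 0.50, 1_200_000),   # Medium x High -> High,   EL $600,000
    Risk("risk-4", 0.25, 10_000_000),  # Low x High    -> Medium, EL $2,500,000
]

if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.name}: rating={qualitative_rating(r):<6} "
              f"expected_loss=${expected_loss(r):,.0f}")
    print("rating/expected-loss inversions:", inversions(RISKS))
```

Run as-is, the script reports that risks #1, #2 and #3 all sit in the “High” bucket with expected losses that differ by a factor of three, and that risk #4, rated only “Medium”, outranks every one of them on expected loss. Two treatments follow from this: record the interval bounds alongside the ratings, and keep the numeric probability and impact estimates so the ranking can be checked quantitatively before controls are prioritized.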

