In a recent post to his blog, Jack Jones asks, “What’s ‘a risk’ anyway?” This is a great question, especially since a lot of people working in information security seem to use the word in a variety of ways, ways that often violate common usage among risk professionals. Perhaps this is because many information security professionals are unaware that the concept of risk and the techniques for analyzing it were developed long before the rise of information security as a profession. The reality is that information security is (relatively speaking) a newcomer to the risk analysis field, and other disciplines have much better defined models and techniques that we as infosec professionals could benefit from.
For that reason, I propose that to find the answer we take an interdisciplinary approach and look outside the field of information security. Let us begin with a foundational term, “hazard.” A hazard is an outcome that constitutes a source of danger. A risk is a situation in which more than one outcome is possible (and hence not certain), and at least one outcome involves a hazard.
Jack states that, if asked to provide a list of key risks within their scope of responsibilities, many infosec professionals would answer with a list of issues. I think this is probably correct. The problem, he says, is that such lists make it difficult to measure, compare, and/or prioritize issues. Again, I agree. The only point I would add is that it is sometimes difficult to measure, compare, and/or prioritize ‘real’ risks (i.e., items that are a function of both probability and impact). Different risks may have qualitatively different types of impacts (e.g., monetary loss, inconvenience, loss of life, etc.). And, as Nicholas Rescher pointed out long ago, it’s far from obvious that there is a common unit of measurement we can use to compare such risks. We may have to measure the risks of different hazard types using different units of measurement, just as we use different units of measurement for lengths, temperatures, and weights (Rescher, Risk, pp. 20-21).
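To make the distinction concrete, here is a small risk register written as an added example for this post; it is not code from Jack Jones's post or from Rescher, and the class and function names and the sample entries are my own construction. Each entry records a probability and an impact, and the impact carries its unit. Ranking is done only within a unit; asking the register to compare a monetary risk against an availability risk raises an error rather than silently collapsing them onto one scale, which is Rescher's point about the missing common unit.

```python
from collections import defaultdict
from dataclasses import dataclass


class IncommensurableError(ValueError):
    """Raised when two risks with different impact units are compared directly."""


@dataclass(frozen=True)
class Risk:
    """A risk in the sense used above: an uncertain outcome involving a hazard,
    characterised by a probability and an impact expressed in a named unit."""
    name: str
    probability: float  # probability of the hazardous outcome over the period, 0..1
    impact: float       # magnitude of the hazard if it occurs
    unit: str           # unit of the impact, e.g. "USD", "hours"

    def __post_init__(self) -> None:
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be in [0, 1]")
        if self.impact < 0:
            raise ValueError(f"{self.name}: impact must be non-negative")

    def expected_loss(self) -> float:
        """Probability-weighted impact, in the risk's own unit."""
        return self.probability * self.impact


def compare(a: Risk, b: Risk) -> float:
    """Difference in expected loss; only meaningful when both share a unit."""
    if a.unit != b.unit:
        raise IncommensurableError(
            f"cannot compare {a.unit} against {b.unit} without a conversion rule"
        )
    return a.expected_loss() - b.expected_loss()


def rank_by_unit(risks: list[Risk]) -> dict[str, list[Risk]]:
    """Group risks by impact unit and sort each group by expected loss, highest first."""
    groups: dict[str, list[Risk]] = defaultdict(list)
    for r in risks:
        groups[r.unit].append(r)
    return {
        unit: sorted(group, key=lambda r: r.expected_loss(), reverse=True)
        for unit, group in groups.items()
    }


def top_risk_per_unit(risks: list[Risk]) -> dict[str, str]:
    """Name of the highest expected-loss risk in each unit."""
    return {unit: group[0].name for unit, group in rank_by_unit(risks).items()}


# Constructed sample register (hypothetical figures, for illustration only).
SAMPLE_REGISTER = [
    Risk("ransomware on file server", 0.10, 250_000.0, "USD"),
    Risk("phishing-driven wire fraud", 0.30, 40_000.0, "USD"),
    Risk("VPN outage during release week", 0.50, 16.0, "hours"),
    Risk("backup restore failure", 0.05, 72.0, "hours"),
]


if __name__ == "__main__":
    for unit, group in rank_by_unit(SAMPLE_REGISTER).items():
        print(f"--- {unit} ---")
        for r in group:
            print(f"{r.expected_loss():>12.1f} {unit}  {r.name}")
    try:
        compare(SAMPLE_REGISTER[0], SAMPLE_REGISTER[2])
    except IncommensurableError as e:
        print("refused:", e)
```

A plain "issue" (a missing patch, say) has no probability or impact attached and cannot even be constructed as a `Risk` here; turning it into one forces the analyst to state what hazardous outcome it could lead to and how likely that is, which is the move from an issue list to a risk list that the post describes.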