Tag Archives: expected utility

Why the “Risk = Threat x Vulnerability x Impact” Formula is Mathematical Nonsense — Part 2

– In my last post, I argued that security risk managers should stop using the “Risk = Threat x Vulnerability x Impact” formula (hereafter, the “R=TVC formula”), for two reasons. First, the variables “Threat” and “Vulnerability” are typically undefined; indeed,…

Why the “Risk = Threats x Vulnerabilities x Impact” Formula is Mathematical Nonsense

– Every now and then I will find a security practitioner presenting the following formula when discussing information security risk analysis (ISRA). Risks = Threats x Vulnerabilities x Impact In some versions of this formula, the word “Consequence” is sometimes substituted for…