02. Risk Overview

Risk management is undoubtedly a concept you already understand and practice. In your everyday life, you’re constantly assessing risk. You’re thinking about things like: Is it safe to fly today? Is this something I should eat? Should I trade a stock? Here, we ask: is it safe to pet a dinosaur? Regardless of the question, you are likely doing some rough calculation of risk based on prior experience. In theory, you make a final decision about how to act based on the risk and a perceived benefit. Let’s talk about the dinosaur, for instance. Your head probably tells you that trying to pet a dinosaur is a bad idea, but wouldn’t it be amazing to tell your friends that you actually petted a dinosaur? What would you do? Your decision tells us what your risk tolerance is for petting a dinosaur.

Let’s stick with the dinosaur for just a moment. If you are assessing the risk associated with petting a dinosaur, the action of petting the dinosaur is probably not the risk you’re actually evaluating. The risk is probably a different question: will the dinosaur bite me? You would probably be assessing the likelihood and the impact of a dinosaur bite. How likely is it that the dinosaur would bite me? How devastating would that bite be? That is how we measure risk: risk is a function of likelihood × impact.

Now, fast-forwarding from the Mesozoic era to the 16th century, we start to see an appreciation for the measurement of risk as mathematicians begin to calculate the “chance,” or probability of occurrence, related to dice and card games. By the mid-17th century, Blaise Pascal co-develops the first Theory of Probability. This is noteworthy because probability is rooted in mathematics, and probability is the basis for risk management in many industries. Likelihood roughly equates to probability. It’s also noteworthy because those same mathematical principles don’t necessarily apply to security risk management. It’s this that makes security risk management somewhat controversial.