Too many organisations fail to understand what risk really means and, thus, how to perform a risk assessment.
This was the conclusion of a Computer Weekly article written by security consultant Mike Barwise over a decade ago, but his argument is unfortunately as true now as it was at the time.
“Measures of likelihood are generally built around statements such as ‘twice a week’ or ‘once in three years’,” Barwise writes, “which lead us to confuse statistical probability with the realities of event occurrence in the operational context.”
“A general lack of statistical expertise among practitioners causes us to miss the point that statistical probability is not the whole story.”
Barwise defines risk as the “combination of possibility and danger”. As such, the risk assessment needs to determine both of these factors – how dangerous the threat is, and the likelihood of it happening.
Many IT risk assessments fail because organisations do not understand this, Barwise writes, with the concept of ‘likelihood’ causing the most issues. He compares determining the possibility of a data breach to predicting the outcome of a coin toss.
“Given a perfectly balanced coin, over a large number of tosses we would expect heads to come up half the time (a probability of 0.5). But this says absolutely nothing about whether heads will come up next.
“Similarly, a probability of a given IT security breach occurring ‘once in five years’ does not mean it will not happen twice next Tuesday.”
Because this appears so illogical, Barwise says that risk assessors – unaware of how subjective their decision-making is – don’t take necessary precautions to protect their organisation in light of the risk assessment.
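To make the coin-toss point concrete in numbers, the following is an added example (not part of the article and not Barwise's own material). It treats "once in five years" as a long-run average arrival rate and models incidents as a Poisson process; that modelling choice is an assumption the article does not make, and the constants and function names are illustrative. The analytic functions give the chance of at least one, or at least two, incidents in any chosen window, and a seeded simulation of many five-year windows shows how often the "once" actually turns out to be zero, one or several.

```python
import math
import random

# Added example, not from the article. Assumption: incident arrivals follow
# a Poisson process whose long-run average is the rate a risk register
# records, e.g. "once in five years" -> 0.2 incidents per year.
RATE_PER_YEAR = 1.0 / 5.0          # "once in five years"
DAYS_PER_YEAR = 365.0


def prob_exactly(k: int, rate_per_year: float, years: float) -> float:
    """Probability of exactly k incidents in a window of `years` years."""
    lam = rate_per_year * years      # expected incidents in the window
    return math.exp(-lam) * lam ** k / math.factorial(k)


def prob_at_least(k: int, rate_per_year: float, years: float) -> float:
    """Probability of k or more incidents in the window (1 - P(0..k-1))."""
    return 1.0 - sum(prob_exactly(i, rate_per_year, years) for i in range(k))


def simulate_five_year_windows(rate_per_year: float, windows: int,
                               seed: int = 1) -> dict:
    """Simulate `windows` independent five-year periods and tally how many
    saw 0, 1, or 2+ incidents. Inter-arrival times are exponential with
    the window's expected count as the rate (the window is the time unit)."""
    rng = random.Random(seed)
    lam = rate_per_year * 5.0
    tally = {"0": 0, "1": 0, "2+": 0}
    for _ in range(windows):
        t, n = rng.expovariate(lam), 0
        while t <= 1.0:              # count arrivals inside the window
            n += 1
            t += rng.expovariate(lam)
        tally["0" if n == 0 else "1" if n == 1 else "2+"] += 1
    return tally


if __name__ == "__main__":
    one_day = 1.0 / DAYS_PER_YEAR
    print("P(>=1 incident in any given year):",
          round(prob_at_least(1, RATE_PER_YEAR, 1.0), 4))
    print("P(>=1 incident in a five-year window):",
          round(prob_at_least(1, RATE_PER_YEAR, 5.0), 4))
    print("P(exactly 1 incident in five years):",
          round(prob_exactly(1, RATE_PER_YEAR, 5.0), 4))
    print("P(>=2 incidents next Tuesday):",
          f"{prob_at_least(2, RATE_PER_YEAR, one_day):.2e}")
    print("20,000 simulated five-year windows:",
          simulate_five_year_windows(RATE_PER_YEAR, 20_000))
```

Under this model a "once in five years" threat has roughly an 18% chance of materialising in any particular year, only about a 63% chance of appearing at all in a given five-year window, and a small but non-zero chance of striking twice on one day. The simulation makes the same point empirically: around a third of five-year windows see no incident and about a quarter see two or more, which is why a frequency label on a risk register must not be read as a schedule.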
Simple risk management with vsRisk
Getting the risk assessment right can be hard, particularly when organisations don’t fully grasp the threats they face. That is why we offer vsRisk™, a flexible and adaptable risk assessment tool. Users can customise the risk criteria, calculation formula and impact/likelihood scale. Alternatively, they can choose from our default options.
Book your vsRisk demo
We offer live, one-to-one demonstrations with our support team at a time and date that’s convenient for you. Each demonstration gives an overview of the key features in vsRisk and helps you understand how the software can benefit your organisation.