Global Security, Privacy, & Risk Management

Risk 101: An Introduction To Risk April 24, 2011

Risk is inherent in everything people do in life and risk analysis is employed by people every day to make the many decisions.  While many may not realize it, risk analysis is employed by people in making even the most seemingly simple decisions: “Should I bring an umbrella?” or “I don’t think I’ll park my car in this unlit parking lot.”  To understand how these simple questions apply a rather complex analysis, it is important to understand the essential components of risk.

In the most basic sense, Risk can be defined as “…the potential negative impact to some characteristic of value that may arise from a future event, or we can say that “Risks are events or conditions that may occur, and whose occurrence, if it does take place, has a harmful or negative effect.” 

Risk is commonly described as the probability or likelihood of a known loss.  For our purposes, we will define Risk as a function of the following:

The likelihood of an Event occurring and the resulting Impact should the event occur.

Understanding risk and how it applies is critical to minimizing exposure to events and to enabling effective, efficient risk management techniques. While the term ‘risk’ is used frequently within many industries, it is often used erroneously.

Consider the following example. On any given day there is a possibility that a meteorite will crash into a house, likely resulting in the total destruction of the house. While the impact would be a total loss of the house, the likelihood of the event occurring is, we hope, infinitesimally small.

Contrast that with the possibility that the same house could catch fire from an electrical malfunction or other issue. While most home fires do not result in a total loss of the house and the likelihood of the house being completely destroyed is less than if it were hit by a meteor, the probability of the event occurring is much greater. This is why fire insurance is a sound investment and meteor insurance is most likely not.

Many risk models attempt to quantify risk by using monetary values to represent the impact of an event and use a probability of an event occurring during a given year to represent the likelihood.

A basic method of quantifying risk in information security is to multiply the likelihood of an event occurring in a given year (expressed as a probability) by the expected impact (in dollars) should the event be realized.  The calculation can thus be expressed as:

( % of Event A occurring) X ($ Impact should Event A be realized) = Annualized Loss Expectancy (ALE)

Applying this model assume there is a 5% probability that an event will occur in a given year and the estimated damage will be $10,000. In this scenario the Annualized Loss Expectancy (ALE) is calculated at $500 per year (5% x $10,000). This is the basic premise, though certainly there are much more advanced actuarial data and more sophisticated models on which insurance premiums are based. In a perfect world, actuarial and other information would be available to allow people to evaluate Risk with a great degree of accuracy.  In the world in which we live, it is rarely quite that simple.

Identifying the potential events and estimating their likelihood and expected loss is difficult.  These concepts will be covered in later blog posts.