Risk=ProbOfLoss(threat,vulnerability, countermeasures, …) * AssetValue.

In this more accurate formula, you can have a zero threat, but still have a non-zero probability of loss.

Risk = ((Vulnerability X Threat) / Countermeasures) X Asset value

As I see it, this formula only serves the purpose of making us aware of the factors — quantifying them and calculate the risk as a number is quite difficult, if not impossible.

Likelihood defined that way, to me, has limited meaning in the context of security events (how often does an attack without response occur just once?).

Second If I grant you that we break R down that way, What do you mean by “the probability of Threat” and “the Probability of Vulnerability”?

I’m not being facetious, I’d really like to know, because those probabilities have no meaning to me unless you have a more specific definition.

Likelihood defined that way, to me, has limited meaning in the context of security events (how often does an attack without response occur just once?).

Second If I grant you that we break R down that way, What do you mean by “the probability of Threat” and “the Probability of Vulnerability”?

I’m not being facetious, I’d really like to know, because those probabilities have no meaning to me unless you have a more specific definition.

Risk is the likelihood of loss — a probability number between 0 and 100. So TxV are the components of that probability number (leave consequences out of it for now). And if we actually have probability of threat and probability of vuln, then you multiply probabilities together to get the risk. If T or V is 0, then the total risk is 0.

What is the logic of multiplying Threat times Vulnerability?

Then, what is the logic of multiplying by Asset?

I don’t think it is a problem at all to say that R/(A*V) “is the same as” T so we must be thinking differently there. I also think that the ordinal/interval number thing is a red herring. I would rather have absolute numbers, but I can live with someone prioritizing using a scale.

I should clarify – my preference is to think of risk as a function of threats, vulns, and consequences. Then, I make consequences qualitative (e.g. owning a system) so that threats and vulns consist of a probability. Finally, I think of T and V as percentage of bad flows, sessions, program operations, transactions.

That said, I don’t see anything wrong with Richard’s logic and I generally use it myself in a quick analysis.

If you can provide an example using risk assessments (and not calendar dates) where this is obviously “stupid”, I would appreciate it.

It’s 5am and I’ve not had my coffee so this may be a little rough, but take a second and play with that equation using basic algebra. You’ll get all sorts of nice things like 1/T*R=A*V and such.

As you do it, focus on the “=” sign and it’s meaning – a nice test is to not say “equals to” but to say “is the same as”. I think you’d have a tough time suggesting that Threat “is the same as” R/A*V. But if that equation is logical – then that should be true.

But the stupidity of that equation is just one part of the problem. Then using “0″ as part of your ordinal or interval scale and then plugging that somewhere into that equation – things just become even sillier.