Thank 8) Sem’on.

The folks at Verizon are doing a great job with their Data Breach Investigation Reports. Their latest edition is their second and it warrants a thorough review. My biggest concern involves their “pseudo-risk” calculation. Regardless of whether it is pr…

Now, on to “pseudo-risk”…

Pete

You’re right. A “qualified” consequence statement can be very useful. You said early in the post, however, that frequency was the only necessary component, which was what I was disagreeing with.

So, are we in agreement that some statement of consequence significance is necessary for a risk statement?

Thanks,
Jack

I think we are getting ahead of ourselves here… Don’t forget that qualitative risk analysis is alive and well and employ risk statements all the time.

I don’t see how the info provided above and also books such as “Calculated Risks” by Gerd Gigerenzer and “Risk!” from the folks at the Harvard Center for Risk Analysis can all have it wrong. They rarely, if ever, quantify consequences.

I guess I misunderstood your question. Sorry.

I can’t argue with the notion of not quantifying consequences — but it isn’t then a risk statement. It’s a likelihood/frequency statement, and they aren’t the same thing. Without at least roughly quantified consequences, we can’t understand the true significance of an issue. We also sure as heck can’t compare the significance of on issue where consequences have been quantified with one where it hasn’t.

Thanks,
Jack

You don’t really answer my question, but I agree with your allusion that there are varying magnitudes of consequences that are worth paying attention to.

I think we are much more likely to ignore the likelihood, not the consequence.

I guess I should continue to repeat myself that I think quantifying consequences is better than not doing it, but I think it is still legitimate not to do it.

Thanks,

Pete

Perhaps here’s an answer to your question about the medical use-case: Not all heart attacks are fatal, not all cancer kills. Our industry’s tendency to avoid quantification of consequence, and often to assume worst-case, is a key contributor to our “chicken little” image.

As for how to arrive at a well-reasoned probable loss magnitude estimate, there are methods and principles that make it feasible — and not as difficult as we tend to make it out to be. For one thing, you need to get the appropriate SME’s involved (and they ain’t the infosec team). It also helps to use an effective taxonomy for loss. Last but not least, there’s more data available than we tend to recognize — you just need to know where to look (which the taxonomy helps with). Will the estimates be precise? No. Will they be accurate and useful? Yes.

Thanks,
Jack

Yours is certainly a reasonable opinion to have, but I wonder if you are a victim of your own experience. The literature on risk is much, much broader than simply its use in insurance, so why must everyone conform to your model?

I should note that I agree that quantifying losses in dollars (or other currency) is more beneficial, however, there are many skeptics in the infosec world that believe information asset value (and corresponding losses) cannot be quantified very well.

I would love to understand whether you think the medical community is using the term incorrectly when they talk about, for example, the risk of heart attack.

Neither you nor Chris have addressed this use case.

Thanks,

Pete

[Btw, what does profit have to do with this issue?]