Two instances discussing "risk" caught my eye last night:
1. 60 Minutes ran a story last night on the TJ Maxx data theft. They showed an email about the differences between WEP and WPA, from Paul Butka, CIO of TJX, to Lou Julian, an IT employee, dated 11/25/05:
"so???
would you defer?
do you think the risk is likely? and also likely to be significant/material?pb"
(Two asides on the 60 Minutes piece: 1) there is a demo on an auction site where someone is selling four full identities for $100 total… 2) they tied over $1 million in theft to the TJX breach. In the past, the courts have been clear that it takes more than coincidental timing to prove causation, so I wonder what evidence they have. Given the magnitude of the loss and the period of time in question, a large number of these credit card numbers would have been compromised anyway.)
2. An eWeek article on the TJX incident also suggests:
The documents are intended to show that TJK [sic] management knew of the risks of not upgrading, but delayed anyway, to save money.
The ambiguous usage of the word "risk" is well documented by Paul Slovic in, for example, "Perception of Risk Posed by Extreme Events", and these two instances seem to follow that pattern.
In the first instance, Mr. Butka appears to be seeking greater than 50% probability of compromise – for something to be "likely" I think it should at least be "more likely than not". I suspect he didn’t intend this, and in any case nobody could answer without some idea of his time horizon. He also hints at some notion of consequences in the next line when he asks about materiality associated with the risk. At least he uses the risk equation.
The second instance really uses the word "risk" in place of "possibility" – nobody really "knows" what the probability of compromise is (or was) in this scenario. I suspect that this "risk" was probably extremely low, perhaps with a lower expected value than the cost of upgrading would justify, but TJX happens to be that outlier.
It will be interesting to see how this plays out. Previous court cases (e.g. Brazos vs. Guin) have required some quantification of risk in order to demonstrate the increased likelihood of future damages, but in this case there appears to be actual evidence of damage caused by the breach.
If the outcome suggests that simply knowing about possibilities is enough to somehow understand the probabilities, we’re all in trouble.
Pete,
This is a nice catch. It’s a good demonstration of people not understanding the terminology of security. When I read:
“do you think the risk is likely? and also likely to be significant/material?”
I am really seeing:
“Do you think exploitation is likely? And will the impact be significant/material?”
Depending on the answers to those questions, then the risk can be assessed.
I think as you observed, “risk” is never “likely.” Risk incorporates “frequency”, however, and that’s when you can use words such as “likely”.