Low-Probability Events

One of the questions that arose from my talk about risk concerned low probability events. Since I advocate using historic information to model risk, a low probability event may not get counted, since most enterprises haven’t experienced one yet. To make matters worse, the low-prob event is often also a high impact one – the loss is higher than your average security incident, sometimes by far.

The key to calculating the probability of these events is simple: aggregated information. In the same way people "defy the odds" to win the lottery, companies (presumably not yours) also get hit with low-prob events. In keeping with my approach, then, we need to calculate the probability based on all events. So, we are more likely to be successful in calculating this probability if we share data.

This circumstance also highlights a challenge for security professionals – you may consider simply tolerating the risk. (Here’s a thought: we are likely doing this anyway, unless you believe you are impervious to compromise.)