Chandler Howell over at Not Bad for a Cubicle brings up a very common complaint in the information security arena – that we don’t have some universal unit of measurement (Sprechen Sie Risk?). There are two ways to respond to this problem. First, we can assert that we do have a unit of measurement – the percentage point – because risk is simply the likelihood that something bad will happen, and "bad" can be anything we want it to be. Second, we can simply suggest that it doesn’t really matter – any unit is fine, as long as everyone is clear on it. I have never heard anyone say that they couldn’t understand the risk because the unit of measurement was wrong.
Chandler (who happens to be the only guy who actually showed up in Chicago last week) also has a great quote: "Now in closing, I want all the Project Risk people to repeat after me, “Ignoring the Risk is equivilent (sic) to Accepting the Risk, not Avoiding the Risk!”"
Of course when someone quotes me, it’d be something I’d misspelled. Ubiquitous spellcheckers (except in WordPress, obviously) are dulling my edge.
And no link love? I’ve even got a follow-up post! I’d be hurt if you hadn’t bought the beer last week.
More on Universal Measures of Risk
Pete Lindstrom corrected my spelling and offered his own suggestion for a Universal Risk Measure: