On the one hand there’s the discussions regarding the oh so much needed renewal of ‘risk management’. Trying to drop the ‘heat map’ nonsense and the 3LoD sameness.
On the other, there’s infosec trying to first get rid of all the ‘cyber’ bs (#ditchcyber) and second trying to achieve something against all grains.
On the third hand [like, here], apart from the need to integrate there’s …
A thought about probability. Classical rm talks about risks as a chance of something happening that may impact some objectives
– Of the business kind or not;
– Of the business as a whole or your local ones;
– Either positively xor (only) negatively.
But never ever is there any thought given to the formulation of the chance in time.
When there’s a 10% chance of something going wrong, do you mean tomorrow, next year, or next couple of nanosecondes or what?
Is the chance distributed uniformly over time? How do you take into account probability changes when ‘it’ happens to you tomorrow, or to a competitor, or technology changes, or your (infosec) budget changes [allowing for better mitigation or not – or is that uncorrelated with how you spend ..? think that one through]?
Does your analysis take into account that some mishaps will happen to you as well (or the chance wouldn’t be above absolute zero!) at some point in time; meaning that a. there’s certainty it will happen, b. there’s a chance it will be you that’s hit this time, c. your only real uncertainty is when. Note that b. does include an uncertainty when you don’t define ‘time’ as an interval. Oh and there’s a d. too, being that once you’re hit, it may or may not happen again within that time interval, partially depending on whether you fixed the vulnerability right or not. [Will go study the Weibull distribution now (k>1 and λ=1), and maybe sigmoid distributions.]
And how severe the impact will be, is also quite a grey area of course. Over n dimensions, not just one € amount onto which the dimensions may be projected but then, projection is loss of an enormous kind when it comes to declarative insights let alone normative sames.
Case in point:
The dikes in NL will be breached by a flood, of a one-in-a-ten-thousand-years magnitude. Which may be tomorrow. And next week. Or only after 9.017 years, 2 months and 23 days. Or only after 19.237 years.
But the dikes are still maintained quite well.
Now discuss how global warming may impact these estimates. And how these estimates came about. ‘one-in-a-ten-thousand-years’ …!?
Next up: a discussion on how ‘Operational Risk Management’ misses the mark (among a great many) by not differentiating between actual losses, near misses, and preventative versus detective/corrective controls in a balance with the costs associated with all these.
But first:
[Water conserved, so near the water; Baltimore]
