Risk is Not a Primary Metric

“Risk” is not a primary metric.

What do I mean by that?
Primary metrics are the ones you can measure directly.
In physics they are things like length, weight, temperature, time duration.
Secondary metrics most people can understand, such as the rate of change we call speed (length as distance divided by elapsed time).
Some secondary and many tertiary metrics we can understand intellectually, but they have to be tabulated and calculated, as with acceleration.
Some, such as ENTROPY, still baffle people.

My experience with managers is that they often confuse risk for any number of things, not least of all simply equating risk to threats.

Then again, I’ve met managers who would only commission a TVA if it was a contractual requirement, and then they might just ignore it, or if the contract required it, use it obsessively but with no actual understanding. BTDT.

The Classical Risk Equation

What we had drilled into us when I worked in Internal Audit and when I was preparing for the CISA exam was the following

RISK is the likelihood that a
THREAT will exploit a
VULNERABILITY to cause harm to an
ASSET

R = f(T, V, A)

Why do you think they are called “TVAs”?

More sensibly the risk is the sum over all the various ..
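As an added illustration, not code from the original post: a small Python risk register that computes R as the sum over every (threat, vulnerability, asset) triple rather than as a count of threats or of vulnerabilities. The functional form used, expected threat frequency times probability of successful exploitation times asset value, is an assumption made here to get a concrete number; the post itself only says R = f(T, V, A). The threats, assets, vulnerabilities and all figures are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable

# Added example, not the post's own code. The multiplicative form below
# (frequency * p_success * value) is one assumed instance of R = f(T, V, A).


@dataclass(frozen=True)
class Threat:
    name: str
    frequency: float        # expected attempts per year (constructed figure)


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # loss if compromised, arbitrary units (constructed)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: str                      # the asset this weakness sits on
    exploitable_by: FrozenSet[str]  # names of threats able to use it
    p_success: float                # probability one attempt succeeds


def exposure(t: Threat, v: Vulnerability, a: Asset) -> float:
    """Risk contributed by a single (threat, vulnerability, asset) triple.

    A threat with no vulnerability it can exploit, or a vulnerability on an
    asset worth nothing, contributes zero: risk is the derived quantity,
    not the threat count and not the vulnerability count.
    """
    if v.asset != a.name or t.name not in v.exploitable_by:
        return 0.0
    return t.frequency * v.p_success * a.value


def total_risk(threats: Iterable[Threat], vulns: Iterable[Vulnerability],
               assets: Iterable[Asset]) -> float:
    """R = sum over all (T, V, A) combinations."""
    return sum(exposure(t, v, a) for t in threats for v in vulns for a in assets)


def risk_by_threat(threats, vulns, assets) -> Dict[str, float]:
    """The same sum tabulated per threat: which threats actually carry risk."""
    return {t.name: sum(exposure(t, v, a) for v in vulns for a in assets)
            for t in threats}


def risk_by_asset(threats, vulns, assets) -> Dict[str, float]:
    """The same sum tabulated per asset: where the harm would land."""
    return {a.name: sum(exposure(t, v, a) for t in threats for v in vulns)
            for a in assets}


# Constructed sample register.
THREATS = [
    Threat("phishing", frequency=12.0),
    Threat("opportunistic scanning", frequency=50.0),
    Threat("insider", frequency=200.0),   # frequent, but nothing below for it to exploit
]
ASSETS = [Asset("payroll-db", 100_000.0), Asset("test-vm", 100.0)]
VULNS = [
    Vulnerability("weak-admin-password", "payroll-db", frozenset({"phishing"}), 0.05),
    Vulnerability("unpatched-ssh", "test-vm", frozenset({"opportunistic scanning"}), 0.2),
]

if __name__ == "__main__":
    print(f"total R = {total_risk(THREATS, VULNS, ASSETS):,.0f}")
    by_threat = risk_by_threat(THREATS, VULNS, ASSETS)
    for name, r in sorted(by_threat.items(), key=lambda kv: -kv[1]):
        print(f"  {name:24s} {r:>10,.0f}")
```

The "insider" entry is the point of the exercise: it is the most frequent threat in the register and contributes no risk at all, because nothing in the vulnerability list is exploitable by it. Counting threats would rank it first; calculating R ranks it last.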

This isn’t just me sounding off. Richard Bejtlich says much the same thing and defends it from various sources. I can’t do better than he has.
