Goal 1. Exorcise the word "risk" from the infosec profession unless it's qualified with an adjective. For example, Marty Whitman in "Distress Investing":

'Risk is not a meaningful concept unless modified by an adjective. There exist market risk, investment risk, Chapter 11 reorganization risk, credit risk, failure to match maturities risk, hurricane risk, terrorism risk, and so forth; but it is not really useful to look at general risk. When risk is discussed in conventional academic finance, the subject is almost always market risk (i.e. fluctuations in market prices). Beta, alpha, and the capital asset pricing model (CAPM) are based on market prices. We ignore market risk and focus on investment risk, especially in distress investing (i.e. the probabilities of something going wrong with the company and/or the securities issued by the company).'

As often as the word "risk" is used in the infosec profession, there is almost no consistency in how it's used. So whenever you hear someone say we should or should not do something because it's risky, ask them: what type of risk? Project risk, financial risk, availability risk, throughput risk, reputation risk, and so on. A little more clarity will go a long way toward producing a higher-resolution exchange.

Whitman again:

'For us there is no risk-reward ratio. A risk-reward ratio exists where price is in equilibrium. In that instance, risk and reward for securities are measured by two variables:
1. Quality of the issuer.
2. Terms of the issue.
The higher the quality and the more senior the terms, the less the risk and the smaller the potential for gain. Introducing price turns the risk-reward ratio on its head. The lower the price, the less the risk of loss and the greater the prospect for gain.'
You know, I used to want to fight that fight, but there really are up to 12 different definitions of risk in the dictionary (depending on which one you use).
These days, I try not to say risk, period. I qualify it with descriptors (frequency, dollar losses, a specific threat action, etc).
Posted by: Alex | December 18, 2009 at 12:02 PM
Yes, absolutely and positively. This was the point of my "BeFUDdled by Risk" post last month, in fact, and exactly the reason I took issue with a certain analyst's desire to dismiss Mac malware as being (universally) a "low risk". Context is everything.
http://www.secureconsulting.net/2009/11/befuddled_by_risk.html
Posted by: Ben | December 18, 2009 at 01:26 PM
And while we are at it, let's stop using "security" with no context.
Posted by: Robert David Graham | December 18, 2009 at 06:15 PM
Security and Risk are tools to confuse management.
Posted by: Marinus | December 29, 2009 at 10:48 AM