05-18-2006, 10:59
Originally Posted by The Reaper
The way we do risk assessment in the Army is to compare the likelihood to the potential severity to obtain a level of risk and then in the case of higher risk activities, attempt to mitigate it.

I strongly suspect that this was a civilian industry practice we adopted, it has its pros and cons. TR
Yes, the civilian equivalent with respect to risk management uses a formula based on ALE:

ANNUAL LOSS EXPECTANCY. ALE is the foundation of risk assessment. It is what it sounds like: how much money you expect to lose per year due to some sort of security incident. Note that this is different than the raw cost of an incident (which, remember, you should always keep as a baseline). It's actually the raw cost times the probability of an event in the next year. So the ALE of a security breach that costs $1 million and has a 40 percent chance of happening is:

Incident cost X Probability of incident = ALE
$1,000,000 X 0.4 = $400,000

From a military or non-corporate setting the "incident cost" is replaced by some other measurable variable of value.

This is the simplistic version and you can get into more complex equations, but, at least it's the beginning process of evaluating risk from a scientific perspective. IMHO, risk management is another tool in the box and is a process which allows you to be better prepared to function as a result of unforeseen occurrences. However, I've seen folks get so caught up in the process they fail to see the forest. For example, the cost of measuring the process outweighs the actual cost posed by the risk.
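Worked ALE calculation, as an added example that is not part of the original post: it reproduces the post's $1,000,000 x 0.4 figure and extends it with the cost-versus-risk check the post alludes to (a control is only worth running when the ALE it removes exceeds its own annual cost). The scenario names, control names, costs and residual probabilities are constructed sample values, not data from the thread.

```python
"""Annual Loss Expectancy (ALE) with a control cost/benefit check.

Added example, not from the original post.  All figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    incident_cost: float   # raw cost of one occurrence (keep as the baseline)
    probability: float     # chance of the incident in the next year

    def ale(self) -> float:
        """ALE = incident cost x probability of incident."""
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError("probability must be between 0 and 1")
        return self.incident_cost * self.probability


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float           # what the control costs to run per year
    residual_probability: float  # incident probability once it is in place

    def net_benefit(self, s: Scenario) -> float:
        """ALE removed by the control minus the control's own annual cost.
        A negative result is the 'cure costs more than the disease' case."""
        after = Scenario(s.name, s.incident_cost, self.residual_probability)
        return s.ale() - after.ale() - self.annual_cost


def rank_by_ale(scenarios):
    """Highest expected annual loss first: where mitigation effort belongs."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


# Constructed sample scenarios (hypothetical figures).
BREACH = Scenario("data breach", 1_000_000, 0.4)   # the post's own numbers
OUTAGE = Scenario("web outage", 50_000, 0.9)
THEFT = Scenario("laptop theft", 5_000, 0.25)
# Constructed sample controls applied to the breach scenario.
CHEAP = Control("encryption + access review", 10_000, 0.2)
COSTLY = Control("full-time audit team", 500_000, 0.1)

if __name__ == "__main__":
    for s in rank_by_ale([BREACH, OUTAGE, THEFT]):
        print(f"{s.name:<14} ALE = ${s.ale():>12,.0f}")
    for c in (CHEAP, COSTLY):
        print(f"{c.name}: net benefit ${c.net_benefit(BREACH):,.0f}")
```

Running it ranks the breach first ($400,000), shows the cheap control as worth having (+$190,000 net) and the costly one as a net loss (-$200,000), which is exactly the "cost of the process outweighs the risk" trap.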
