[unisog] Risk analysis

Valdis.Kletnieks@vt.edu Valdis.Kletnieks at vt.edu
Tue Feb 21 09:16:41 GMT 2006


On Tue, 21 Feb 2006 15:48:17 +1100, Leigh Vincent said:

> a value between 1 and 5 for Likelihood of the Risk occurring (1 being
> May never occur & 5 being Is expected to occur)

> Likelihood: 2 (Could occur at some time)

The problem is that you're using a linear scale rather than logarithmic, so you
really need to scale appropriately. (Also, a "cannot occur" value should be
zero, so when you multiply it out, the risk of something that can't happen
should be, of course, zero).

In order to make the "expected risk" come out sanely, you need to do what the
insurance companies do, and work in units like "expected events/year", so when
you multiply it out, an event that is 4 times more likely will generate 4 times
as much risk of loss.

If you assign '5' to a "*will* happen this year" event, then a '2' is saying
"40% chance of happening this year" - and your data center is almost certainly
*not* seeing a 40% chance of getting hit, unless it's in the US Embassy in
Baghdad or similar.

Assuming that *all* of Australia has a 10% chance of being hit, and there's
1,000 equally likely targets, of which your data center is one, yields a
multiplier of 0.0001 rather than '2'.  Now do the numbers look more reasonable?

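The difference between the questionnaire's ordinal 1-5 likelihood and the "expected events/year" unit the post recommends is easiest to see by scoring a handful of scenarios both ways and ranking them. The following Python is an added example, not part of the original post or of any unisog member's code; the scenario names, dollar losses and rates are constructed, and the only figures taken from the post are the 10% country-wide probability spread over 1,000 equally likely targets.

```python
"""Ordinal 1-5 likelihood scores versus annualised rates, as risk multipliers."""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Scenario:
    name: str
    ordinal_likelihood: int   # 1-5 score from a questionnaire-style assessment
    events_per_year: float    # annualised rate, the unit the post argues for
    loss_per_event: float     # impact in dollars per occurrence (constructed)


def per_site_rate(country_probability: float, equally_likely_targets: int) -> float:
    """Spread a country-wide annual probability over N equally likely targets.

    With 10% and 1,000 targets this is the post's 0.0001 multiplier.
    """
    if equally_likely_targets <= 0:
        raise ValueError("need at least one target")
    return country_probability / equally_likely_targets


def ordinal_risk(s: Scenario) -> float:
    """The questionnaire approach: ordinal score times impact."""
    return s.ordinal_likelihood * s.loss_per_event


def expected_annual_loss(s: Scenario) -> float:
    """The insurance approach: expected events/year times loss per event."""
    return s.events_per_year * s.loss_per_event


def rank(scenarios: List[Scenario], score: Callable[[Scenario], float]) -> List[str]:
    """Scenario names ordered from highest to lowest risk under a scoring rule."""
    return [s.name for s in sorted(scenarios, key=score, reverse=True)]


# Constructed scenarios. The last one cannot occur: an honest ordinal scale
# still gives it a score of 1, but its annual rate is zero.
SCENARIOS = [
    Scenario("phishing credential theft", 4, 2.0, 20_000.0),
    Scenario("disk failure with restore from backup", 3, 0.5, 5_000.0),
    Scenario("physical attack on data centre", 2, per_site_rate(0.10, 1000), 5_000_000.0),
    Scenario("event that cannot occur", 1, 0.0, 1_000_000.0),
]


def compare_rankings() -> dict:
    """Return both rankings so the distortion of the ordinal scale is visible."""
    return {
        "ordinal": rank(SCENARIOS, ordinal_risk),
        "events_per_year": rank(SCENARIOS, expected_annual_loss),
    }


if __name__ == "__main__":
    for rule, names in compare_rankings().items():
        print(f"{rule}:")
        for n in names:
            print(f"  {n}")
```

Under the ordinal rule the physical attack and the impossible event come out as the two largest risks, because a score of 1 or 2 still multiplies a large impact into a large number; under the events/year rule the impossible event contributes exactly zero and the physical attack falls to an expected $500 a year, well below the routine phishing loss. That is the post's point: multipliers only behave when they are in units that scale with how often the thing actually happens.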