[unisog] Risk analysis

Leigh Vincent l.vincent at ballarat.edu.au
Tue Feb 21 22:25:40 GMT 2006


But then why have it if it "Cannot Occur"?  Where then do you draw the
line of what risks you would include?  An elephant getting into the
server room would cause major problems, but will never occur??  (Not in
Australia anyway).

>>> Valdis.Kletnieks at vt.edu 02/21/06 8:16 pm >>>
On Tue, 21 Feb 2006 15:48:17 +1100, Leigh Vincent said:

> a value between 1 and 5 for Likelihood of the Risk occurring (1 being
> May never occur & 5 being Is expected to occur)

> Likelihood: 2 (Could occur at some time)

The problem is that you're using a linear scale rather than logarithmic, so you
really need to scale appropriately. (Also, a "cannot occur" value should be
zero, so when you multiply it out, the risk of something that can't happen
should be, of course, zero).

In order to make the "expected risk" come out sanely, you need do what the
insurance companies do, and work in units like "expected events/year", so when
you multiply it out, an event that is 4 times more likely will generate 4 times
as much risk of loss.

If you assign '5' to a "*will* happen this year" event, then a '2' is saying
"40% chance of happening this year" - and your data center is almost certainly
*not* seeing a 40% chance of getting hit, unless it's in the US Embassy in
Baghdad or similar.

Assuming that *all* of Australia has a 10% chance of being hit, and there's
1,000 equally likely targets, of which your data center is one, yields a
multiplier of 0.0001 rather than '2'.  Now do the numbers look more
reasonable?


