Risk Theory

How much security do we need? Just enough so that Security is Commensurate with Risk. What most people want when they ask for a “secure” system is one in which the level of risk is acceptable. To understand what is meant by this it is first necessary to understand the meaning of risk.

Risk (of a particular event) / Event Probability × Resulting Damage

This formula is used, with slight variations, in many fields. It is often expressed as an Annualized Loss Expectancy (ALE) in $/year. In theory, it should be easy to determine the risk of a particular type of event. All that is needed is to find out how likely it is that the event will occur and how much damage it will cause. While it is usually straightforward to estimate the impact of an incident, coming up with a figure for Event Probability is more difficult.

The probability of simple events(such as tossing a coin or rolling dice) can be determined using common mathematical principles. Real world situations are seldom this simple so this approach must be judiciously applied.