In the outdoor risk analysis space, we tend to reserve a category of risk for events where the outcome would be death or disability — the “life or limb” category. We tend to treat activities with that level of consequence differently almost regardless of the likelihood of the bad thing. For example, most people won’t free solo a climb over a certain height even if the actual climbing is well within their ability. Many won’t even attempt high-consequence fourth-class moves without ropes. I’m in this category — I turned around in my attempt on North Sister because the final traverse, despite being well within my ability technically, had a 1,000+ foot fall as a consequence, and I wasn’t willing to attempt it without ropes.
In other words, in the outdoors, we treat “low likelihood, high consequence” events as more risky (we might say “sketchy”) than “high likelihood, low consequence” events.
But we don’t seem to do the same with infosec risk — we collapse “high likelihood, low impact” and “low likelihood, high impact” into the same “medium risk” bucket. Is this a mistake? Perhaps not: I’m not sure we really have an equivalent of “life or limb” consequences. Certainly there are very few examples of a breach leading to company-ending consequences (sure, it has happened, but those situations are few and far between).