
New Glossary Term: Risk

Last post 06-25-2007 9:31 PM by rybolov. 7 replies.
Page 1 of 1 (8 items)
  • 05-07-2007 2:06 PM

    • ebreece
    • Top 10 Contributor
    • Joined on 04-24-2007
    • Twin Cities
    • Posts 39
    • Points 585

    New Glossary Term: Risk

    Risk: The likelihood of a threat exploiting a vulnerability and the resulting impact

     

    Example 1: How often a tornado will touch down in a neighborhood of houses not built with tornado straps resulting in the ripping off the roof

     

    Example 2: How likely a malicious hacker will write a script to exploit the latest SQL Server vulnerability resulting in the compromise of a database and release of confidential data

     

    -E
    • Post Points: 35
  • 05-10-2007 9:56 AM In reply to

    • mcurphey
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Europe
    • Posts 199
    • Points 2,130

    Re: New Glossary Term: Risk

    http://taosecurity.blogspot.com/2005/05/risk-threat-and-vulnerability-101-in.html 

    Richard Bejtlich has an excellent post on this topic. This is the big one, eh!

    So I am being totally detail-orientated (insert a less appropriate word if you want) but

    Likelihood implies (to me) probability and risk shouldn't only be quantitative. Is that a fair statement?

    How about a more generic definition like:

    The possibility of suffering harm or loss; danger.

    What does NIST say here?

     

    • Post Points: 20
  • 05-15-2007 11:31 AM In reply to

    • ebreece
    • Top 10 Contributor
    • Joined on 04-24-2007
    • Twin Cities
    • Posts 39
    • Points 585

    Re: New Glossary Term: Risk

    The problem I have encountered currently and in the past with the NIST definitions is that they blend terms together when you read through their documents, which causes a bit of confusion, even among security professionals, let alone the end users or system/data owners. So, we have had to break them down a bit so that others can understand and apply them.

    I guess we’re trying to make it a little simpler or maybe clearer than NIST.  So, I'm combining my thoughts in this thread for both Risk and Threat, because the direction I was going with Threat is based on how I define Risk.

    Therefore, we decided to define risk as basically: Risk = likelihood of a threat exploiting a vulnerability and its impact.

    Basically, what that equates to is you have risk only when you have both the likelihood of an exploitation (“threat-source” as defined by NIST) and a vulnerability.  Also, it allows you to address the likelihood a threat uses/triggers an exploitation and/or the vulnerability and its impact as part of the risk mitigation process.

    One of the underlying principles (or side effects) in this approach is that threats are not truly addressable (i.e., human, natural, and environmental threats always exist).

    Basically, after all this rambling, my point is that we need to define risk with consideration on how it relates to Threat, Vulnerability, and Impact, and then how it will be applied to the risk management process.

    mcurphey:
    Likelihood implies (to me) probability

    On a side note, likelihood implies both quantitative and qualitative to me.

    -E
    • Post Points: 35
  • 05-18-2007 8:02 AM In reply to

    • mcurphey
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Europe
    • Posts 199
    • Points 2,130

    Re: New Glossary Term: Risk

    Great post - You are dead right about likelihood. Boy I am so far behind with work. Any chance you would be interested in volunteering to update the word doc if I gave you write privileges?

    • Post Points: 20
  • 05-18-2007 10:50 AM In reply to

    • ebreece
    • Top 10 Contributor
    • Joined on 04-24-2007
    • Twin Cities
    • Posts 39
    • Points 585

    Re: New Glossary Term: Risk

    Thanks, and absolutely I would be willing to help.

    -Eric 

    -E
    • Post Points: 5
  • 05-18-2007 8:26 PM In reply to

    • dave
    • Top 25 Contributor
    • Joined on 05-08-2007
    • Europe
    • Posts 4
    • Points 80

    Re: New Glossary Term: Risk

    ebreece:
    On a side note, likelihood implies both quantitative and qualitative to me.
     

    Can you expand on this point for clarification?

    Thanks. 

    • Post Points: 20
  • 05-23-2007 11:49 AM In reply to

    • ebreece
    • Top 10 Contributor
    • Joined on 04-24-2007
    • Twin Cities
    • Posts 39
    • Points 585

    Re: New Glossary Term: Risk

    I think this goes back to my college stats classes where my prof. was very deliberate about using probability when discussing numbers and quantitative research.  Therefore, I think of probability as something that has been measured to predict future events.

    So, while probability can be used to help determine how likely an event is, or the likelihood of an event occurring, qualitative measures can also be used to help determine likelihood (e.g., maybe when measured, historical events aren't available).  An example of this would be in market research, where qualitative measures (e.g., how someone feels about a given brand, label colors, or even descriptive phrases about a product) are used to determine if someone will buy their product vs. their competitor's.

    I hope that helps clarify things.  If it did or not, I'll put together a definition for Likelihood to add to the Glossary. 

    -E
    • Post Points: 5
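The two ideas ebreece develops above (risk exists only when a threat with some likelihood meets a vulnerability, and likelihood may be expressed either as a measured probability or as a qualitative band) can be made concrete as a small risk-scoring routine. The following is an added example and is not code from the thread, the ISM-Community glossary, or any risk methodology mentioned here; the 1-5 band scales, the probability cut-offs and the sample scenarios are all constructed for illustration.

```python
"""Risk scoring: risk = likelihood of a threat exploiting a vulnerability x impact.

Likelihood may be a probability in [0, 1] or a qualitative band name; both are
mapped onto the same ordinal 1-5 scale so they can be ranked together.
Scales, cut-offs and scenarios below are constructed for this example only.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Likelihood = Union[float, str]

# Constructed qualitative scales (ordinal 1-5).
LIKELIHOOD_BANDS = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT_BANDS = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Constructed cut-offs that bucket a probability into the same 1-5 bands.
PROBABILITY_CUTOFFS = [(0.05, 1), (0.20, 2), (0.50, 3), (0.80, 4), (1.00, 5)]


def likelihood_score(likelihood: Likelihood) -> int:
    """Return an ordinal 1-5 score; 0 means the threat never materialises."""
    if isinstance(likelihood, str):
        key = likelihood.strip().lower()
        if key not in LIKELIHOOD_BANDS:
            raise ValueError(f"unknown likelihood band: {likelihood!r}")
        return LIKELIHOOD_BANDS[key]
    p = float(likelihood)
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    if p == 0.0:
        return 0
    for cutoff, score in PROBABILITY_CUTOFFS:
        if p <= cutoff:
            return score
    return 5  # not reachable: p <= 1.0 is caught by the last cut-off


def impact_score(impact: str) -> int:
    key = impact.strip().lower()
    if key not in IMPACT_BANDS:
        raise ValueError(f"unknown impact band: {impact!r}")
    return IMPACT_BANDS[key]


@dataclass(frozen=True)
class Scenario:
    name: str
    threat: Optional[str]          # None = no threat source applies
    vulnerability: Optional[str]   # None = weakness absent (e.g. patched)
    likelihood: Likelihood
    impact: str


def risk_score(s: Scenario) -> int:
    """Risk is zero unless both a threat and a vulnerability are present."""
    if not s.threat or not s.vulnerability:
        return 0
    return likelihood_score(s.likelihood) * impact_score(s.impact)


def risk_rating(score: int) -> str:
    """Constructed rating bands over the 0-25 product."""
    if score == 0:
        return "none"
    if score <= 4:
        return "low"
    if score <= 9:
        return "medium"
    if score <= 15:
        return "high"
    return "critical"


def rank_scenarios(scenarios: List[Scenario]) -> List[Tuple[str, int, str]]:
    rows = [(s.name, risk_score(s), risk_rating(risk_score(s))) for s in scenarios]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample register, echoing the two examples in the first post.
SAMPLE_SCENARIOS = [
    Scenario("Tornado strikes houses without tornado straps", "tornado",
             "roof not strapped", 0.02, "major"),          # quantitative likelihood
    Scenario("Unpatched SQL Server, exploit script in the wild", "malicious hacker",
             "unpatched SQL Server flaw", "likely", "severe"),  # qualitative likelihood
    Scenario("Patched SQL Server, same threat", "malicious hacker",
             None, "likely", "severe"),                    # vulnerability removed -> no risk
]

if __name__ == "__main__":
    for name, score, rating in rank_scenarios(SAMPLE_SCENARIOS):
        print(f"{name:50} {score:3d}  {rating}")
```

The design point worth noticing is that mitigation can act on either factor: lowering likelihood moves the ordinal score, while removing the vulnerability drives the score to zero regardless of how likely the threat is, which is the "threats always exist, vulnerabilities are what you address" position taken above.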
  • 06-25-2007 9:31 PM In reply to

    • rybolov
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Washington, DC
    • Posts 149
    • Points 910

    Re: New Glossary Term: Risk

    ebreece:

    Risk: The likelihood of a threat exploiting a vulnerability and the resulting impact

     

    This is the definition I'm using for the Practical Risk Assessment Methodology. =)

    "Those who do not understand Unix are condemned to reinvent it, poorly."
    --Henry Spencer
    • Post Points: 5
All Rights Reserved - The ISM-Community
Powered by Community Server (Commercial Edition), by Telligent Systems