I was reminded of Jerry this morning when my colleague Jim (who hasn't yet joined the blogosphere) came to my cube after reading the "CISO is dead" entry, and excitedly started discussing risk with me. (Yes, I do work with a cool enough team that someone would be excited enough to talk about risk).
Jim brought forth the following thought: if risk is represented by "Impact X Likelyhood" (an old CISSP formulation), doesn't that suggest that Impact should equal "Risk / Likelyhood"? If so, we should know what our risk is retroactively by understanding our costs and calculating what we believed to be our likelyhood. Bill P chimed in that these are the types of discussions that we see actuaries and underwriters having - this is the way that they think.
(Note that this line of thinking works equally well for my favorite risk equation - Risk = Threat * Vulnerability * Value Lost)
Where this all got interesting is when I thought about Jerry. One of the brilliant things that Jerry taught us was to evaluate equations by the units. So, if you know that force is in kg*m/s^2, you know that force is equal to something that is kilograms (i.e. mass) times something that is in "m/s^2" (acceleration). Which got me wondering...
What are the units of risk?
Whether you measure it as "Impact * Likelyhood" or as "Vulnerability * Threat * Value Lost", the units have to be the same. It seems obvious that "Impact" and "Value Lost" are equivalent and have a unit of $$... if so, what are the appropriate units for discussing Vulnerability and Threat? Or Likelyhood?