Saturday, May 16, 2009

Measuring Risk

Before we get too far into a discussion of security, we should talk about measuring risk. Risk Analysis is a term you hear often in business and IT circles. But do you realize that Risk Analysis is a process that you follow in your daily life?

First you have to understand what constitutes risk. Risk normally comes from some sort of threat or danger. A good example is the threat of a flood to your house. Next you have to determine how likely this is to occur in your neighborhood. This is called the probability of occurrence. Let’s say, in this example, that your house is on a hill. Being on a hill means a flood in your neighborhood is improbable.

Back to the house: now you have to look at what the possible damage would be. This is termed severity. While a flood would be devastating, it most likely would not totally destroy your house or cause a loss of life. So we can classify the severity of a flood as high, but not extreme. Generally speaking, combining an improbable occurrence with a high severity, you might then think of this as a medium risk.

Once we have the overall risk to us, we have to decide how much we are willing to accept. In this case, you could say that you are willing to accept a medium risk. If you couldn’t sleep at night because of flood worries, you could transfer the risk, this time to an insurance company, for a fee of course. Or you could avoid the risk by moving to someplace like Arizona.

Another way to manage risk is to mitigate it. You try to reduce either its severity or its probability. For example, hopefully when you ride a bicycle you wear a helmet. You are reducing the severity of an accident in case you are hit. To reduce the probability of a bicycle accident you might wear a fluorescent band so that drivers can see you.

You are probably saying that while this is all well and good, you don’t practice it in your life. But you do. Take your children for instance. You would not leave a young child alone on the sidewalk by a busy street. The probability of them running out into the street is high. If they were hit, the severity would be extreme. When your children get older, you don’t have as much risk. The severity is still extreme, but the chance of them running in front of a car is much lower, hence lower risk.

As we live our lives, we should incorporate risk assessment and management into our daily practices. For large life events, the risk assessment needs to be a formal process. Buying a house or going on a vacation to a danger-filled place in the world should have some risk management involved. In the choices you make every day, you should look at the chance of something occurring and the severity of the consequences if it occurs. Only then can you make an informed choice.
