Tuesday, December 19, 2023

Threats and Risk: an introduction

Daniel Miessler has an interesting essay about threats, vulnerabilities, and risks that is worth a quick read.

He summarizes this way:
  • A Threat is a negative scenario you want to avoid
  • A Threat Actor is the agent that makes a Threat happen
  • A Vulnerability is a weakness that can be exploited in order to attack you
  • A Risk is a negative scenario you want to avoid, combined with its probability and its impact
  • The difference between a Threat and a Risk is that a Threat is a negative event by itself, whereas a Risk is the negative event combined with its probability and its impact
All good, but then what do you do about any one of them?
Begin with knowledge acquisition.
Any threat, risk, or vulnerability that can be reduced by knowing more about it is probably worth the investment: gather the available information, or run experiments, models, or simulations, and feed the resulting data into an analysis process.
Such activity applies the skills and processes of epistemology, the theory of knowledge, especially with regard to its methods, validity, and scope.
Most important for project management, "epistemology is the investigation of what distinguishes justified belief from opinion." (Oxford online dictionary)

To carry it a bit further, risks, threats, and vulnerabilities of this kind, the ones that shrink as you learn more about them, are often called epistemic risks.

Truly random effects
If your knowledge study convinces you that more knowledge won't improve the mitigation, then you are in the realm of random (aleatory) effects, which are largely unpredictable -- that is, random -- within certain boundaries.

There are two major categories of such randomness that project managers deal with:
  1. The central tendency type of randomness, wherein random effects cluster around a central figure and outliers fall off and away from it. This gives the so-called "bell curve", which is usually not a perfect bell, but the centrality is nonetheless evident in the data.
  2. The "power law" type of randomness, wherein random effects are "one-sided" and their frequency falls off roughly as a fixed power of the distance from the main lobe, much more slowly than a bell curve does. The Pareto distribution is a familiar example, as is the "80-20" rule.
The best way to identify which of these two phenomena -- central clustering or power law -- describes your situation is experimentation, observation, simulation, and modelling: develop data and then determine the "fit".
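As an added illustration of that "fit" step (this is example code written for this page, not the post's own material), the script below generates two constructed data sets, one bell-shaped and one Pareto, and applies two checks to tell them apart: the share of the total carried by the top 20% of observations (the "80-20" view) and a Hill estimate of the tail index, which comes out small and stable for a power-law tail and very large for a bell-curve tail. The names GAUSS_SAMPLE, PARETO_SAMPLE, hill_tail_index, top_share and classify, and the cutoff of 4.0 used to label a tail as power-law, are my own assumptions, not anything the post defines.

```python
import math
import random
from statistics import mean

# Constructed sample data (assumption, not from the page): two synthetic
# observation sets standing in for e.g. task durations or days a finding stays open.
_rng = random.Random(20231219)
GAUSS_SAMPLE = [_rng.gauss(100.0, 10.0) for _ in range(5000)]   # central tendency
PARETO_SAMPLE = [_rng.paretovariate(2.5) for _ in range(5000)]  # power law, alpha = 2.5


def hill_tail_index(samples, k):
    """Hill estimator of the tail index alpha, assuming P(X > x) ~ x**(-alpha)
    in the upper tail, computed from the k largest positive observations.

    A genuine power-law tail gives a small, stable alpha (roughly 1 to 3 in
    practice). A bell-curve tail decays far faster, so the estimate is much larger.
    """
    xs = sorted((x for x in samples if x > 0), reverse=True)
    if not 0 < k < len(xs):
        raise ValueError("k must be between 1 and the number of positive samples - 1")
    log_threshold = math.log(xs[k])            # (k+1)-th largest value
    excess = sum(math.log(x) - log_threshold for x in xs[:k])
    if excess == 0.0:                          # all top values tied: no tail to measure
        return math.inf
    return k / excess


def top_share(samples, frac=0.2):
    """Share of the total contributed by the largest `frac` of observations.

    The "80-20" picture means a frac of 0.2 carrying close to 0.8 of the total;
    a bell curve with a modest spread stays near 0.2 to 0.25.
    """
    xs = sorted(samples, reverse=True)
    top = xs[: max(1, int(len(xs) * frac))]
    return sum(top) / sum(xs)


def classify(samples, k=200, power_law_cutoff=4.0):
    """Rule-of-thumb label (assumed cutoff, not from the page): a Hill tail index
    below the cutoff is treated as power-law, anything above as central tendency."""
    alpha = hill_tail_index(samples, k)
    return "power-law" if alpha < power_law_cutoff else "central-tendency"


if __name__ == "__main__":
    for name, data in (("bell curve", GAUSS_SAMPLE), ("pareto 2.5", PARETO_SAMPLE)):
        print(f"{name:10s} mean={mean(data):8.2f} "
              f"top-20% share={top_share(data):.2f} "
              f"hill alpha={hill_tail_index(data, 200):7.2f} -> {classify(data)}")
```

The Hill estimate depends on how many top-order statistics k you use; on real data, plot it against a range of k and look for a plateau before trusting a single number, and remember that a tail index near or below 2 means the sample variance never settles down, which is exactly why averages of power-law quantities mislead a project plan.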
