Hopefully few of you wasted time reading my rant Tuesday on possibility, probability, and an analyst who really got my goat. Today, instead of ranting I wanted to revisit this whole "possibility is not probability" notion, and particularly its relationship to risk and risk management. The main goal here is to put a stake in these semantic games once and for all and make some very clear points. We'll see how I do...
The problem with the overly simplified "possibility is not probability" line of argument, in a risk management context, is that it doesn't speak to key attributes of risk. At it's most fundamental, "risk" is a matter not just of the threat or vulnerability, but also of the likelihood it will be exposed, the likelihood it will be attacked, and the overall impact should it come to fruition. When we talk about risk, we have to consider all of these factors as they apply to our specific environment. You cannot take any one attribute and jump to a risk assessment generalization that applies equally to every situation or environment.
Another key problem is that, in risk management, we never really deal with events that aren't possible. In the spectrum of things we think about, everything is possible, though where that possibility sits on a 1 to 100 probability scale can vary widely. Even more importantly, there are some very real low-possibility (or low-probability, or low-frequency) events that absolutely must be considered because the potential impact is very high (e.g. natural disasters).
So this is where I find the "possibility is not probability" statement to be completely and totally wrong, especially from a risk management perspective. Whether or not an event is "probable" (i.e. probability > 50%) is not the only key factor that goes into our determination of whether or not treatment is necessary. It may not be "probable" that over half of your organization will be struck down by a pandemic, but it still bears consideration when you look at planning for remote access, spike licenses, sick leave policies, and so on (see my earlier "Embrace Murphy's Law" post).
Perhaps even more disconcerting to me is the impact of telling people to ignore low-probability threats in a blanket statement. I personally find it irresponsible and offensive. Nobody in a random external location, lacking an understanding of your context, can tell you or your organization what the right risk management decision is for a given threat or vulnerability. More egregious is trying to arbitrarily state that, because something is low-probability, it is also then "low risk." There's no way to know that; none whatsoever. Every environment is unique, and must be managed accordingly. We can categorize the severity of a given threat or vulnerability, but we absolutely cannot - with any reasonable degree of certainty or reliability - expand that categorization into an impact assessment for a given organization, which means that you cannot generalize the "risk" for a given threat or vulnerability.
This practice of declaring "risk" levels arbitrarily and generically is a trick of marketing, and a trap of the overzealous and self-important. Just as organizations have learned to assertively manage their auditors, so they must also reign in security vendors, analysts, and consultants making broad, damming claims about "risk." Letting other people tell you what your risks are independent of your unique environment is like taking career advice from a stranger based on what they heard from the Psychic Friends Network. It's so far removed from reality that, even if it sounds good, there's no way to know for sure whether or not it's useful or makes any sense in your given situation.
