An example of risk not being a point

I’ve written before about not regarding uncertainty and risk as things with a single probability and a single measure of impact. I called these “point risks”, as such a fictitious event sits at a single point on a chart.

Now I’m happy to learn that a paper entitled “Cost of Data Breach Study”, by Ponemon Institute and sponsored by IBM, has presented a similar finding. They interviewed more than 2,200 people from 447 companies with recent experience of a data breach. As the title suggests, the goal was to understand the costs involved and what influences them. Their model for costing a breach is worth a look for anyone interested in decision making in this area. But for now I’m interested in their use of probabilities and impact.

Their chart on page 31 shows they are well aware that a breach with a smaller impact is much more likely than a breach with a much larger impact. The picture below is my rough reworking of it; you can download the full report for the details. Here they are compiling, from their interviews, estimates of the probability of a breach within the next 24 months at each of several impact levels, rather than a single probability for “a breach”.

If you were asked about the likelihood of a data breach within some given period, or of some other event, how would you respond? Now that an authority is using ranges of probabilities and impacts, perhaps it is easier to give a fuller, and more realistic, reply: not one probability and one impact, but a probability for each level of impact you care about.
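One concrete way to give that fuller reply is to state the risk as a curve of “probability of at least one breach costing X or more within 24 months” for a range of X, and to compare it with the single “point risk” that the same assumptions would collapse to. The code below is an added illustration and is not from the Ponemon report or from Norman Marks; it does not reproduce their chart or their costing model. It assumes a simple, commonly used model (breaches arrive as a Poisson process; the cost of each breach is lognormally distributed) with constructed parameters chosen for illustration only, and it checks the closed-form curve against a Monte Carlo simulation.

```python
"""Express a data-breach risk as an exceedance curve (impact threshold -> probability)
instead of a single (probability, impact) point.

Added example with a constructed model; the parameters below are illustrative
assumptions, not figures from the Ponemon / IBM "Cost of Data Breach Study".
"""
import math
import random

# --- Assumed model parameters (constructed for illustration) ------------------------
BREACHES_PER_YEAR = 0.15                 # Poisson rate of breach events per year
LOG_MEDIAN_COST = math.log(1_500_000)    # lognormal severity: median cost per breach (USD)
LOG_SIGMA = 1.2                          # lognormal dispersion of the cost per breach
HORIZON_YEARS = 2.0                      # "within the next 24 months"


def severity_exceeds(threshold):
    """P(cost of a single breach >= threshold) under the lognormal severity model."""
    z = (math.log(threshold) - LOG_MEDIAN_COST) / (LOG_SIGMA * math.sqrt(2.0))
    return 0.5 * math.erfc(z)


def prob_breach_at_least(threshold, rate=BREACHES_PER_YEAR, horizon=HORIZON_YEARS):
    """P(at least one breach costing >= threshold within `horizon` years).

    Breaches form a Poisson process with rate `rate`; keeping only those whose cost
    reaches the threshold thins it to a Poisson process with rate
    rate * P(cost >= threshold), so P(none) = exp(-rate * horizon * P(cost >= threshold)).
    """
    return 1.0 - math.exp(-rate * horizon * severity_exceeds(threshold))


def exceedance_curve(thresholds):
    """The 'not a point' answer: one probability per impact level, as (threshold, p) pairs."""
    return [(t, prob_breach_at_least(t)) for t in thresholds]


def point_risk(rate=BREACHES_PER_YEAR, horizon=HORIZON_YEARS):
    """The 'point risk' the post argues against: a single probability of 'a breach'
    and a single expected cost, which together hide the whole shape of the curve."""
    p_any_breach = 1.0 - math.exp(-rate * horizon)
    mean_cost = math.exp(LOG_MEDIAN_COST + LOG_SIGMA ** 2 / 2.0)  # lognormal mean
    return p_any_breach, mean_cost


def _poisson(rng, lam):
    """Knuth's Poisson sampler (fine for the small rates used here)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_curve(thresholds, trials=20_000, seed=1):
    """Monte Carlo check of exceedance_curve(): simulate the 24-month window `trials`
    times and count how often the worst breach in the window reaches each threshold."""
    rng = random.Random(seed)
    hits = {t: 0 for t in thresholds}
    for _ in range(trials):
        n_breaches = _poisson(rng, BREACHES_PER_YEAR * HORIZON_YEARS)
        worst = max((rng.lognormvariate(LOG_MEDIAN_COST, LOG_SIGMA)
                     for _ in range(n_breaches)), default=0.0)
        for t in thresholds:
            if worst >= t:
                hits[t] += 1
    return {t: hits[t] / trials for t in thresholds}


if __name__ == "__main__":
    thresholds = [100_000, 1_000_000, 10_000_000, 100_000_000]
    p_any, mean_cost = point_risk()
    print(f"point risk: P(any breach in 24 months) = {p_any:.3f}, mean cost = ${mean_cost:,.0f}")
    sim = simulate_curve(thresholds)
    for t, p in exceedance_curve(thresholds):
        print(f"P(breach costing >= ${t:>11,} in 24 months) = {p:.4f}  (simulated {sim[t]:.4f})")
```

Running the script prints one row per impact level, with the probability falling as the threshold rises, alongside the single point estimate that would otherwise be reported. Swap in your own rate and cost assumptions; the point of the exercise is that any one row, on its own, is the misleading “point risk”.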

A hat tip, meanwhile, to Norman Marks, from whose blog I picked this up. Happily, he also uses the word “point” to describe those misleading and unhelpful so-called risks that are just a single probability and impact.