It is impossible to measure what you cannot define. This is the point at the heart of an article by Jack Jones on the topic of risk management. Jones notes that companies have historically been generally skilled at identifying control deficiencies but still lack the skill needed to properly deal with risk. This may be because the definition of risk varies across organizations:
Although we’re great at identifying control deficiencies, and we can talk all day long about the various threats we face, we have historically had a poor track record when it comes to risk. There are a number of reasons for this, but in this article I’ll focus on just one — definition. You’ve probably heard the old adage, “You can’t manage what you can’t measure.” Well, I’d add to that by saying, “You can’t measure what you haven’t defined.” The unfortunate fact is that the information security profession has been inconsistent in how it defines and uses the term “risk.” Ask a number of professionals to define the term, and you will get a variety of definitions.
Jones also mentions that some existing definitions of “risk” are simply not practical. The example definition he uses is “the effect of uncertainty on objectives.” The issue with this definition is that you must also define the words “effect”, “uncertainty”, and “objectives.” Although these are simple and common words, they can mean different things to different people.
Jones suggests thinking of risk and security in terms of loss. Loss is easy to measure, has a universal definition, and is something every organization would like to avoid. Using The Open Group’s Risk Taxonomy, which he notes is based on Factor Analysis of Information Risk (FAIR), Jones defines risk by breaking it down into the categories of loss event frequency and the magnitude of future loss.
Now that we have identified the definition of risk, it will be easier to manage in the future. Jones reminds us that this will lead to more signal and less noise when it comes to communicating risks within an organization. In short, Jones recommends following The Open Group’s Risk Taxonomy in order to limit noise and increase productivity.
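As an added illustration of that decomposition (example code, not part of Jones's article or of The Open Group's standard), the following Python snippet estimates annual loss from min/most-likely/max estimates of loss event frequency and loss magnitude per event. The scenario figures and the choice of triangular and Poisson distributions are constructed assumptions for the demonstration.

```python
import math
import random
from statistics import mean


def poisson(rng, lam):
    """Knuth's Poisson sampler: number of loss events in a year given the
    expected rate lam (loss event frequency in events per year)."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(lef, lm, trials=10_000, seed=7):
    """lef = (min, most likely, max) loss events per year;
    lm  = (min, most likely, max) loss per event in currency units.
    Each trial draws a frequency, draws how many events occur at that
    rate, then sums an independently drawn magnitude for each event.
    Returns the list of simulated annual losses (one per trial)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        rate = rng.triangular(lef[0], lef[2], lef[1])   # (low, high, mode)
        n_events = poisson(rng, rate)
        losses.append(sum(rng.triangular(lm[0], lm[2], lm[1])
                          for _ in range(n_events)))
    return losses


def summarize(losses):
    """Annualized loss expectancy (mean) plus 10th/50th/90th percentiles,
    the form in which a loss-based risk statement is usually communicated."""
    ordered = sorted(losses)
    pct = lambda p: ordered[min(len(ordered) - 1, int(p * len(ordered)))]
    return {"ale": mean(losses), "p10": pct(0.10),
            "p50": pct(0.50), "p90": pct(0.90)}


if __name__ == "__main__":
    # Constructed estimates for a hypothetical credential-theft scenario:
    # between 0.5 and 6 loss events a year (most likely 2), each costing
    # between 10k and 400k (most likely 50k).
    LEF = (0.5, 2.0, 6.0)
    LM = (10_000, 50_000, 400_000)
    print(summarize(simulate_annual_loss(LEF, LM)))
```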