Osama Salah
Recent Posts
Risk Analysis and Worst-Case Thinking
Apr 22, 2021 8:08:35 AM / by Osama Salah posted in Member Content
The generally accepted model for risk is that it is a function of frequency (some refer to it as probability or likelihood, i.e., how often the loss event will probably occur in a given time frame) and magnitude (how bad the event will probably be, i.e., its consequences).
Second Thoughts on Secondary Loss in FAIR. What Are Your Thoughts?
Nov 4, 2019 9:43:45 AM / by Osama Salah posted in FAIR
United Arab Emirates FAIR Chapter Chair Osama Salah has been puzzling over the most effective way to use Secondary Loss (incurred by shareholders, customers, etc.) in the FAIR Model—join the discussion in the comments section of this post or on the LINK discussion board (membership required).
13 Reasons Why Heat Maps Must Die
Nov 28, 2018 12:31:20 PM / by Osama Salah posted in FAIR, Risk Management
I have posted on YouTube 13 Reasons Why Heat Maps Must Die, a presentation that I prepared for a conference. My eight-year-old daughter already commented “Amazing work, I agree.” What more validation does one need?
Heat Maps Don’t Support ISO 31000
Aug 14, 2018 12:00:00 PM / by Osama Salah posted in FAIR, Risk Management
I was recently re-reading ISO 31000 because that's what one does for fun (don't you?). Surprisingly, I noticed on a few occasions that using heat maps (or qualitative RM) appears not to align with the guidelines.
Warren Buffett's Information Security Advice
Jun 5, 2018 10:38:23 AM / by Osama Salah posted in FAIR
OK, so Warren Buffett didn't really give information security advice. He gave investment advice. Risk management's objective, which I believe is the foundation of information security, is to make good investment decisions.