An essential part of risk assessment is to evaluate the “likelihood” of threats and losses. For example, NIST SP800-30 says that the purpose of risk assessment includes “inform[ing] decision makers … by identifying … the likelihood that harm will occur.” SP800-30 has a whole appendix (G) devoted to helping analysts map fuzzy English words, like “the threat is highly likely to have adverse impacts” into “semi-quantitative values” on a scale from 0 to 10 or 100. The point of all this seems to be solely to make it easy for the analyst to get some useful results out of fuzzy thinking.
To clear this up, let’s get back to basics. The dictionary says that likelihood is “the probability or chance of something.” From these clear roots of likelihood as probability, most risk-assessment methodologies immediately wander off into a weed field of qualitative verbiage.
The FAIR Approach
FAIR takes the direct approach. Rather than being distracted by the qualitative weeds, we should just accept that likelihood is a probability, and a probability is a number. Probability ranges from 0 to 1, not from 1 to 10 and certainly not from “very low” to “very high.”
In some contexts, for example Threat Event Frequency, FAIR measures “likelihood” by the expected rate of occurrence in a standard unit of time, usually a year, instead of by a probability directly. There are three good reasons for this: psychological, financial, and technical.
Where it does make sense to use a probability instead of an annual frequency is Vulnerability. Vulnerability is the probability of a Threat Event becoming a Loss Event. Threat Event Frequency (times per year) times Vulnerability (probability) equals Loss Event Frequency (times per year), which is exactly what the manager needs to know for budgeting.
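The following is an added worked example in Python; it is not code from the original post or from the FAIR standard. It computes Loss Event Frequency as Threat Event Frequency times Vulnerability, with the range checks that follow from the definitions (a rate cannot be negative, a probability must lie in [0, 1]), and then shows why an annual frequency is not itself a probability: a rate of 10 loss events per year is a perfectly good number, but the chance of at least one loss event in a year must still come out between 0 and 1. Converting a rate into that chance requires a model of how events arrive; this example assumes Poisson arrivals, which is the example's own assumption and nothing the post prescribes. The function names are the example's own, and the Monte Carlo check uses constructed inputs.

```python
"""Added example (not from the original post or the FAIR standard).

Turns FAIR's Threat Event Frequency (events per year) and Vulnerability
(a probability in [0, 1]) into Loss Event Frequency, and contrasts an annual
rate with an annual probability. The Poisson arrival model is an assumption
of this example.
"""
import math
import random


def loss_event_frequency(tef_per_year: float, vulnerability: float) -> float:
    """LEF = TEF x Vulnerability.

    TEF is a rate (times per year, >= 0, may exceed 1); Vulnerability is the
    probability that a threat event becomes a loss event (must be in [0, 1]).
    The result is again a rate, not a probability.
    """
    if tef_per_year < 0:
        raise ValueError("Threat Event Frequency is a rate and cannot be negative")
    if not 0.0 <= vulnerability <= 1.0:
        raise ValueError("Vulnerability is a probability and must lie in [0, 1]")
    return tef_per_year * vulnerability


def prob_at_least_one(rate_per_year: float) -> float:
    """Chance of at least one event in a year, given a mean annual rate.

    Assumes events arrive as a Poisson process (assumption of this example).
    The answer always lies in [0, 1], even when the rate is far above 1,
    which is the difference between a frequency and a probability.
    """
    if rate_per_year < 0:
        raise ValueError("rate cannot be negative")
    return 1.0 - math.exp(-rate_per_year)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_lef(tef_per_year: float, vulnerability: float,
                 years: int = 20_000, seed: int = 0) -> tuple[float, float]:
    """Monte Carlo cross-check of the two formulas above.

    Each simulated year draws a Poisson number of threat events (assumed
    model) and lets each one become a loss event with probability
    `vulnerability`. Returns (mean loss events per year,
    fraction of years with at least one loss event).
    """
    rng = random.Random(seed)
    total_losses = 0
    years_with_loss = 0
    for _ in range(years):
        n_threat = _poisson(rng, tef_per_year)
        losses = sum(1 for _ in range(n_threat) if rng.random() < vulnerability)
        total_losses += losses
        years_with_loss += 1 if losses > 0 else 0
    return total_losses / years, years_with_loss / years


if __name__ == "__main__":
    # Constructed inputs: 10 threat events per year, 30% of them succeed.
    tef, vuln = 10.0, 0.3
    lef = loss_event_frequency(tef, vuln)
    print(f"LEF = {tef} x {vuln} = {lef} loss events per year")
    print(f"P(at least one loss event in a year) = {prob_at_least_one(lef):.4f}")
    print(f"P(at least one threat event in a year) = {prob_at_least_one(tef):.5f}")
    mean_lef, p_any = simulate_lef(tef, vuln)
    print(f"simulated LEF = {mean_lef:.3f}, simulated P(any loss) = {p_any:.4f}")
```

The simulation and the closed-form results agree to within sampling error, which is the point: LEF of 3 per year and "95% chance of at least one loss event this year" are two different numbers describing the same situation, and only the second one is a probability. A budget is driven by the first.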
These are the reasons that FAIR sometimes uses frequencies and sometimes probabilities. As usual, FAIR guides us well through what otherwise easily becomes a muddle. “FAIR is a framework for critical thinking,” writes Jack Jones, creator of FAIR.
Room for Improvement in NIST SP800-30
So why doesn’t NIST just say “probability?” I suspect NIST is, commendably, trying to make its publications more accessible to a general readership. And I suspect the authors believe the general readership is not a little math-averse, and even more so probability-averse. However, when cheap calculators have statistical buttons for mean and standard deviation, and elementary statistics is taught in high school, we may hope that the risk management profession will quickly mature beyond probability phobia, and that uttering the “p-word” will no longer earn one icy stares in the executive suite.
Incidentally, statisticians have a specific and technical definition of “likelihood.” This is another example of how more mature professions have given rigorous meaning to ordinary words, and gotten away with it. The risk management profession can do it too, if we are determined.
“The believer is happy; the doubter is wise.” (Hungarian proverb)