Yesterday, while speaking to a university cybersecurity class, I was accused of being pedantic when I pointed out a problem with the phrase “The risk of that impact…” Specifically, I had pointed out that what the student really meant was “The probability of that impact…” because risk, by definition, already includes impact as a component.
In their defense, nobody likes to be called out in front of others, but this was a university setting where the point is to educate. That said, were they right? Was I over-concerned about the common use of a term? After all, words like risk are often used to mean many different things.
If you and I are just having a conversation on the street about everyday things, there’s rarely a problem with using words in an inconsistent way because the context of the conversation usually makes the intent clear. However, when we’re in a professional setting discussing things like risk measurement, prioritization and clear communication, the rules change — or at least they should change.
In the 1930s, a philosopher by the name of W. V. Quine said, “The less a science is advanced, the more its terminology rests on an uncritical assumption of mutual understanding.” At the time he was speaking about mathematics, but if you look at the history of any discipline we think of today as “mature”, each went through an early stage where nobody could agree on basic principles and nomenclature. It’s an unavoidable part of the maturation process.
Will cyber risk management ever become a “true science”? That depends on how you define science, but there’s little question that it needs to become much better at measurement and communication, and you can’t reliably measure or discuss what you haven’t clearly defined. That’s an important part of what it means to be a mature discipline, and nobody should feel good about the fact that our profession doesn’t consistently use what is perhaps the most fundamental term in our professional nomenclature (after all, everything we do is intended to help manage risk). If anything, that should be a huge red flag that our profession has some growing up to do.