Posts - Integrating the
Model in the Real

1/13/09: Audit & Risk - Seeing the Forest from the Trees

9/4/08: Security ROI

6/28/08: Boise: A
Terrorist Target?

5/10/01: FFIEC Business
Continuity Planning

4/3/08: SOX 404 Audits




Probability is the likelihood that an organization will suffer harm from the failure of a person, process or system or from an external event. Probability is a function of

  1. The Vulnerabilities in the process or asset and
  2. Threats that can capitalize on those Vulnerabilities.

In order for a loss to occur, there needs to be a weakness or defect that leads to the loss and a person or natural event that exploits the weakness. For example, if you place a hundred dollar bill on the side walk of a crowded city street and leave it unattended, it is likely the money will soon disappear. Why? Because there were no effective controls around access to the money (a Vulnerability) and there were a multitude of people (Threats) willing to take the money. Hence, there is a high likelihood of loss. Conversely, if you had placed the money in a heavy, secure safe (implemented a Control) or had left it unattended on the surface of the Moon (reduced the number of people who had access), the likelihood of loss would decrease significantly.