1 how people assess risks

Important is to understand, besides probabilities or the likelihood that something will happen, there are psychological factors at play when a person tries to assess a risk. For instance, a person may fear an upcoming exam but not worry about passing it with flying colors._Figure: Information security risk barometer – likelihood of events and cognitive aspects_

If you cannot see the above chart properly, please download here

Important in the above figure is that there are not just probabilities we use but also our perceptions. To illustrate, we know about a threat but how much concern does it raise regarding a just discovered vulnerability found in a Microsoft program.

Once a person has assessed the threat , one will try to figure out how risky the vulnerability is. If the vulnerability is perceived as critical then then a manager or a home-user will try to assess the potential impact. In other cases, a person may look at the impact and be scared and just take the steps to protect information or the PC against the vulnerability that represents a serious threat against the confidentiality of data.

Looking at the threat, vulnerability and impact will provide the risk assessment as outlined in the above table.

The risk assessment provides the information and insights required for the risk manager making a decision regarding the information security risk their PC, BlackBerry or information system might be exposed to. In turn, counter-measures can be implemented.

Depending upon that information, a decision will be made resulting in an action, such as patching the vulnerable software by downloading and installing the latest version of the software where the vulnerability has been eliminated.