Risk Vernacular

Below are risk terms and accompanying definitions / explanations that I use on a daily basis. Those terms that come directly from the FAIR methodology are annotated as such. For non-FAIR terms, I will try to add a hyperlink to a URL that may give a more complete explanation / definition. Please understand I am taking some liberty to dumb down some of the explanations. In general, they should be fairly accurate. I have intentionally done this so they are easy to remember as well as easy to explain.

*****

Risk – The probable frequency and probable magnitude of future loss. Or, the probable “loss event frequency” and “probable loss magnitude” of future loss (see definitions below).

Threat Agent - Any agent (e.g., object, substance, human, etc.) that is capable of acting against an asset in a manner that can result in harm (FAIR term / definition).

Threat Event – Occurs when a threat agent acts against an asset (FAIR term / definition).

Threat Community (TCOMM) - A subset of the overall threat agent population that shares key characteristics (FAIR term / definition).

*****

Loss Event Frequency (LEF) – The probable frequency, within a given timeframe, that a threat agent will inflict harm upon an asset. Threat event frequency and vulnerability factor into LEF (FAIR term / definition).

Threat Event Frequency (TEF) – The probable frequency, within a given timeframe, that a threat agent will act against an asset. Contact and action factor into TEF. (FAIR term / definition).

Contact – Occurs when a threat agent establishes a physical or virtual (e.g., network) connection to an asset (FAIR term / definition).

Action – An act taken against an asset by a threat agent. Requires first that contact occur between the asset and threat agent (FAIR term / definition).

Vulnerability (VULN) – The probability that an asset will be unable to resist the actions of a threat agent. This is an outcome of “threat capability” compared against “control strength”; both factor into vulnerability (FAIR term / definition).

Threat capability (TCAP) – The probable level of force that a threat agent is capable of applying against an asset (FAIR term / definition).

Control Strength (or, Control Resistance) (CS or CR) – The strength of a control as compared to a standard measure of force (FAIR term / definition).

Probable Loss Magnitude (PLM) – The probable magnitude of loss ($) resulting from a loss event (FAIR term / definition).

Worst Case Loss (WCL) – Worst case magnitude of loss ($) resulting from a loss event (low probability, high impact). (FAIR term / my interpretation).

Tail Risk – A term most often used by investors as well as the insurance industry. Magnitude of losses from extremely unlikely events; usually less than a 1% chance of occurring. Again, think high impact, very low probability. Generally speaking, in a normal distribution, this would be the right side of the distribution, the area to the right of the 3rd standard deviation; often called “the tail”.

Shock Loss – A loss so devastating that it has a material effect on the underwriting results of the company. I have also heard this described as a completely unexpected significant loss.

Contributing Factors – In the context of a risk assessment, details or facts that influence or factor into risk elements. For example, an increasing trend of theft in a given zip code could be a contributing factor for a risk assessor when determining threat event frequency.

Inherent Risk – Risk of a given scenario or condition without taking into consideration security controls.

Residual Risk – The risk of a given scenario or condition after taking into consideration security controls. Also, a term used to classify the risk remaining of a given scenario or condition after a risk mitigation action has occurred.

Risk Mitigation – The process of applying a security control that reduces the overall risk of a given scenario or condition.

Assuming Risk – The act that an authorized individual performs when a decision is made not to mitigate the risk of a given scenario or condition. Essentially, the authorized person is saying they are fiscally accountable for a loss event as a result of a given risk scenario or condition.
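To show how the terms above fit together, here is a small Python roll-up I am adding as an illustration; it is not FAIR's own calculator and not part of the original glossary. It assumes vulnerability can be modelled as the share of a threat community whose TCAP exceeds the control's CS on a shared percentile scale (a simplification), rolls TEF x VULN into LEF and LEF x PLM into annualized risk, and uses a Monte Carlo of yearly losses to read off a 99th-percentile worst case (the tail); every input value is constructed.

```python
import math
import random
from statistics import mean

# Constructed inputs (not from the post): threat agent capability (TCAP) and the
# control (CS) are rated on one percentile scale; TEF is threat events per year.
TCAP_SAMPLES = [15, 30, 45, 55, 65, 75, 85, 95]
CONTROL_STRENGTH = 70
TEF_PER_YEAR = 6.0
LOSS_PER_EVENT = (5_000, 20_000, 250_000)  # (min, most likely, max) $ per loss event

def vulnerability(tcap_samples, cs):
    """VULN: share of threat agents whose TCAP exceeds CS (modelling assumption)."""
    return sum(1 for t in tcap_samples if t > cs) / len(tcap_samples)

def loss_event_frequency(tef, vuln):
    """LEF: threat events per year that actually result in harm."""
    return tef * vuln

def annualized_risk(lef, plm):
    """Risk: probable frequency x probable magnitude ($ per year)."""
    return lef * plm

def _poisson(rng, lam):
    """Knuth's method; fine for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_yearly_losses(tef, vuln, loss_range, years=20_000, seed=7):
    """Monte Carlo total loss per year; the upper percentiles show WCL / tail risk."""
    rng, (lo, likely, hi), yearly = random.Random(seed), loss_range, []
    for _ in range(years):
        # each threat event this year becomes a loss event with probability VULN
        hits = sum(1 for _ in range(_poisson(rng, tef)) if rng.random() < vuln)
        yearly.append(sum(rng.triangular(lo, hi, likely) for _ in range(hits)))
    return yearly

def assess(cs, tef=TEF_PER_YEAR, tcap=TCAP_SAMPLES, loss_range=LOSS_PER_EVENT):
    """Roll up VULN -> LEF -> risk; cs=0 gives inherent risk, cs=CS residual risk."""
    vuln = vulnerability(tcap, cs)
    lef = loss_event_frequency(tef, vuln)
    losses = sorted(simulate_yearly_losses(tef, vuln, loss_range))
    return {"vuln": vuln, "lef": lef,
            "risk": annualized_risk(lef, sum(loss_range) / 3),  # PLM = triangular mean
            "simulated_mean": mean(losses), "wcl_p99": losses[int(0.99 * len(losses))]}
```

Calling `assess(cs=0)` gives the inherent risk (no control, so every threat event is a loss event) and `assess(cs=CONTROL_STRENGTH)` the residual risk after the control; the gap between the two is what the mitigation buys, and `wcl_p99` is the loss figure a tail-risk or shock-loss discussion would start from.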

3 Responses to “Risk Vernacular”

  1. muunkky says:

    Great reference. Thanks for this.

  2. David Vose says:

    Hi Chris

    I see you read my book. I’m curious to know what you thought of it.

    Best wishes

    David

  3. [...] a nod to Chris Hayes and his risk vernacular (that may be a great starting point).  I’d like to create a reference for terminologies and [...]
