Below are risk terms and accompanying definitions / explanations that I use on a daily basis. For those terms that are directly from the FAIR methodology, they will be annotated. For non-FAIR terms, I will try to add to add a hyperlink to a URL that may give a more complete explanation / definition. Please understand I am taking some liberty to dumb down some of the explanations. In general, they should be fairly accurate. I have intentionally done this so they are easy to remember as well as easy to explain. Some other definitions were pulled from investopedia.com.
Risk (short def.) – Exposure to loss.
Risk (long def.) – The probable frequency and probable magnitude of future loss. Or, the probable “loss event frequency” and “probable loss magnitude” of future loss (see definitions below).
Pure Risk – A category of risk in which loss is the only possible outcome; there is no beneficial result.
Speculative Risk – A category of risk that, when undertaken, results in an uncertain degree of gain or loss.
Operational Risk – Risk arising from execution of a company’s business functions. Or, the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events (BASEL II)
Objective Probability – The probability that an event will occur based an analysis in which each measure is based on a recorded observation, rather than a subjective estimate. Objective probabilities are a more accurate way to determine probabilities than observations based on subjective measures, such as personal estimates.
Subjective Probability – A probability derived from an individual’s personal judgment about whether a specific outcome is likely to occur. Subjective probabilities contain no formal calculations and only reflect the subject’s opinions and past experience.
Distribution – the set of possible values of a random variable, or points in a sample space, considered in terms of new theoretical or observed frequency.
Asset – Any item of economic value owned by an individual or corporation, especially that which could be converted to cash.
Peril – The direct cause of a loss.
Hazard – Anything that contributes to the frequency or severity of loss.
Threat Agent - Any agent (e.g., object, substance, human, etc.) that is capable of acting against an asset in a manner that can result in harm (FAIR term / definition).
Threat Event – Occurs when a threat agent acts against an asset (FAIR term / definition).
Threat Community (TCOMM) - A subset of the overall threat agent population that shares key characteristics (FAIR term / definition).
Loss Event Frequency (LEF) – The probable frequency, within a given timeframe, that a threat agent will inflict harm upon an asset. Threat event frequency and vulnerability factor into LEF (FAIR term / definition).
Threat Event Frequency (TEF) – The probable frequency, within a given timeframe, that a threat agent will act against an asset. Contact and action factor into TEF. (FAIR term / definition).
Contact – Occurs when a threat agent establishes a physical or virtual (e.g., network) connection to an asset (FAIR term / definition).
Action – An act taken against an asset by a threat agent. Requires first that contact occur between the asset and threat agent (FAIR term / definition).
Vulnerability (VULN) – The probability that an asset will be unable to resist the actions of a threat agent. This is a outcome of “threat capability” and “control strength” factor into vulnerability (FAIR term / definition).
Threat capability (TCAP) – The probable level of force that a threat agent is capable of applying against an asset (FAIR term / definition).
Control Strength (or, Control Resistance) (CS or CR) – The strength of a control as compared to a standard measure of force (FAIR term / definition).
Probable Loss Magnitude (PLM) – The probable magnitude of loss ($) resulting from a loss event (FAIR term / definition).
Worst Case Loss (WCL) – Worst case magnitude of loss ($) resulting from a loss event (low probability, high impact). (FAIR term / my interpretation).
Tail Risk – A term most often used by investors as well as the insurance industry. Magnitude of losses from extremely unlikely events; usually less then a 1% of occurring. Again, think high impact very low probability. Generally speaking, in a normal distribution, this would be the right side of the distribution, the area to the right of the 3rd standard deviation; often called “the tail”.
Shock Loss – A loss so devastating that it has a material effect on the underwriting results of the company. I have also heard this described as a completely unexpected significant loss.
Contributing Factors – In the context of a risk assessment, details or facts that influence or factor into risk elements. For example, an increasing trend of theft in a given zipcode could be a contributing factor for a risk assessor when determining threat event frequency.
Inherent Risk – Risk of a given scenario or condition without taking into consideration security controls.
Residual Risk – The risk of a given scenario or condition after taking into consideration security controls. Also, a term used to classify the risk remaining of a given scenario or condition after a risk mitigation action has occurred.
Risk Mitigation – The process of applying a security control that reduces the overall risk of a given scenario condition.
Assuming Risk – The act that an authorized individual performs when a decision is made not to mitigate the risk of a given scenario or condition. Essentially, the authorized person is saying they are fiscally accountable for a loss event as a result of a given risk scenario or condition.