Risk Is Better Than Uncertainty

The economist Frank Knight observed a crucial difference between two types of "risk", leading him to differentiate between RISK and UNCERTAINTY. RISK refers to cases where we have probability measurements and/or models for events, while UNCERTAINTY refers to cases where we do not know the probability of events. The methods available for managing risk in these two cases are entirely different.

With RISK we get to use expected value, expected utility, and a bunch of nice math. However, when human beings get involved because we don't have data, we can be in trouble. People are poor at estimating actual risk and can be influenced solely by language fluency. We have to work harder to get reliable results.

What the heck am I talking about, and what does that mean for Risk and Compliance? Let me explain in more detail.

Here is an example from everyday life. The Department of Motor Vehicles provides guidelines on how to operate an automobile, how to interpret signs, and what to do with all the lines painted on the road. Compliance with those guidelines allows us to manage the risk of injury and even death resulting from crashes and collisions.

In IT GRC our compliance rules and guidelines are also meant to manage risk. PCI rules prescribe, for example, how to store sensitive credit card data as well as which data are classed as sensitive. Compliance with those guidelines allows us to manage the risk of monetary loss to the credit card issuer and inconvenience to the credit card holder.

How are these examples different?

We have had many decades (working on a century) of experience with and study of automobile operational risk. There are reams of data collected across the country and world on accidents, driving habits, rules of the road, and subsequent adverse results. Insurance industry actuaries know just how various factors contribute to accident risk.

Conversely, the electronic data environment we find ourselves in today includes massive databases of personal information, including credit card numbers collected by essentially every large retailer. This environment came about over the last decade due to the explosion of internet use. We don't have a lot of data because it only just started. Consequently, we can't estimate the probability of events such as an electronic break-in.

The IT GRC field is in transition. Today we are dealing with UNCERTAINTY when we really, really want to be working with RISK because the management tools are so much better. However, there is a light at the end of the tunnel. The electronic medium that caused the situation should also help us solve the problem. We just need to keep collecting data, tracking the improvements produced through compliance, and creating new models and metrics.

Knight, F.H. (1921) Risk, Uncertainty, and Profit. Boston, MA: Hart, Schaffner & Marx; Houghton Mifflin Company

Fox, C.R., and Clemen, R.T. (2005) Subjective probability assessment in decision analysis: partition dependence and bias toward the ignorance prior. Management Science, Volume 51, #9.

Song, H., and Schwarz, N. (2009) If It's Difficult to Pronounce, It Must be Risky - Fluency, Familiarity, and Risk Perception. Psychological Science, Volume 29, #2.
