10.7. Incorporating Probability into Risk Mitigation
Chapter 9 presented the concept of probability and showed how it could be incorporated into process 7 of OCTAVE. The chapter then focused on the problems of estimating probability in the absence of extensive data on threats. This section revisits the concept of probability, but this time focusing on using it when making risk mitigation decisions. Specifically, it addresses issues relating to expected value.
Setting Priorities Using Expected Value
The expected value (or expected loss) for a risk is the product of the potential loss that could occur (or impact value) multiplied by its projected frequency of occurrence (or probability). The expected value is often measured in annualized loss
Get Managing Information Security Risks: The OCTAVESM Approach now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.