“Attempts to assess risk without estimating frequencies and intensities are like designing a bridge without considering loads/forces. You’re not really assessing/designing, you’re only intuiting.”
- Old techniques–relative, scoring, indexing
- Old techniques–classical QRA, statistics-centric
- Weightings
- Words matter
- Data myth 1 (never say “I don’t have enough data to estimate that.”)
- Data myth 2 (statistics vs physics)
- Threat interaction
- Guidance Docs–which ones work best for what
- Complexity / Intelligent simplification
- Seduced by graphics
Mild Versus Wild Risk
Per Wikipedia (https://en.wikipedia.org/wiki/Risk_assessment), Benoit Mandelbrot distinguished between “mild” and “wild” risk and argued that risk assessment and management must be fundamentally different for the two types of risk.*
Mild risk follows normal or near-normal probability distributions, is subject to regression to the mean and the law of large numbers, and is therefore relatively predictable.
Wild risk follows fat-tailed distributions, e.g., Pareto or power-law distributions, is subject to regression to the tail (infinite mean or variance, rendering the law of large numbers invalid or ineffective), and is therefore difficult or impossible to predict.
A common error in risk assessment and management is to underestimate the wildness of risk, i.e., to assume risk is mild when in fact it is wild. According to Mandelbrot, this error must be avoided if risk assessment and management are to be valid and reliable.
*Mandelbrot, Benoit and Richard L. Hudson (2008). The (mis)Behaviour of Markets: A Fractal View of Risk, Ruin and Reward. London: Profile Books. ISBN 9781846682629.
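The mild/wild distinction above is easy to see in a simulation. The following Python block is an added illustration, not part of the original page or of Mandelbrot's work: it draws one "mild" loss series from a normal distribution (mean 10, standard deviation 2, constructed parameters) and one "wild" series from a Pareto distribution with tail index alpha = 0.5 (so the mean is infinite), then tracks the running sample mean and measures how much of the total the largest 1% of observations contribute. For the mild series the running mean settles near 10 and the top 1% carries roughly 1-2% of the total; for the wild series the running mean keeps jumping and the top 1% carries almost everything, which is what "regression to the tail" looks like in data. Function names and the parameter choices are the example's own.

```python
"""Mild vs wild risk: does the sample mean settle down as data accumulates?

Added example; distributions and parameters are constructed for illustration.
"""
import random
import statistics


def pareto_sample(alpha: float, xm: float, rng: random.Random) -> float:
    """Draw one Pareto(alpha, xm) value by inverse-CDF sampling: x = xm / U^(1/alpha).

    P(X > x) = (xm / x)^alpha. For alpha <= 1 the distribution has no finite
    mean, so the law of large numbers gives no guarantee that sample means converge.
    """
    u = rng.random()
    # rng.random() can return exactly 0.0; clamp so we never divide by zero
    u = u if u > 0.0 else 1e-12
    return xm / (u ** (1.0 / alpha))


def running_means(samples):
    """Sample mean after 1, 2, ..., n observations (the quantity the LLN is about)."""
    total = 0.0
    means = []
    for i, x in enumerate(samples, start=1):
        total += x
        means.append(total / i)
    return means


def top_share(samples, fraction=0.01):
    """Share of the grand total contributed by the largest `fraction` of observations."""
    k = max(1, int(len(samples) * fraction))
    ordered = sorted(samples, reverse=True)
    return sum(ordered[:k]) / sum(ordered)


def compare(n=20_000, seed=7):
    """Simulate a mild and a wild loss series and return the diagnostics for each."""
    rng = random.Random(seed)
    # Mild: near-normal losses, mean 10, sd 2 (constructed parameters).
    mild = [rng.gauss(10.0, 2.0) for _ in range(n)]
    # Wild: Pareto with alpha = 0.5 and scale 1; the tail is so heavy the mean is infinite.
    wild = [pareto_sample(0.5, 1.0, rng) for _ in range(n)]
    return {
        "mild_running_means": running_means(mild),
        "wild_running_means": running_means(wild),
        "mild_top1pct_share": top_share(mild),
        "wild_top1pct_share": top_share(wild),
        "mild_max_over_median": max(mild) / statistics.median(mild),
        "wild_max_over_median": max(wild) / statistics.median(wild),
    }


if __name__ == "__main__":
    r = compare()
    for label in ("mild", "wild"):
        rm = r[f"{label}_running_means"]
        print(
            f"{label}: mean@1k={rm[999]:.1f} mean@10k={rm[9999]:.1f} "
            f"mean@20k={rm[-1]:.1f} top1%share={r[f'{label}_top1pct_share']:.1%} "
            f"max/median={r[f'{label}_max_over_median']:.0f}"
        )
```

The practical point for a risk assessor: if the loss process is wild, averaging more historical data does not make the estimate converge, and a "mean annual loss" computed from a normal fit will be driven by whichever extreme happened to land in the sample. Checking the top-1% share and the max/median ratio of an empirical loss series is a cheap first test of which regime you are in before choosing a model.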