In What the Defendant Can Do Wrong,
security management expert witness Ira Somerson, BCFE, CPP, CSC, writes that “failing to preface your security plan with a risk assessment would violate standard security industry practices. If your risk assessment lacks sufficient qualitative (unscientific) or quantitative (scientific) analysis, it probably will be below a standard security industry practice.”
Risk Assessment is the art and science of identifying security vulnerabilities, measuring the likelihood that each vulnerability will occur (foreseeability), the opportunity for each to occur, measuring each event’s impact upon the organization’s assets (criticality) and prioritizing each identified vulnerability in comparison to all others (queuing).
Partial Range of Other Definitions ■ Legal: The legal definition of Risk is “…the element of uncertainty in an undertaking.”
■ Financial: “…the ultimate cost to an organization for failing to identify vulnerabilities and develop deterrent/remedial programs.”
More to follow.