2

How can historical events be leveraged in terms of a risk assessment? I know you could, for instance, look at malware infections over the past x months to perform a better estimation of your malware infection likelihood and impact (even though you can't actually completely rely on it as there are still uncertainties).

I was wondering if there are more categories or examples where historical events are used to perform a more effective risk assessment?

Lucas Kauffman
  • Every risk assessment should be informed by history. There is no reliable way to estimate probability or impact without recourse to history. – MCW Mar 19 '15 at 13:30
  • Yes, that's what the question establishes, I need to know which categories can be defined of historical events in regard to a risk assessment. – Lucas Kauffman Mar 19 '15 at 15:17

1 Answer

1

I'm not sure I fully understand your question or what you mean by categories.

Normally, you start your risk assessment with a basic analysis to identify the risks. You then need to determine the likelihood and consequences for those risks. Any available information can help, both historical and otherwise. The objective is to understand the risk so that you can estimate what both the likelihood and consequence may be.

Historical data which is often relevant includes previous events within the environment, events which have occurred in similar environments for others working in the same or similar field, historical data from insurers, any historical data relating to the identified risk etc.

Historical data is often seen as important for assessing likelihood, but it can also be important for assessing consequences. For example, historical data from insurers regarding factory fires may tell you that in 80% of cases, factory fires result in 60% of the building and plant infrastructure being destroyed - this can help assess the likely consequence should a fire occur in your factory, which in turn helps identify the potential loss, which in turn helps identify what level of controls are appropriate and associated investment etc.

Similarly, historical data on the number of small businesses which survive a major data breach can tell you what the consequences are likely to be, or historical data on the frequency of such breaches in businesses with fewer than X employees could help assess the likelihood.

If the historical data can help assess likelihood or consequence, then it is of value. If it can't then perhaps it isn't. However, more often than not, the limitation is not with the data, but with the ability of the person doing the assessment to see how the data can be of value.

Tim X
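As an added example (not part of the question or the answer above), here is one way to turn a history of malware infections into a likelihood estimate that carries its uncertainty with it, and then into a loss range. The monthly counts and the cost per incident are constructed sample values, and the code assumes infections arrive independently at a roughly constant rate (a Poisson model).

```python
import math

# Constructed sample data: malware infections detected per month, last 12 months.
MONTHLY_INFECTIONS = [3, 1, 0, 2, 4, 1, 0, 0, 2, 1, 3, 1]

def poisson_cdf(k, mu):
    """P(X <= k) for X ~ Poisson(mu)."""
    if k < 0:
        return 0.0
    term = total = math.exp(-mu)
    for i in range(1, k + 1):
        term *= mu / i
        total += term
    return total

def _solve(f, lo, hi):
    """Bisection for the root of a decreasing function f on [lo, hi]."""
    for _ in range(100):
        mid = (lo + hi) / 2
        if f(mid) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def rate_interval(counts, conf=0.95):
    """Exact (Garwood) interval for events per period: (low, point, high)."""
    n, periods = sum(counts), len(counts)
    tail = (1 - conf) / 2
    limit = 2 * n + 20  # generous upper search bound for the total count
    # Lowest mean under which seeing >= n events is still plausible.
    low = 0.0 if n == 0 else _solve(
        lambda mu: poisson_cdf(n - 1, mu) - (1 - tail), 0.0, limit)
    # Highest mean under which seeing <= n events is still plausible.
    high = _solve(lambda mu: poisson_cdf(n, mu) - tail, 0.0, limit)
    return low / periods, n / periods, high / periods

def prob_at_least_one(rate):
    """Likelihood of one or more events in the next period."""
    return 1 - math.exp(-rate)

def annual_loss_range(monthly_counts, cost_per_incident, conf=0.95):
    """Annualised loss (low, point, high) from monthly counts and unit cost."""
    return tuple(round(r * 12 * cost_per_incident)
                 for r in rate_interval(monthly_counts, conf))

if __name__ == "__main__":
    low, point, high = rate_interval(MONTHLY_INFECTIONS)
    print(f"infections/month: {point:.2f} (95% interval {low:.2f} to {high:.2f})")
    print(f"P(>=1 next month): {prob_at_least_one(point):.2f}")
    print("annual loss range:", annual_loss_range(MONTHLY_INFECTIONS, 2500))
```

With only twelve months of history the interval is wide, which is the uncertainty the question refers to; adding data from similar environments or insurers narrows it only if those environments really are comparable.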