
The definition of risk is sometimes opportunistically given as whichever one best fits one's goals. For instance, if the goal is to analyze effects of uncertainty and volatility, risk is often defined regardless of the sign of the outcome (i.e., gain or loss); the same holds when the scenario is a zero-sum game where a certain risky prospect could be a loss for some parties and a gain for others. Finance is the reference in this case. In other contexts, instead, scholars and analysts have marked a difference between risks and opportunities, the former implying negative outcomes or losses, the latter positive outcomes or gains. It is typical of computer science and information security to refer to risks as strictly negative uncertain outcomes such as system failures, disconnections, malfunctioning, programming errors, hacker attacks, or sabotage. Traditional models of decision under risk, such as Von Neumann and Morgenstern's Model of Expected Utility [3], in the 1940s, did not consider losses or negative outcomes, given that they leave the party in charge of a decision worse off than just doing nothing. On the contrary, Kahneman and Tversky's Prospect Theory, in the 1970s, introduced relative gains or losses with respect to a reference point [4].

8.3.1 Definitions in Information Technology Standards

More recently, and more specifically for information technologies, we can find relevant examples of different definitions of risk in widely known and applied standards like the ones released by ISO/IEC and the U.S. National Institute of Standards and Technology (NIST). NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, of 2011 defines risk as: “A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occur-

Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, of 2012 [6]. Both standards define information security risk as: “The risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems.”

It is interesting to consider how those definitions changed in 10 years. In fact, the first release of NIST Special Publication 800-30 of 2002 [7] treats risk and IT-related risk as synonyms, and the latter is defined as: “The net mission impact considering (1) the probability that a particular threat source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and (2) the resulting impact if this should occur. IT-related risks arise from legal liability or mission loss due to: (1) Unauthorized (malicious or accidental) disclosure, modification, or destruction of information; (2) Unintentional errors and omissions; (3) IT disruptions due to natural or man-made disasters; and (4) Failure to exercise due care and diligence in the implementation and operation of the IT system.” The definition of information security risk was not given in 2002.

Even from such a quick syntactic analysis, we can observe how in 10 years the definition of risk in an IT context evolved to become more elaborate, while its operational formulation stayed the same: risk is the product of the probability/likelihood of an event and the negative impact of that event. As we will see, this definition (in short, risk = likelihood × impact) is generally adopted in almost all IT-related analyses, essays, and research articles, although both in real projects and in other disciplines and industrial fields the analytical definition of risk is often different, including more parameters or more complex functional relations. Proposed frameworks for quantitative risk assessment of cloud security like QUIRC are also based on the same basic definition of risk as the combination of a probability and an impact [8].

The ISO/IEC world is not qualitatively different from the NIST case: the definition of risk evolved over the years and, in some cases, took divergent paths. Let us consider first the ISO/IEC 27001 Information Security Management standard in its first 2005 version and in the revision of 2013. In ISO/IEC 27001:2005 risk was not formally defined; the term is used often, even in other definitions (e.g., “residual risk [is] the risk remaining after risk treatment”), but it is implicitly assumed to be universally known. On the contrary, ISO/IEC 27001:2013 refers to ISO/IEC 27000:2009 [9], which formally sets the vocabulary for the whole 27000 family of ISO standards. There, risk is defined as the “combination of the probability of an event and its consequence”, which is a more straightforward and simpler definition than the NIST one, although qualitatively it is still risk = likelihood × impact (assuming the simplistic equivalence between probability and likelihood). ISO/IEC 27001:2013 explicitly refers to “risks and opportunities”; therefore, we can deduce that risk applies to negative impacts only. However, things become particularly interesting when another standard is considered: ISO/FDIS 31000:2009 [10]. This standard is not specifically tailored for information technology, but “[T]his International Standard intends to harmonize risk management processes in existing and future standards. It provides a common approach in support of standards dealing with specific risks and/or sectors, and does not replace those standards.” Hence, the ISO 31000 standard should be considered as a reference for the other risk-related ISO standards. Here is how the first paragraph of its introduction reads: “Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization’s objectives is ‘risk’.” Notably, risk here is “the effect of uncertainty” on objectives, which is a completely different definition from all the previous ones, much more in line with studies and research outside the IT field, focusing on the prevalence of uncertainty and its influence rather than providing an operational, rudimentary formula where the uncertainty is buried in just the probability/likelihood of a negative event. These are just some examples, although remarkable ones, of the heterogeneity of definitions and concepts that we should expect to find when dealing with the notion of risk.
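To make the contrast between these definitions concrete, here is an added example (not from the original text, nor from any of the cited standards) that scores one constructed set of uncertain outcomes under the likelihood × impact reading shared by NIST SP 800-30 and ISO/IEC 27000, the sign-agnostic finance reading from the opening of the section, Prospect Theory's reference-point valuation, and one possible reading of ISO 31000's "effect of uncertainty on objectives". The scenario figures, the 2.25 loss-aversion factor and the objective-based function are assumptions made for illustration.

```python
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class Outcome:
    name: str
    probability: float  # likelihood of this (mutually exclusive) outcome
    value: float        # effect in arbitrary currency units; negative = loss


# Constructed one-year scenario for an online service; figures are illustrative.
SCENARIO = [
    Outcome("ransomware incident", 0.05, -400_000),
    Outcome("cloud region outage", 0.20, -50_000),
    Outcome("misconfigured ACL leaks data", 0.10, -150_000),
    Outcome("new sales channel succeeds", 0.30, 200_000),
    Outcome("nothing notable happens", 0.35, 0),
]


def is_distribution(outcomes, tol=1e-9):
    """Sanity check: the outcomes must be exhaustive, so probabilities sum to 1."""
    return abs(sum(o.probability for o in outcomes) - 1.0) <= tol


def it_security_risk(outcomes):
    """NIST SP 800-30 / ISO 27000 reading: risk = likelihood x (negative) impact,
    summed over adverse events only; gains do not enter at all."""
    return sum(o.probability * -o.value for o in outcomes if o.value < 0)


def finance_volatility(outcomes):
    """Sign-agnostic reading (the text's finance example): dispersion of the
    outcome around its expectation, counting gains and losses alike."""
    mean = sum(o.probability * o.value for o in outcomes)
    return sqrt(sum(o.probability * (o.value - mean) ** 2 for o in outcomes))


def prospect_value(outcomes, reference, loss_aversion=2.25):
    """Prospect-theory reading: each outcome is a gain or loss relative to a
    reference point, and losses are weighted by a loss-aversion factor
    (2.25 is assumed here; it is the value commonly quoted from Tversky/Kahneman)."""
    total = 0.0
    for o in outcomes:
        rel = o.value - reference
        total += o.probability * (rel if rel >= 0 else loss_aversion * rel)
    return total


def objective_miss_probability(outcomes, target):
    """One assumed reading of ISO 31000's 'effect of uncertainty on objectives':
    how likely the organisation is to fall short of a stated objective."""
    return sum(o.probability for o in outcomes if o.value < target)
```

The same five outcomes yield an expected loss of 45,000 under the IT-security reading, a volatility of roughly 150,000 under the finance reading, a negative prospect value of 41,250 against a zero reference point, and a 35% chance of missing a break-even objective; none of these numbers is "the" risk, which is the section's point.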

Another difference in language and meaning when risk is referred to is well described by The Open Group, by considering how different specializations have developed their own view of risk: “This gap is particularly evident between business managers and their IT risk/security specialists/analysts. For example, business managers talk about impact of loss not in terms of how many servers or operational IT systems will cease to provide normal service, but rather what will be the impact of losing these normal services on the business’s capacity to continue to trade normally, measured in terms of $ value; or will the impact be a failure to satisfy applicable regulatory requirements which could force them to limit or even cease trading and perhaps become liable to heavy legal penalties” [11]. Such differences are particularly important to consider because IT risks are usually an issue for both technologists and managers, and the two categories of professionals should interact with each other (e.g., technologists providing technical analyses for managers and managers defining strategies or business priorities for technologists). Therefore, still citing The Open Group essay [11]: “[if] a business manager tends to think of a ‘threat’ as something which could result in a loss which the business cannot absorb without seriously damaging its trading position” and a technologist instead thinks of it as “[A]nything that is capable of acting in a manner resulting in harm to an asset and/or organization; for example, acts of God (weather, geological events, etc.); malicious actors; errors; failures,” then we should be aware that there is ample room for misunderstandings in the communication between the two categories.
