Risk Management - measuring all components of the equation
OK, just like when you start talking about the Relativity Theory and mention E=mc^2, we always mention RISK = Impact x Probability when talking about Risk management. And it's interesting to see how the Probability is measured. A good thread on this subject is here.
People usually calculate the probability by looking at what can be done with an specific vulnerability. However, threats need to be considered too. How many people are out there with Motives, Means and Opportunites (MMO) to explore that vulnerability?
It's interesting to see that most companies are evaluating their enviroments to check how exposed they are to specific vulnerabilities, but they are not checking in a reliable way the threat levels related to their business. Perhaps banks are the kind of companies that are closer on doing that properly, but the others seem to be a little behind.
Two things make this matter interesting for me. One is that there aren't many choices in the market if you choose to hire someone to aid you about it. The second is that too few think that they need to worry about it. What people are using out there to calculate their exposure to certain kinds of threats? Are they doing that at all? It would nice to hear from those that are doing something about it.