Risk = Likelihood × Impact × 100: Calculating What You Can't Prevent (Because Prevention is a Lie Vendors Sell)
Nothing is true. Everything is permitted. Some things are probable. Risk is what's left after you've done everything you can. Perfect security doesn't exist. Zero risk is impossible. Anyone promising zero risk is selling snake oil or ignorance—possibly both. Probably both. FNORD.
Think for yourself, schmuck! Security vendors sell "prevention" (because hope sells better than reality). Reality teaches "quantitative risk analysis with informed business decision-making" (because math doesn't care about your feelings). At Hack23, risk assessment isn't annual theater—it's systematic quantitative methodology with quarterly reviews, statistical scoring, and measurable outcomes. We're paranoid, but we're paranoid with spreadsheets.
Risk assessment is honest accounting for psychonauts: What can go wrong (everything)? How likely (5-99% probability—we use actual numbers, not executive optimism)? How bad (€100-€50K+ impact—quantified in money because that's what management understands)? What are we doing about it (avoid, mitigate, transfer, accept—not "hope and pray")? Did it work (quarterly validation—hope is not a strategy)?
ILLUMINATION FOR THE PARANOID: Risk is what's left after you've done everything you can. Accepting it consciously is maturity. Ignoring it unconsciously is negligence. Quantifying it systematically is professional cybersecurity consulting. Pretending it doesn't exist is what gets you breached at 3 AM on a Saturday. Are you paranoid enough? The attackers are. FNORD.
Our approach combines quantitative scoring (Likelihood × Impact × 100—because numbers don't lie, people do) with business value alignment via our Classification Framework. Risk levels: Critical 400-600 (CEO gets paged), High 200-399 (executives actually read emails), Medium 100-199 (someone should probably look at this). Full methodology in our public Risk Assessment Methodology. No secret formulas. No proprietary magic. Just math that works whether you believe in it or not.
🧮 The Formula: Risk = Likelihood × Impact
Likelihood: How often will this happen?
Impact: How bad is it when it does?
Risk: Multiply them together.
High likelihood + low impact = annoying.
Low likelihood + high impact = catastrophic.
High likelihood + high impact = fix immediately.
CHAOS ILLUMINATION: A 1% chance of losing everything is more dangerous than a 99% chance of losing nothing. Do the math. Then do the mitigation.
🎯 The Five Risk Treatment Options
1. Avoid
Don't do the risky thing.
Stop using the vulnerable software. Don't store credit cards. Don't connect the nuclear reactor to the internet. Avoidance is absolute.
2. Mitigate
Reduce likelihood or impact.
Patch vulnerabilities (reduce likelihood). Backup data (reduce impact). Most security work is mitigation.
3. Transfer
Make it someone else's problem.
Insurance, outsourcing, contracts. Transfer doesn't eliminate risk—it shifts who pays when things break.
4. Accept
Acknowledge and document.
Some risks aren't worth fixing. Document the decision. Get executive signoff. Accept knowingly, not accidentally.
5. Ignore
Pretend it doesn't exist.
This is not a valid option. But many organizations choose it anyway. Then wonder why they got breached.
ILLUMINATION: Accepting risk consciously is strategy. Accepting risk unconsciously is negligence. Document your choices or they choose for you.
📊 The Risk Matrix: Visual Lies
Risk matrices are popular because they're visual. They're also misleading because they're oversimplified.
The Standard 5×5 Matrix:
Likelihood: Rare, Unlikely, Possible, Likely, Almost Certain
Impact: Insignificant, Minor, Moderate, Major, Catastrophic
Risk Level: Low, Medium, High, Critical
Looks authoritative. Actually subjective. "Possible" to one person is "Likely" to another. "Major impact" depends on who you ask.
Use risk matrices for communication, not precision. Actual risk requires actual numbers—probability distributions, cost estimates, and math that makes executives uncomfortable.
🔄 The Risk Assessment Cycle
- Identify - What assets? What threats? What vulnerabilities?
- Analyze - Likelihood? Impact? Risk level?
- Evaluate - Above risk appetite? Requires treatment?
- Treat - Avoid, mitigate, transfer, or accept?
- Monitor - Did it work? Did risks change?
Risk assessment isn't annual theater—it's a continuous process. New threats emerge. Old controls fail. Reassess quarterly or when significant changes occur.
📊 Our Risk Assessment Methodology
Our risk assessment methodology is public: ISMS-PUBLIC Repository | Risk Assessment Methodology
Quantitative Risk Scoring Framework:
- Risk Score = Likelihood Probability (midpoint) × Impact Score (1-6) × 100
- Likelihood Categories: Almost Certain (90%), Likely (70%), Possible (50%), Unlikely (30%), Rare (12%), Exceptional (2%)
- Impact Categories: Catastrophic (€50K+), Critical (€10K-50K), High (€1K-10K), Moderate (€500-1K), Low (€100-500), Minimal (<€100)
- Risk Levels: Critical (400-600: CEO immediate action), High (200-399: weekly review), Medium (100-199: monthly), Low (50-99: quarterly)
- Financial Analysis: SLE (Single Loss Expectancy), ARO (Annualized Rate of Occurrence), ALE (Annual Loss Expectancy = SLE × ARO)
- Review Cycle: Quarterly reviews for all risks, ad-hoc updates for significant threat changes, integration with Classification Framework
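As an added example (not Hack23's code and not taken from the ISMS-PUBLIC repository), the Python below turns the formula from "The Formula" section and the category tables above into a small scoring script and adds the SLE/ALE financial analysis. The likelihood midpoints, impact bands, level thresholds and review cadences are the ones listed above; the `Risk` class, the helper names, the constructed sample register and the choice to use the likelihood midpoint as the ARO over a one-year horizon are assumptions made for the illustration. The page names no level below a score of 50, so such scores are labelled "Below Low" here. The register is chosen to make the "visual lies" point concrete: two risks that land in the same Possible/High cell score identically while their expected annual loss differs by a factor of eight, and a rare catastrophe scores below Low yet carries a non-trivial ALE.

```python
"""Quantitative risk scoring: Risk = Likelihood (midpoint) x Impact (1-6) x 100,
plus SLE/ALE.  Added illustration; category values and thresholds follow the
page, everything else (names, register, ARO assumption) is constructed."""

from dataclasses import dataclass

# Likelihood categories and their midpoint probabilities (as listed above).
LIKELIHOOD = {
    "Almost Certain": 0.90, "Likely": 0.70, "Possible": 0.50,
    "Unlikely": 0.30, "Rare": 0.12, "Exceptional": 0.02,
}

# Impact categories and their 1-6 score (as listed above).
IMPACT_SCORE = {
    "Catastrophic": 6, "Critical": 5, "High": 4,
    "Moderate": 3, "Low": 2, "Minimal": 1,
}

# Lower euro bound of each impact band, highest first, used to map an
# estimated single loss in euros onto a category.
IMPACT_FLOOR_EUR = [
    ("Catastrophic", 50_000), ("Critical", 10_000), ("High", 1_000),
    ("Moderate", 500), ("Low", 100), ("Minimal", 0),
]

# Risk levels: (name, min score, max score, review cadence from the page).
RISK_LEVELS = [
    ("Critical", 400, 600, "CEO immediate action"),
    ("High", 200, 399, "weekly review"),
    ("Medium", 100, 199, "monthly"),
    ("Low", 50, 99, "quarterly"),
]


@dataclass
class Risk:
    """One register entry (hypothetical structure, not the page's format)."""
    name: str
    likelihood: str   # a key of LIKELIHOOD
    sle_eur: float    # Single Loss Expectancy estimated by the assessor


def impact_category(sle_eur: float) -> str:
    """Map a euro loss estimate to the impact band it falls in."""
    for name, floor in IMPACT_FLOOR_EUR:
        if sle_eur >= floor:
            return name
    return "Minimal"


def risk_score(likelihood: str, impact: str) -> int:
    """Likelihood midpoint x impact score x 100; all products are integers."""
    return round(LIKELIHOOD[likelihood] * IMPACT_SCORE[impact] * 100)


def risk_level(score: int) -> tuple[str, str]:
    """Return (level, review cadence) for a score."""
    for name, lo, hi, action in RISK_LEVELS:
        if lo <= score <= hi:
            return name, action
    # The page defines no band under 50; this label is an assumption.
    return "Below Low", "no cadence stated (assumption: track, no scheduled review)"


def annual_loss_expectancy(sle_eur: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return sle_eur * aro


def assess(risk: Risk) -> dict:
    """Score one risk and attach its expected annual loss."""
    impact = impact_category(risk.sle_eur)
    score = risk_score(risk.likelihood, impact)
    level, action = risk_level(score)
    # Assumption: the likelihood midpoint doubles as the ARO for one year.
    aro = LIKELIHOOD[risk.likelihood]
    return {"name": risk.name, "impact": impact, "score": score,
            "level": level, "action": action,
            "ale_eur": annual_loss_expectancy(risk.sle_eur, aro)}


# Constructed sample register (not real Hack23 risks).
REGISTER = [
    Risk("Laptop ransomware, small backup gap", "Possible", 1_200),
    Risk("Laptop ransomware, large backup gap", "Possible", 9_500),
    Risk("Leaked API key in public repo", "Likely", 25_000),
    Risk("Datacenter flood", "Exceptional", 120_000),
]


def main() -> None:
    for entry in map(assess, REGISTER):
        print(f"{entry['name']:<38} {entry['impact']:<13} {entry['score']:>4} "
              f"{entry['level']:<9} ALE EUR {entry['ale_eur']:>8,.0f}  {entry['action']}")


if __name__ == "__main__":
    main()
```

Running it prints one row per register entry. The two ransomware rows both score 200 (High, weekly review), yet their ALEs are €600 and €4,750; the flood row scores 12, below every named band, while its ALE is €2,400. That gap is the "1% chance of losing everything" caveat in numbers, and why the score is for prioritisation and the euro figures are for the decision.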
META-ILLUMINATION: Risk assessment without action is expensive documentation. Assessment → Treatment → Monitoring → Reassessment. The cycle never ends.
🎯 Conclusion: Accept or Act
You can't eliminate all risk. You can't prevent all attacks. You can't afford perfect security—nobody can.
Risk assessment is honest accounting. What can go wrong? How likely? How bad? What are we doing? Is it working?
Identify, analyze, evaluate, treat, monitor. Accept risk knowingly or mitigate it effectively. But don't ignore it and pretend it doesn't exist.
That's not risk management. That's negligence with extra steps.
All hail Eris! All hail Discordia!
"Think for yourself, schmuck! Question everything—especially risk assessments that show 'all risks are low' when you know that's statistically impossible. Quantify honestly or accept blind flight."
🍎 23 FNORD 5
— Hagbard Celine, Captain of the Leif Erikson
P.S. You are now in Chapel Perilous. Risk is both calculable (Likelihood × Impact × 100) and unknowable (black swans exist). Both are true. Nothing is true. Everything is permitted—but some things are expensive (€10K-€50K+ impact = Critical risk).