The most general way to define risk I can come up with is the ‘chance of misfortune.’ Risk exists in every field and industry, and each of them defines it in its own terms, usually in terms of uncertainty or probability.

In other words, risk can be defined as an uncertain event that, if it occurs, causes ill effects. From a security perspective, risk is the probability of a threat succeeding in exploiting a defined vulnerability, weighed against the impact if it does.

Qualitative risk analysis expresses risk in raw form, as the big picture, usually by comparison and scope, without attaching metrics. It mainly involves identifying risks, the reason they exist, how likely they are to occur and what their impact would be if they succeed; it defines the source of the risk, the asset at stake and the scope the risk tends to affect. Quantitative risk analysis follows the same steps but assigns computable values to impact and probability, so that threats, vulnerabilities and assets can be differentiated at a finer level of granularity.

In my forensic class I researched the Adylkuzz malware, which is a by-product of the NSA being infiltrated by the Shadow Brokers, who stole tools developed by the NSA. The risk of keeping or developing such tools and maintaining them in secret is quite different from any other risk an organization faces.
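To make the difference concrete, here is an added example (my code, not from the original post) that rates two constructed risks both ways: an ordinal low/medium/high matrix, and an annualized loss expectancy (ALE = SLE × ARO, the standard quantitative model). The asset values, exposure factors, occurrence rates and band thresholds are assumptions chosen for illustration; the point is that two risks landing in the same qualitative cell can differ several-fold in expected annual loss, which is exactly the extra granularity the quantitative approach buys.

```python
"""Added example, not from the original post: the same two risks rated
qualitatively (ordinal low/medium/high) and quantitatively (annualized
loss expectancy, ALE = SLE x ARO, the standard quantitative model).
The asset values, exposure factors, rates and band thresholds below are
constructed assumptions for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # USD value of the asset at stake (assumed)
    exposure_factor: float  # fraction of the asset lost per incident, 0..1
    aro: float              # annualized rate of occurrence (incidents/year)

    def sle(self) -> float:
        """Single loss expectancy: what one occurrence costs."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE scaled by expected frequency."""
        return self.sle() * self.aro


def likelihood_band(aro: float) -> str:
    """Map a frequency to an ordinal label (thresholds are assumptions)."""
    if aro < 0.1:
        return "low"
    if aro < 1.0:
        return "medium"
    return "high"


def impact_band(sle: float) -> str:
    """Map a single-loss amount to an ordinal label (thresholds assumed)."""
    if sle < 10_000:
        return "low"
    if sle < 100_000:
        return "medium"
    return "high"


def qualitative_rating(likelihood: str, impact: str) -> str:
    """3x3 risk matrix: multiply ordinal scores, then bucket the product."""
    scale = {"low": 1, "medium": 2, "high": 3}
    score = scale[likelihood] * scale[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def rate_qualitatively(risk: Risk) -> str:
    """Qualitative verdict for a risk, derived from its bands only."""
    return qualitative_rating(likelihood_band(risk.aro), impact_band(risk.sle()))


def control_is_worthwhile(risk: Risk, aro_after: float, annual_cost: float) -> bool:
    """A control pays for itself when the ALE it removes exceeds its cost."""
    residual = Risk(risk.name, risk.asset_value, risk.exposure_factor, aro_after)
    return (risk.ale() - residual.ale()) > annual_cost


# Constructed risks: same qualitative cell, very different dollar exposure.
RANSOMWARE = Risk("ransomware on file server", 1_000_000, 0.6, 0.5)
STOLEN_LAPTOP = Risk("unencrypted laptop stolen", 150_000, 1.0, 0.5)

if __name__ == "__main__":
    for r in (RANSOMWARE, STOLEN_LAPTOP):
        print(f"{r.name}: qualitative={rate_qualitatively(r)}, "
              f"SLE={r.sle():,.0f}, ALE={r.ale():,.0f}")
    # Assumed control: offline backups cut the ransomware ARO to 0.1 for 50,000/year.
    print("backups worthwhile:", control_is_worthwhile(RANSOMWARE, 0.1, 50_000))
```

Both constructed risks come out "high" on the matrix, yet the ransomware ALE is four times the laptop ALE, and only the quantitative figure lets you compare a control's annual cost against the loss it prevents.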

A cyber attack’s scope is close to infinite: a single compromised system or server can bring down an organization, affecting all the actors it works with, its internal divisions and every individual part of it. Moreover, the organization may hold information or assets belonging to third parties, which are affected too. I can think of two cyber attacks that illustrate this. 1. NotPetya, which hit Moller-Maersk (MAERSKb.CO). Maersk’s eight business units, ranging from ports to logistics to oil drilling, operated in 130 countries with 76 ports and more than 800 seafaring vessels, including container ships carrying tens of millions of tons of cargo around the globe and representing a massive one-fifth of the world’s shipping capacity; NotPetya shattered this, causing an IT breakdown at global scale.

And 2. The most important and crucial of all was the result of America’s largest and most secretive intelligence agency, the NSA, being infiltrated by the ‘Shadow Brokers,’ a hacker group that stole zero-day exploits that could tear down almost half of the computers in the world at that time. The leak led to some of the world’s largest cyber-attacks: ‘WannaCry,’ ‘Petya,’ ‘NotPetya,’ ‘Adylkuzz’ and many others.

Either of these attacks could easily cause losses in the billions of US dollars on its own (Wired put NotPetya’s total damage at more than 10 billion).

Risk management calculations are based on subjective and objective probability estimates.

Objective probability is based on justifiable, quantifiable values, obtained from past events or calculated for current or future chances of occurrence.

Risk management calculations based on subjective probability estimates, on the other hand, cannot be justified in the same way: there is no evidence to support their accuracy, and they often depend on how desirable or undesirable the person finds the action. For example, the willingness to take, deal with or live with a risk under a subjective estimate depends mainly on the risk-taker’s mindset, because the probability of success or failure following the decision or action cannot be determined.

The most interesting part is the similarity, or connection, between them. An objective probability estimate without proper proof or support can in some cases be treated as a subjective one. For example, consider a postal service with a history of never being late. The risk of late delivery can be estimated objectively from that history, but the value rests on subjective inputs: it depends on many factors, such as the driver, the vehicle, traffic, riots or natural calamities, which are not quantifiable. In this case a customer takes their chances based on what we call a subjective probability estimate.

“An objective risk measure utilizes a set of objective probability values and an individual, in deciding whether to take a certain course of action, often may subjectively consider the probability of success and failure of that action.”

Applied to risk management, the line above says that an accurate, objective risk measure interacts with the individual’s subjective assessment of the future outcome rather than replacing it.

Subjective and objective estimates have their differences; however, I try to establish a similarity or connection between them. In airplane chess, the same problem is calculated both subjectively and objectively. Consider the claim that the chance of rolling a 6 is 1/12: without strong support for it, it is a subjective estimate. If you have observed that pattern over a very long period of time and in different scenarios as well, or have something else that makes the statement true, I think we can consider it an objective estimate. The same holds in security risk management. If an organization constantly observes a pattern of incoming threats over a period of time, such as port scanning or an IPS detecting intrusion patterns, we might raise the estimated probability of a vulnerability being exploited even when no actual threat has materialized. If there is confirmation that these detections are not false positives, the estimate becomes an objective one; otherwise we treat it as a subjective risk estimate.
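The dice claim and the IDS pattern are the same problem, so one added example (my code, not from the original post) serves both: start from a subjective prior, count only the observations that have been confirmed, and watch the estimate become data-driven as evidence accumulates. A Beta prior updated with Bernoulli outcomes is the standard model for this and is my choice, not something the post prescribes; the IDS log lines, the analyst priors and the 30-observation threshold below are constructed assumptions.

```python
"""Added example, not from the original post: how an estimate moves from
subjective to objective as confirmed observations accumulate. A Beta prior
updated with Bernoulli outcomes is the standard model for this (my choice,
not something the post prescribes); the IDS log lines, the analyst priors
and the observation threshold are constructed assumptions."""
import re
from datetime import date

# Constructed IDS alerts, one per line, each with an analyst verdict.
IDS_LOG = """\
2023-03-01 02:14:07 sid=2001 src=198.51.100.7 msg="SCAN nmap SYN" verdict=confirmed
2023-03-01 09:41:30 sid=2001 src=198.51.100.9 msg="SCAN nmap SYN" verdict=false_positive
2023-03-02 11:02:55 sid=3002 src=203.0.113.4 msg="EXPLOIT SMB overflow attempt" verdict=confirmed
2023-03-03 23:58:01 sid=2001 src=198.51.100.7 msg="SCAN nmap SYN" verdict=unverified
2023-03-04 04:12:44 sid=3002 src=203.0.113.8 msg="EXPLOIT SMB overflow attempt" verdict=confirmed
2023-03-05 17:20:19 sid=2001 src=198.51.100.3 msg="SCAN nmap SYN" verdict=false_positive
2023-03-06 08:05:33 sid=3002 src=203.0.113.4 msg="EXPLOIT SMB overflow attempt" verdict=unverified
2023-03-07 13:47:10 sid=2001 src=198.51.100.7 msg="SCAN nmap SYN" verdict=confirmed
"""

LINE_RE = re.compile(
    r'^(?P<day>\d{4}-\d{2}-\d{2}) \S+ sid=(?P<sid>\d+) src=(?P<src>\S+) '
    r'msg="(?P<msg>[^"]*)" verdict=(?P<verdict>\w+)$'
)


def parse_alerts(text: str) -> list:
    """One dict per well-formed line; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["day"] = date.fromisoformat(rec["day"])
            alerts.append(rec)
    return alerts


def confirmed_days(alerts: list, start_iso: str, end_iso: str) -> tuple:
    """(days with >=1 confirmed alert, days observed) inside the window.
    Only analyst-confirmed alerts count as evidence; unverified and
    false_positive alerts contribute nothing, as the text requires."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    hit_days = {a["day"] for a in alerts
                if a["verdict"] == "confirmed" and start <= a["day"] <= end}
    return len(hit_days), (end - start).days + 1


def beta_update(alpha: float, beta: float, hits: int, misses: int) -> tuple:
    """Posterior Beta parameters after `hits` successes and `misses` failures."""
    return alpha + hits, beta + misses


def posterior_mean(alpha: float, beta: float) -> float:
    """Point estimate of the success probability under Beta(alpha, beta)."""
    return alpha / (alpha + beta)


def estimate_kind(observations: int, min_observations: int = 30) -> str:
    """Label the basis of an estimate: objective only once it rests on
    enough confirmed observations (the threshold is an assumption)."""
    return "objective" if observations >= min_observations else "subjective"


if __name__ == "__main__":
    alerts = parse_alerts(IDS_LOG)
    hits, n_days = confirmed_days(alerts, "2023-03-01", "2023-03-07")
    # Analyst's subjective prior: "roughly one confirmed attempt per 10 days",
    # held with the weight of about ten pseudo-observations, Beta(1, 9).
    a, b = beta_update(1, 9, hits, n_days - hits)
    print(f"daily attack probability: prior 0.100, posterior "
          f"{posterior_mean(a, b):.3f} ({estimate_kind(n_days)} after {n_days} days)")
    # The dice case from the text: a claim of 1/12 for a six, then 600 rolls
    # in which a six came up 100 times (constructed tally).
    a, b = beta_update(1, 11, 100, 500)
    print(f"P(six): claimed 0.083, after 600 rolls {posterior_mean(a, b):.3f} "
          f"({estimate_kind(600)})")
```

Seven days of logs with four confirmed-attack days pull the posterior from 0.10 to about 0.29, but the estimate is still labelled subjective because the prior's weight is comparable to the evidence; 600 dice rolls swamp the 1/12 prior and land near 1/6, which is the point at which the text would call the estimate objective. Dropping the unverified alerts from the count is what keeps the objective estimate honest.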

References:

Siegfried Streufert, Objective Risk Levels and Subjective Risk Perception, Purdue University. https://apps.dtic.mil/dtic/tr/fulltext/u2/740812.pdf

Risk (thisMatter). https://thismatter.com/money/insurance/risk.htm

Risk: Objective or subjective, facts or values. https://www.researchgate.net/publication/271752686_Risk_Objective_or_subjective_facts_or_values

Andy Greenberg, The Untold Story of NotPetya, the Most Devastating Cyberattack in History, Wired. https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

The 10 Most Expensive Data Breaches in Corporate History

Risk definition (Stakeholdermap). https://www.stakeholdermap.com/risk/risk-definition.html

Terje Aven, On how to define, understand and describe risk. https://www.sciencedirect.com/science/article/pii/S095183201000027X

Biggest cyber attacks and their cost for the global economy (technology.org). https://www.technology.org/2019/07/17/biggest-cyber-attacks-and-their-cost-for-the-global-economy/