Calculating Risk

In a recent article in Fortune magazine (part of the brand's daily tech newsletter), reporter Robert Hackett covered a session at a computer security conference where Michael Hayden, former head of the U.S. National Security Agency and the Central Intelligence Agency, laid out his formula for calculating risk:

Risk = Threat × Vulnerability × Consequence

Although Hackett notes that the equation is a little vague and will be familiar to anyone in risk management, he wrote that it still serves as a “useful shorthand for understanding the factors that expose systems to danger.” “Nudge a little here, take a little there, and it gives you a sense for how a person might best manage their defenses.”

Hayden called for stronger fortification and a reduction in vulnerabilities. “That means maintaining firewalls, perimeter barricades, software patches, and good passwords. In other words, stop the bad guys from getting in. Reduce the attack surface. Fortify,” wrote Hackett.

Hayden also said it is important to treat a breach as a given: companies should know which information needs protecting and ensure that only the right people gain access to it. “Authentication—validating identity—becomes key. What good is a wall, after all, if your adversary can open the gate from inside?” wrote Hackett.