Risk Analysis hit the headlines this week with the publication of the UK Government’s National Security Risk Assessment. The document lists the 15 most significant threats to the UK, broken down into 3 tiers according to priority.
Unsurprisingly, media attention focused on the ‘Tier 1’ threats and, in particular, the presence of international terrorism and cybercrime next to each other. Government spokespeople from the Home Secretary down were called upon to justify how a threat to people’s lives from terrorism could be equated with the financial impact of cybercrime.
Whilst it wasn’t explained very well over the airwaves, the answer is clear if you read the Government information about the National Security Risk Assessment. In common with many other risk assessments, it is based on multiplying likelihood and impact, so it is quite feasible that the two threats – one commonplace but low impact and the other very infrequent but having very high impact – could be rated the same.
However, given the public reaction to this application of the likelihood and impact methodology, how valid is the use of the technique in other contexts?