{"id":286,"date":"2011-03-05T11:49:33","date_gmt":"2011-03-05T16:49:33","guid":{"rendered":"http:\/\/rud.is\/b\/?p=286"},"modified":"2017-03-27T09:39:26","modified_gmt":"2017-03-27T14:39:26","slug":"micropwns-risk-microprobabilities-for-infosec","status":"publish","type":"post","link":"https:\/\/rud.is\/b\/2011\/03\/05\/micropwns-risk-microprobabilities-for-infosec\/","title":{"rendered":"Micropwns :: Risk Microprobabilities for Infosec?"},"content":{"rendered":"
NOTE<\/b>: This is a re-post from a topic I started on the SecurityMetrics<\/span> & SIRA <\/span>mailing lists. Wanted to broaden the discussion to anyone not on those (and, why aren’t<\/i> you on them?)<\/div>\n

I had not heard the term micromort prior to listening to David Spiegelhalter’s Do Lecture<\/span> and the concept of it really stuck in my (albeit thick) head all week. <\/p>\n

I didn’t grab the paper yet, but the abstract for “Microrisks for Medical Decision Analysis<\/a><\/i>” seems to be able to extrapolate directly to the risks we face in infosec:<\/p>\n

“Many would agree on the need to inform patients about the risks of medical conditions or treatments and to consider those risks in making medical decisions. The question is how to describe the risks and how to balance them with other factors in arriving at a decision. In this article, we present the thesis that part of the answer lies in defining an appropriate scale for risks that are often quite small. We propose that a convenient unit in which to measure most medical risks is the microprobability, a probability of 1 in 1 million. When the risk consequence is death, we can define a micromort as one microprobability of death. Medical risks can be placed in perspective by noting that we live in a society where people face about 270 micromorts per year from interactions with motor vehicles.<\/p>\n

Continuing risks or hazards, such as are posed by following unhealthful practices or by the side-effects of drugs, can be described in the same micromort framework. If the consequence is not death, but some other serious consequence like blindness or amputation, the microrisk structure can be used to characterize the probability of disability.<\/p>\n

Once the risks are described in the microrisk form, they can be evaluated in terms of the patient’s willingness-to-pay to avoid them. The suggested procedure is illustrated in the case of a woman facing a cranial arteriogram of a suspected arterio-venous malformation. Generic curves allow such analyses to be performed approximately in terms of the patient’s sex, age, and economic situation. More detailed analyses can be performed if desired.<\/p>\n

Microrisk analysis is based on the proposition that precision in language permits the soundness of thought that produces clarity of action and peace of mind.”<\/p><\/blockquote>\n

When my CC is handy and I feel like giving up some privacy I’ll grab the whole paper, but the correlations seem pretty clear from just that bit.<\/p>\n

I must have missed Schneier’s blog post<\/a> about it earlier this month where he links to understandinguncertainty.org\/micromorts<\/a> which links to plus.maths.org\/content\/os\/issue55\/features\/risk\/index<\/a> (apologies for the link leapfrogging, but it provides background context that I did not have prior).<\/p>\n

At a risk to my credibility, I’ll add another link to a Wikipedia article<\/a> that lists some actual micromorts and include a small sample here: <\/p>\n

Risks that increase the annual death risk by one micromort, and their associated cause of death:<\/p>\n