
Opinion

The Myth and Reality of Risk

7/25/2008


Just when my retirement investments were falling like lead bricks, the EPA informed me last month that I'm not worth as much as I was five years ago. While some of my skiing friends may heartily agree, that wasn't the basis for the EPA's judgment. They have determined that the "value of a statistical life" is $6.9 million--a drop of more than a million dollars in the last five years.

Government agencies do the same kind of quantitative risk analysis that we do in the security arena: risk is a combination of the probability of an event and the undesirable consequences of that event. In the case of the EPA, they were comparing the cost of implementing tighter pollution regulations versus the value of reducing pollution, in this case the number of lives saved times the value of each life, $6.9 million.

The details of these calculations can have important policy implications. For example, if a proposed regulation will cost an industry $15 billion to implement but will save 2,000 lives, the cost ($15 billion) outweighs the benefits ($13.8 billion) if we use the new "value of a statistical life." But if we use the old value, $7.8 million, the benefits ($15.6 billion) outweigh the costs.

Where did the $6.9 million value come from, and why did it change? The EPA figure didn't come from an individual's estimated earnings or societal value. (My spouse has assured me that I am worth more than $6.9 million.) It was based on what people are willing to pay to avoid risk, as measured by how much extra employers pay workers to do more risky jobs. The actual value was the result of combining two studies: one that came up with a value of $8.9 million and the other between $2 million and $3.3 million.

The variance in the two studies resulted from subtle differences between comparing risky jobs and comparing risky industries. I don't know about you, but I don't have a warm and fuzzy feeling about the methodology or the fact that the answers varied by a factor of four. Neither did some of the members of the EPA's Science Advisory Board. According to Granger Morgan, chair of the Board and engineering and public policy professor at Carnegie Mellon University, "This sort of number-crunching is basically numerology."

Risk Management
That got me thinking about how we quantify risk as we do IT security. When we get to the final cost-benefit ratio everything may seem logical, but does it make sense, or is it just numerology?

