For instance, would a particular security event be likely to happen in the next 30 years, even given everything the company is doing to prevent such an occurrence? If the answer is yes, you have a baseline to work with: 1 out of 30 years, or 3.33 percent. For large security incidents, such as reputational events, I'd at least go with this baseline. If you're a big company or a larger target or you lack the commitment and resources for such a big fight, maybe one incident every 5 to 10 years is more realistic.
Smaller events, such as malware infections, exploited servers, and availability issues, should be easier to base on historical evidence. When in doubt, bear in mind that these milestones are often measured in years rather than decades.
Also note that events, large and small, aren't mutually exclusive. A small incident might lead to a reputational event, but since you don't know when that is likely to happen, you have to account for both. I get the distinct feeling that organizations handle the small items fairly well, but they don't account for the reputational-level happenings.
Beyond underestimating the probability of a security event, there's a tendency to underestimate the likely resulting damage. These costs can be just as difficult to calculate. Again, I'd start with broad ranges to help develop boundaries. For instance, how likely is a security event to result in $100 million worth of damage? At billion-dollar companies, that's a likely outcome over a 30-year period -- and should be accounted for as such.
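The baselines above can be carried through numerically. The following Python sketch is an added example, not part of the original column: it converts "once in N years" into an annual probability, shows the chance of at least one occurrence over a 30-year horizon, and combines a direct large event with a small incident that escalates. It assumes years are independent of each other; the small-incident rate, the escalation rate, and the lower damage bound are constructed figures.

```python
# Added example. All rates and the lower loss bound are constructed assumptions;
# only the 30-year, 5-to-10-year and $100 million figures come from the text.

def annual_probability(years_between_events: float) -> float:
    """'Once in N years' expressed as a per-year probability (1/N)."""
    if years_between_events < 1:
        raise ValueError("events more frequent than yearly need a rate model")
    return 1.0 / years_between_events

def prob_at_least_once(p_annual: float, horizon_years: int) -> float:
    """Chance of one or more occurrences over the horizon (independent years)."""
    return 1.0 - (1.0 - p_annual) ** horizon_years

def combined_annual_probability(p_large_direct: float, p_small: float,
                                p_escalation: float) -> float:
    """Large event in a given year, either directly or because a small
    incident escalates. The paths are not mutually exclusive, so multiply
    the complements instead of adding the probabilities."""
    p_via_small = p_small * p_escalation
    return 1.0 - (1.0 - p_large_direct) * (1.0 - p_via_small)

def annualized_loss(p_annual: float, loss_low: float, loss_high: float):
    """Expected yearly loss as a (low, high) pair from a broad damage range."""
    return (p_annual * loss_low, p_annual * loss_high)

def baseline_table(horizon_years: int = 30):
    """Annual and horizon-wide probabilities for the column's three baselines."""
    rows = {}
    for n in (30, 10, 5):  # once in 30, 10 and 5 years
        p = annual_probability(n)
        rows[n] = (round(p * 100, 2), round(prob_at_least_once(p, horizon_years), 4))
    return rows

if __name__ == "__main__":
    for n, (pct, over_horizon) in baseline_table().items():
        print(f"once in {n:>2} years: {pct:5.2f}%/yr, "
              f"P(at least one in 30 yrs) = {over_horizon:.4f}")
    # Constructed inputs: small incidents every 2 years, 5% of them escalate.
    p_large = combined_annual_probability(annual_probability(30), 0.5, 0.05)
    low, high = annualized_loss(p_large, 10_000_000, 100_000_000)
    print(f"combined large-event probability: {p_large:.4f}/yr")
    print(f"annualized loss range: ${low:,.0f} to ${high:,.0f}")
```

Even the most conservative baseline of 3.33 percent per year works out to roughly a 64 percent chance of at least one such event across the 30-year horizon, and adding the escalation path raises the annual figure further.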
IT security departments are no longer the gatekeeper, but perhaps we haven't done a good job of sharing the realistic likelihoods and probabilities. Heck, the last few years have been a wake-up call for us all, reminding us we need to evolve.
This story, "Get real about your security risks," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes's Security Adviser blog at InfoWorld.com.