Credibility, Not Likelihood
21 Oct 2025
Level 3, Room GW2 | Sands Expo and Convention Centre
Re-charting the CISO and Head of Security Footprint
Risk = impact x likelihood is how most of us estimate cyber risk. This works well for low-impact, high-frequency (LIHF) events but badly for high-impact, low-frequency (HILF) scenarios. Likelihood implies, and probability demands, randomness, but neither the targeting nor the outcomes of HILF attacks are random. The concept of "credibility" is a more useful basis for risk assessments of the kind described in NIST SP 800-30. Credibility is defined as "what is reasonable to believe" (a question of what is believed, not who believes it). The word lets us ask important questions such as "what happens when we don't have the budget to prevent all credible attacks with unacceptable consequences?" How would you even ask that question with "likelihood"? For example: "what happens when we don't have the budget to address all low-likelihood attacks?" The question is meaningless: we can always imagine exotic attacks that will never occur and that should never have budget assigned to them. In this presentation we explore a new way to think about cyber risk: credibility, capability, frequency, and other measures.
