Probability & Likelihood in Risk Assessment

A concern was raised in one of the audits that the keyword 'Probability' should not be used in a risk assessment, because it is a mathematical term: if we use it, the value must lie between 0 and 1. Put differently, a methodology that speaks of 'Threat Probability' would have to back that field with a value that satisfies the mathematical meaning, not a rating such as Low, Medium or High.

However, ISO 27005:2008 addresses this directly (Section 3, Terms and Definitions, sub-section 3.5 risk estimation, Note 2): it states that the term 'likelihood' is used instead of 'probability' in the standard. This is a clear indication that, for the purposes of the standard, the two words refer to the same thing, and that 'likelihood' was chosen precisely so that the estimate need not be a mathematical probability between 0 and 1. A qualitative or ordinal scale is therefore acceptable.

So what about your own risk assessment methodology: does it use the word 'Probability' or 'Likelihood'? In my view either can be used, since the standard treats them as equivalent, and it is the everyday English meaning rather than the mathematical one that applies in a risk assessment. The practical caveat is that if you keep the word 'Probability' against an ordinal scale, your methodology should say so explicitly (and should never multiply those ratings as if they were numbers between 0 and 1); adopting 'Likelihood' simply aligns the wording with the standard and avoids the audit question altogether.
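To make the distinction concrete, here is an added example, not code from the original post or from ISO 27005, of a risk estimation routine that keeps likelihood as an ordinal scale and only applies the 0-to-1 range check when a caller actually supplies a mathematical probability. The three-level scales, the risk matrix layout, the band boundaries used to translate a probability into a likelihood level, and the sample register entries are all assumptions chosen for illustration.

```python
"""Qualitative risk estimation on ordinal likelihood and impact scales.

Added example, not from the original post or from ISO/IEC 27005. The
three-level scales, the risk matrix and the mapping of a numeric
probability onto likelihood bands are assumptions chosen for illustration.
"""
from __future__ import annotations

# Ordinal likelihood scale: the ranks only order the levels. They are not
# probabilities and must never be multiplied as if they were.
LIKELIHOOD = {"low": 0, "medium": 1, "high": 2}
IMPACT = {"low": 0, "medium": 1, "high": 2}

# Risk matrix indexed as [likelihood_rank][impact_rank] (assumed layout).
RISK_MATRIX = [
    ["low", "low", "medium"],
    ["low", "medium", "high"],
    ["medium", "high", "high"],
]

# Assumed bands for translating a mathematical probability in [0, 1] into
# the qualitative scale, for methodologies that record both.
PROBABILITY_BANDS = [(0.1, "low"), (0.5, "medium"), (1.0, "high")]


def likelihood_from_probability(p: float) -> str:
    """Map a probability to a likelihood level, rejecting values outside [0, 1].

    This is the only place where the mathematical meaning of 'probability'
    is enforced; ordinal likelihood ratings never pass through here.
    """
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability must be in [0, 1], got {p!r}")
    for upper, level in PROBABILITY_BANDS:
        if p <= upper:
            return level
    raise AssertionError("unreachable: bands cover [0, 1]")


def estimate_risk(likelihood: str | float, impact: str) -> str:
    """Return the risk level for a likelihood and an impact level.

    `likelihood` may be a level name ('low', 'medium', 'high') or a numeric
    probability, which is first converted to a level. The result is read
    from the matrix, so no arithmetic is performed on the ordinal ranks.
    """
    if isinstance(likelihood, str):
        level = likelihood.lower()
        if level not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood level {likelihood!r}")
    else:
        level = likelihood_from_probability(float(likelihood))
    impact_level = impact.lower()
    if impact_level not in IMPACT:
        raise ValueError(f"unknown impact level {impact!r}")
    return RISK_MATRIX[LIKELIHOOD[level]][IMPACT[impact_level]]


if __name__ == "__main__":
    # Constructed sample register entries, not real assessment data.
    register = [
        ("laptop theft", "medium", "high"),
        ("ransomware on file server", 0.3, "high"),
        ("datacentre flooding", "low", "high"),
    ]
    for threat, likelihood, impact in register:
        risk = estimate_risk(likelihood, impact)
        print(f"{threat:28} likelihood={likelihood!s:8} impact={impact:7} risk={risk}")
```

The point of the split is that a rating of 'medium' is looked up, never computed: the range check on 0 to 1 exists only on the path where a genuine probability is entered, which is exactly the concern the auditor raised.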
