- Financial: related to credit or investments such as loans, credit cards, or other financial obligations
- Legal: dealing primarily with breaking the law, whether local, federal, or international
- Human: accounting for the human element of a corporation, mainly HR-related
- Opportunity: taking a risk or pursuing an opportunity which could positively or negatively impact the business
Risk is truly the ultimate metric for security practitioners and managers alike. We've tried to model risk with equations, formulas, and frameworks over the past half-decade or so, but we're still failing to provide consistent answers to the same fundamental question:
"How much less likely are we to be hacked if we spend $X on solution Y?" Your insurance company can tell you how much less likely you are to cost them money if you're a married male over the age of 25 versus an unmarried male under 25... but we in security have no such magic table of risk to speak from.
As I've stated, I know full well there are some great risk model frameworks and formulas out there, but at the end of the day... I don't know a single one that can answer the question posed above. Is it because every business is different? Maybe it's because there are more factors than we could possibly fold into a cohesive formula and keep our sanity... or maybe it's just that we simply don't understand risk in technology terms completely.
Take a look at your 2009 projects (if you have any, given the economic climate) and ask yourself... which of these reduces the business's risk profile the most, and by how much? I urge you to abandon trying to word-smith your projects into something your CIO will find acceptable (or at least scary) and focus on trying to come up with that all-important metric... risk. Instead of justifying your pet project by saying it will keep your company from making negative front-page news or losing millions of credit card records... justify that project by saying that implementing it will decrease negative business risk by 20% (or whatever your number is)... and watch the reaction.
... now all you have to do is figure out that magic formula. Good luck.