An empirical test of the perceived relationship between risk and the constituents severity and probability

Teodor Sommestad (Swedish Defence Research Agency (FOI), Linköping, Sweden)
Henrik Karlzén (Swedish Defence Research Agency (FOI), Linköping, Sweden)
Peter Nilsson (Swedish Defence Research Agency (FOI), Linköping, Sweden)
Jonas Hallberg (Swedish Defence Research Agency (FOI), Linköping, Sweden)

Information and Computer Security

ISSN: 2056-4961

Article publication date: 13 June 2016

Abstract

Purpose

In methods and manuals, the product of an information security incident’s probability and severity is seen as a risk to manage. The purpose of the test described in this paper is to investigate if information security risk is perceived in this way, if decision-making style influences the perceived relationship between the three variables and if the level of information security expertise influences the relationship between the three variables.

Design/methodology/approach

Ten respondents assessed 105 potential information security incidents. Ratings of the associated risks were obtained independently from ratings of the probability and severity of the incidents. Decision-making style was measured using a scale inspired by the Cognitive Style Index; information security expertise was self-reported. Regression analysis was used to test the relationship between the variables.

Findings

The ten respondents did not assess risk as the product of probability and severity, regardless of experience, expertise and decision-making style. The mean variance explained in risk ratings using an additive term is 54.0 or 38.4 per cent, depending on how risk is measured. When a multiplicative term was added, the mean variance only increased by 1.5 or 2.4 per cent. For most of the respondents, the contribution of the multiplicative term is statistically insignificant.
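The regression comparison described above, as an added illustration that is not the paper's data or code: two hypothetical raters on a constructed 5x5 probability/severity grid, with the additive model and the model that also carries a probability x severity interaction term both fitted by ordinary least squares, so the gain in variance explained by the multiplicative term can be read off directly.

```python
"""Nested-model check: how much more variance in risk ratings does a
probability x severity interaction term explain than the additive model?"""

# Constructed sample (not from the paper): a 5x5 grid of probability/severity
# pairs and two hypothetical raters, one additive, one multiplicative.
NOISE = [0.2, -0.1, 0.3, -0.3, 0.0, 0.1, -0.2]  # fixed perturbation, no RNG
GRID = [(p, s) for p in range(1, 6) for s in range(1, 6)]
ADDITIVE_RATER = [p + s + NOISE[i % len(NOISE)] for i, (p, s) in enumerate(GRID)]
PRODUCT_RATER = [p * s + NOISE[i % len(NOISE)] for i, (p, s) in enumerate(GRID)]


def solve(a, b):
    """Solve the square system a x = b by Gauss-Jordan elimination with pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def r_squared(xs, y):
    """Fit y ~ 1 + xs by OLS via the normal equations and return R^2."""
    rows = [[1.0] + list(x) for x in xs]
    k = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(rows, y)) for i in range(k)]
    beta = solve(xtx, xty)
    ybar = sum(y) / len(y)
    ss_tot = sum((yi - ybar) ** 2 for yi in y)
    ss_res = sum((yi - sum(b * xi for b, xi in zip(beta, r))) ** 2
                 for r, yi in zip(rows, y))
    return 1.0 - ss_res / ss_tot


def interaction_gain(ratings, grid=GRID):
    """Return (R^2 additive, R^2 with p*s term, gain) for one rater's ratings."""
    additive = r_squared([(p, s) for p, s in grid], ratings)
    multiplicative = r_squared([(p, s, p * s) for p, s in grid], ratings)
    return additive, multiplicative, multiplicative - additive


if __name__ == "__main__":
    for name, ratings in (("additive rater", ADDITIVE_RATER),
                          ("product rater", PRODUCT_RATER)):
        add, mult, gain = interaction_gain(ratings)
        print(f"{name}: R2 additive={add:.3f} with interaction={mult:.3f} gain={gain:.3f}")
```

A rater who combines probability and severity additively shows almost no gain from the interaction term, while a rater who multiplies them shows a clear one; the paper's respondents fell in the first group.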

Practical implications

The inability or unwillingness to see risk as a product of probability and severity suggests that procedural support (e.g. risk matrices) has a role to play in the risk assessment processes.

Originality/value

This study is the first to test if information security risk is assessed as an interaction between probability and severity using suitable scales and a within-subject design.

Citation

Sommestad, T., Karlzén, H., Nilsson, P. and Hallberg, J. (2016), "An empirical test of the perceived relationship between risk and the constituents severity and probability", Information and Computer Security, Vol. 24 No. 2, pp. 194-204. https://doi.org/10.1108/ICS-01-2016-0004

Publisher

Emerald Group Publishing Limited

Copyright © 2016, Emerald Group Publishing Limited