STUDIES ON SECURITY: STUDY 14. TO THE PROBLEM OF ANALYZING, DEFINING AND ASSESSING RISK – PRINCIPAL ADDITIONS

  These Studies on Security contain only the results of my scientific views, research, analyses and models. In other words, they provide a SUMMARY of my MAJOR contributions to the Science of Security.
  
  STUDY 14. TO THE PROBLEM OF ANALYZING, DEFINING AND ASSESSING RISK – PRINCIPAL ADDITIONS
  
  The main characteristics of the concept of „risk“ are analyzed. A new formula for risk assessment is proposed, which complements the generally accepted formula according to which risk is equal to the probability of the occurring a given destructive phenomenon multiplied by the consequences if this phenomenon occurs. The supplemented formula includes taking into account the vulnerability of the system and the risk management actions that have been taken by that system. An „Uncertainty Principle“ is also introduced in Riskology, analogous to Heisenberg's famous Uncertainty Principle in Quantum Mechanics. The coefficient with which the generally accepted formula for risk assessment and calculation is supplemented can be considered as an analogue of the Planck Constant in the Uncertainty Principle.

  The following monograph of mine is devoted to the derivation of a qualitatively new formula, that complements the traditional, generally accepted, formula for risk assessment and calculation:
  Николай Слатински. Рискът – новото име на Сигурността. София: Изток-Запад, 2019.
   [Nikolay Slatinski. Riskut – novoto ime na Sigurnostta. Sofia: Iztok-Zapad, 2019].
  Nikolay Slatinski. Risk – the new Name of Security. Sofia: Iztok-Zapad, 2019 (in Bulgarian)
  
  Risk, act risky, take risk, manage risk, generate risk and many similar expressions have long been included and are constantly present in our lexicon. This usually involves the expectation (and understanding) that:
  ∙ there are any factors affecting us and alleged future developments, as a result of which harm, damage, loss, inconvenience may be caused to us; or
  ∙ we choose behavior from which we would probably be harmed, likely to be injured, hurt, suffered, lost, incur unpleasant consequences, may be deceived and even played; or
  ∙ we are pressed against the wall, we are left with no choice, that is why we have to act somehow, no matter what it costs us, no matter what happens to us next; or
  ∙ the current state of affairs and the confluence of circumstances up to this point do not satisfy us, so we try to achieve at least some change.
  
  In this sense, risk invariably accompanies our lives, and by risk we mean, first of all, something negative, unwanted, unexpected or inevitable. And when our actions can result in positive, desired, attainable or sought-after consequences, then we speak of a chance.
  Risk and chance are two sides of the same coin. In our life, they are different, but also closely related concepts, because one is perceived as an alternative and negation of the other. But for most authors and in most, let's call them sciences of risk/risks, the basic concept is risk. It can have either a negative or a positive dimension (content, effect). In ordinary life, the negative dimension is usually called exactly that – „risk“, and the positive dimension is called „chance“.
  
  In recent years, all sorts of ideas and versions of what risk really is have been circulating. But who, if not science, is destined to streamline the abundance of definitions and give, if not a generally accepted definition of risk, then at least a system of definitions that have managed to capture the main essence, meaning and content of the category „risk“ and form a satisfactorily true and correct idea about it.
  
  To begin with, with a few examples, we will show a wide variety of definitions of risk.
  It is very instructive, however, to first read the following dismal confession:
  
   „When the Society for Risk Analysis was still very new, one of the first tasks it undertook was to set up a committee to define the word „risk“. This committee worked for 4 years and gave up, stating in its final report that it might be better not to define the risk. Let each author define it in his own way, only, if you like, each must clearly explain what that way is“ [1].
  
  Explanation:
  The Society for Risk Analysis (SRA) is a non-governmental organization with scientific and research objectives in the field of risk, founded in 1980. It is headquartered in McLean, Virginia, USA.
  
  And so:
  • According to the Bulgarian standard BDS ISO 31000:2018, „Risk management. Guidelines“:
  Risk is effect of uncertainty on the achievement of objectives (this is how is translated the expression: effect of uncertainty on objectives).
  
  Explanation:
  BDS ISO 31000:2018 „Risk management. Guidelines“ is the official version in Bulgarian of the international standard ISO 31000:2018 „Risk management – Guidelines“, identical to its English version and approved on February 28, 2018.
  ISO 31000 is a family of risk management standards that also includes:
  ISO/TR 31004:2013, „Risk management – Guidance for the implementation of ISO 31000“
  ISO/IEC 31010:2009, „Risk Management – Risk Assessment Techniques“
  ISO Guide 73:2009, „Risk Management – Vocabulary“.
  
  • According to the Russian standard ISO 31000:2018(E), „Risk Management – Guidelines“:
  Risk is effect of uncertainty on objectives.
  
  • According to Wikipedia, „Risk is the possibility of something bad happening. Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value (such as health, well-being, wealth, property or the environment), often focusing on negative, undesirable consequences“ [2].
  
  • According to the German authors Ortwin Renn (1951) and Bernd Rohrmann: „Risk can be understood as the possibility that human actions, situations or events might lead to consequences that affect aspects ofwhat humans value“ [3].
  
  • According to the Danish Emergency Management Agency (DEMA): „Risk is a product of the likelihood of an incident (a materialized threat) and its possible consequences. However, both likelihood and consequences are affected by the vulnerabilities within the system the threat is directed against“ [4].
  Explanation:
  Danish Emergency Management Agency, DEMA (Danish: Beredskabsstyrelsen) – a government agency under the Ministry of Defence.
  
  • Society for Risk Analysis (SRA) offers such definitions of risk from the point of view of qualitative assessments:
  › Risk is the possibility of an unfortunate occurrence;
  › Risk is the potential for realization of unwanted, negative consequences of an event;
  › Risk is exposure to a proposition (e.g., the occurrence of a loss) of which one is uncertain;
  › Risk is the consequences of the activity and associated uncertainties;
  › Risk is uncertainty about and severity of the consequences of an activity with respect to something that humans value;
  › Risk is the occurrences of some specified consequences of the activity and associated uncertainties.
  
  • Other definitions of risk:
  › Risk – contingencies or dangers that have a possible but not inevitable character and can become causes of damage.
  › Risk – possible danger of some unfavorable outcome [6].
  › Risk – the potential for damage or loss of an asset. The level of risk is a condition of two factors: (1) the value placed on the asset by its owner and the consequence, impact, or adverse effect of loss or change to the asset; (2) the likelihood that a specific vulnerability will be exploited by a particular threat [7].
  › Risk – the uncertainty of future outcomes due to the uncertainty of that future itself [8].
  › Risk – discrepancy between predicted and actual results [9].
  › Risk – the probable frequency and probable magnitude of future loss [10].
  › Risk – the probability or threat of quantifiable damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action [11].
  › Risk – the unwanted subset of a set of uncertain outcomes [12].
  
  As has already become clear, there are many and very different definitions of risk.
  The concepts that are usually and most often intertwined in these definitions are:
  • Uncertainty;
  • Probability;
  • Vulnerability;
  • Activity;
  • Effect;
  If we think of risk as something destructive, we can talk about Loss.
  • Objectives.
  Let's call the complex of these 6 concepts the Risk Definition Complex.
  
  Each of these words (concepts) is largely accepted in English-language studies.   There are, however, other similar words (concepts) that in one context or another can be used and have been used. Here are some similar examples:
  • Ambiguity;
  • Likelihood;
  • Weakness;
  • Operation;
  • Outcome (Damage);
  • Goals.
  
  Some clarifications are necessary.
  
  → We are talking about Activity. To simplify the wording, we can also use „Safeguards“, but Safeguards is one idea narrower than Activity (because maybe nothing was done, i.e. no safeguards were taken; lack of activity is also activity, while the same cannot be said for safeguards).
  
  → We are talking about Effect. In translations in Russian and Bulgarian, is used both influence – „influence of uncertainty on objectives“, and impact – „impact of uncertainty on objectives“.
  The common understanding is that influence and impact are interchangeable. However, Science of Security makes some distinction between them.
  
  Influence – it is used when something (phenomenon, process) exists objectively and by the very fact of its existence affects a person or system, in particular, on their objectives.
  The situation as a whole is static, we are talking about static – something exists and it influences by its existence.
  
  Impact – it is used when something (phenomenon, process) exists objectively and affects the person or the system by prompting them (inducing them, pushing them) to act, in particular, in relation to their objectives.
  The situation as a whole is dynamic, we are talking about dynamics – something exists and with what it does, it affects.
  
  We are talking about the effect of uncertainty – the main thing is that there is uncertainty (unknownness, indeterminacy, ambiguity, insecurity) and there is an effect of this uncertainty. It is quite another question whether this uncertainty affects a person or a system and thereby changes their objectives by the very fact of its existence (passively irradiating them, stimulating them); or it affects a person or a system by making them do something (actively prompting them, inciting them) and thus changing their objectives. First of all, the effect is important, only then comes the question of whether it is a passive influence or an active impact.
  
  And another important thing: influence or impact is primarily the process itself, while effect says more about the final result, and the final result is determined not by uncertainty, but by our actions as a result of it and because of it.
  
  Risk is not a one-time act. Risk is directly related to the developing Process, and therefore the Risk develops along with the Process in time, having its own past, its own present and its own future. This time span can be characterized as follows:
  › past – period before the realization of the risk;
  › present – period during the realization of the risk;
  › future – period after the realization of the risk.
  
  Let's consider the concepts from the formulated above Risk Definition Complex.
  ● Two of these concepts, namely Uncertainty and Probability, to a very significant extent manifest themselves (come onto the scene) before the realization of the risk.
  ● Two of these concepts, namely Vulnerability and Activity, to a very significant extent manifest themselves (come onto the scene) during the realization of the risk.
  ● Two of these concepts, namely Effect and Objectives, to a very significant extent manifest themselves (come onto the scene) after the realization of the risk.
  
  At the input we have the following:
  • System, which is managed; and
  • Process (Process) that is being implemented and which can in some way (negatively or positively) change the functioning of the System.
  
  At the output we have the following:
  • Resilience of the System; and
  • Efficiency of the System management.
  
  Again, one clarification is necessary.
  The concepts of Effectiveness and Efficiency are often confused in Bulgarian and Russian. And there are reasons for that.
  Effectiveness is the ability to achieve goals with available resources – with the implication that it can be done with suboptimal, non-optimal use of resources.
  Efficiency is the ability to optimize the ratio of goals and resources. It is understood that this – the achievement of optimal goals – can be done with the optimal use of resources.
  If we shoot sparrows with artillery to save the crops, we are effective (achieving our goal), but not efficient (using disproportionate and expensive resources).
  
  Efficiency optimizes the ratio of goals and resources. This happens:
  1. by maximizing the numerator (as big goals as possible with available resources);
  2. by minimizing the denominator (given goals with as few resources as possible);
  3. by maximizing the numerator and minimizing the denominator (as big goals as possible with as few resources as possible).
  
  In cases 1 and 2, the system can be called rational.
  In case 3, the system can be called efficient.
  Therefore, efficient, i.e. the best strategizing and goal-achieving system is the one in which the maximum goals are achieved with the minimum resources.
  
  When we talk about effectiveness, we emphasize goals (doing the right thing); when we talk about efficiency, we emphasize both goals and resources (doing the right thing in the right way).
  In the risk management, from a practical point of view, efficiency means that the system is managed not only effectively, but also as rationally as possible – i.e. we strive to achieve goals and try to do so with the best possible goals/resources ratio. In other words, we strive to do as many of the right things as possible and to do them in as many of the right ways as possible.
  This practically means that:
  
  efficiency = rationalitymax.
  
  However, we must be aware that the theoretically ideal situation of doing the right things in the right way is very difficult to achieve in practice.
  
  The number of basic concepts related to the scientific category of risk has increased to 10!
  We'll sort them out again:
  System;
  Process;
  Uncertainty;
  Probability;
  Vulnerability;
  Activity;
  Effect;
  Objectives;
  Resilience;
  Efficiency
  
  We can then write the following generalized formula of the risk for the system as a function of the existing uncertainty and the objectives of that system:
  
  R = F(U,O) (1)
  
  Here
  R – risk;
  F – function;
  U – uncertainty;
  O – objectives.
  
  That's why:
  Formula (1) can be expressed as follows:
  
  R = (P x E) x (V / A) (2)
  
  Here
  P – probability;
  E – effect;
  V – vulnerability;
  A – activity.
  
  In other words:
  
  R[risk] = (P[probability] x E[effect]) x (V[vulnerability]/A[activity]) (3)
  
  What actually follows from here?
  
  If
  the traditional, generally accepted, usual formula, passing from book to book and from textbook to textbook, has the form:
  
  R = (P x E) (4)
  
  in other words, the risk is equal to the probability multiplied by the impact,
  
  than
  in our formula, the traditional result for risk R, namely (P x E), is multiplied by a coefficient K, whose numerator is vulnerability and whose denominator is the activity undertaken.
  
  Therefore, the coefficient K is directly proportional to vulnerability (V) and inversely proportional to activity (A).
  
  К = V / A (5)
  
  And so:
  The traditional, generally accepted, usual formula for risk assessment and calculation is:
  
  R = (P x E)
  
  The new, supplemented (generalized) by us formula for risk assessment and calculation is:
  
  R = (P x E) x K
  
  The larger V, i.e. the greater the vulnerability, the greater the K and, accordingly, the greater the risk.
  At V = 0, i.e. zero vulnerability (a theoretical construct), the risk is 0, and at V = +∞, i.e. infinite (extremely large) vulnerability, the risk is +∞, i.e. infinite (extremely large).
  The greater A, i.e. the more successful the measures, the smaller the K and, accordingly, the lower the risk.
  At A = 0, i.e. extremely unsuccessful measures, the risk is +∞, i.e. infinite (extremely large), and at A = +∞, i.e. extremely successful measures, the risk is 0.
  
  These formulas should not be taken literally. The sign of multiplication should be considered more as an accumulation of the contributions of the individual quantities (concepts), as their joint influence. Just as the Americans Stanley Kaplan (1919 – 2009) and B. John Garrick (1930 – 2020) wrote that instead of saying „risk is probability times consequence“, we should rather say „risk is probability and consequence“ [13].
  And formula (2) should rather be understood that risk is probability and vulnerability and effect in terms of (taking into account) the activities undertaken.
  
  Which means that formula (2) „tells“ us the following:
  Risk increases as probability, vulnerability and effect increase and decreases with successful measures taken to manage it.
  
  Risk precedes crisis, failure to counteract risk can lead to a crisis. At its core, risk management is much more often pre-crisis and/or anti-crisis managementр and much less often it is crisis management.
  
  Risk goes with uncertainty. Uncertainty is key to it, but uncertainty is not the whole risk. Otherwise, with so much, so great and so often occurring uncertainty, our existence would be a risk, it would be risky, it would be walking on the edge of risk.
  But at the same time, yes – we cannot but admit and swallow that less and less of our existence remains outside the risk zone.
  
  Along with that, risk is a probability category. Probability exists objectively or subjectively; the fact that it very often cannot be precisely determined does not mean that it does not exist or that it is nothing but uncertainty. There is uncertainty and uncertain and sometimes indeterminate probability, but still probability!
  
  Stanley Kaplan and John Garrick argue that the concept of risk includes both uncertainty and some loss or damage that can be received. Symbolically, according to them, this can be written as:
  
  Risk = Uncertainty + Damage (6)
  
  On the other hand, again according to them, if hazard is „a source of danger“ and risk is „possibility of loss or injury“ and „degree of probability of such loss“, then we can write[14] :
  
  Risk = Hazard/Safeguards (7)
  
  Examining Kaplan and Garrick's formulas (6) and (7), as well as carefully analyzing their already cited publication, in our opinion, although conditional, formula (6) is insufficiently accurate. Rather, in the context of the concepts so described by Kaplan and Garrick, this formula should be rewritten as follows:
  
  Hazard = Uncertainty + Damage (8)
  
  In this way, as we can easily see, Kaplan and Garrick are very close to our formula (2), which, expressed in terms of their concepts, unites the formulas derived by them and, therefore, could be written like this:
  
  Uncertainty = Probability + Vulnerability;
  Hazard = Uncertainty + Damage = Probability + Vulnerability + Damage.
  
  Therefore:
  
  Risk = Hazard/Safeguards = (Probability + Vulnerability + Damage)/Safeguards;
  
  This formula – already in the terms we use here – can be rewritten as follows (taking into account the conditionality of the mathematical signs „+“ and „x“):
  
  Risk = (Probability x Vulnerability x Effect)/Activity;
  
  or
  
  R = (P x V x E)/A.
  
  And this, as can be seen immediately, is our formula (2)!
  
  Kaplan and Garrick's formula (with the correction of the inaccuracy admitted by them in formula (6))
  and
  formula (2)
  coincide, with this difference that with Kaplan and Garrick everything is more arbitrary and conditional, while our formula (2) is far more logical, comprehensive and it adequately represents the meaning of the category „risk“ and its qualitative, and why not and in many cases quantitative determination.
  
  Due to the extreme importance of what we propose as a more accurate and correct, truer and more adequate formula for risk assessment and calculation, we will do one more thing for the sake of greater clarity and neatness.
  
  Let's combine once again the formulas (1) and (2) to determine the risk:
  
  R = F (U,O) = (P x E) x (V / A) (9)
  
  This gives us everything we need to understand and define what risk is:
  
  Risk is a function of uncertainty and objectives and is directly proportional to probability, vulnerability and impact and inversely proportional to activity.
  
  „Function of uncertainty and objectives“ means the entire sequence of events, impacts and results that began with uncertainty, went through the entire realized process and ended with the objectives or changes imposed on them.
  
  According to the ISO standard, risk is „effect of uncertainty on the achievement of objectives“ (in Bulgarian), „effect of uncertainty on objectives“ (in Russian and, of course, in English).
  Undoubtedly, such definitions can be used, moreover, they cannot be avoided, although, when formulated in this way, they leave the impression that there is some kind of uncertainty that directly influences/impacts the objectives. But as we have seen, the case is much more complicated, there is a whole chain of conditions and events that are closely and inextricably linked with each other, so a whole parade of concepts is taking place!
  It is, we agree, too tempting to put simply and plainly: influence/impact of uncertainty on (the achievement of) objectives. But to say this is possible and true only if it is used as a metaphor, as a reflection of the main thing in terms of risk. But the devil, as always, is in the details! And without these details, the phrase „influence/impact of uncertainty on (the achievement of) objectives“ can „hang“ in the air, deflate like a balloon deflates, and remain without content.
  
  It is permissible to some extent to use only two concepts – uncertainty and objectives – only if we do not forget that when studying the phenomenon of risk we are talking not about 2, but about 10 concepts, which, to summarize, are distributed as follows:
  
  Δ Two concepts at the input of the phenomenon Risk:
  ● System;
  ● Process.
  
  Δ Two concepts before the realization of the phenomenon Risk.
  ● Uncertainty.
  ● Probability.
  
  Δ Two concepts during the implementation of the phenomenon Risk.
  ● Vulnerability.
  ● Activity.
  
  Δ Two concepts after the realization of the phenomenon Risk.
  ● Effect.
  ● Objectives.
  
Δ Two concepts at the output of the phenomenon Risk:
  ● Resilience;
  ● Efficiency.
  
  Here is the diagram of the whole „chain“:
  
   (System, Process) --> (Uncertainty, Probability) --> (Vulnerability, Activity) --> (Effect, Objectives) --> (Resilience, Efficiency).
  
  And here, once again, is the formula of this „chain“, which exhausts the entire definition of risk:
  
  R = F(U,O) = (P x V x E)/A.
  
  In other words, we have the transition:
  
  S,P  R  Re,Ef (10)
  
  i.e. from the input concepts System (S) and Process (P), through Risk (R), to the output concepts Resilience (Re) and Efficiency (Ef).
  
  The sheer number of formulas makes it difficult to understand risk. But the very concept of risk management looks a bit like an oxymoron and contains some nonsense. The magic and why not the curse of risk is that it, if it really is a risk and not just something annoying, it can't be 100% managed. If it could be always and completely managed, what risk would it be other than something undesirable that we know about and want to eliminate?
  
  This gives rise to various interpretations such as the following:
  „There is no such thing as risk in reality. Risk is a way - or rather, a set of different ways - of ordering reality, of rendering it into a calculable form. It is a way of representing events so they might be made governable in particular ways, with particular techniques, and for particular goals. It is a component of diverse forms of calculative rationality for governing the conduct of individuals, collectivities and populations. It is thus not possible to speak of incalculable risks, or of risks that escape our modes of calculation, and even less to speak of a social order in which risk is largely calculable and contrast it with one in which risk has become largely incalculable“ [15].
  
  And the picture is complicated by thinking that risk is always a bad thing. We can remind ourselves a thousand times that a positive risk is called a chance, but something in us will always resist thinking of a positive risk as a risk. This thinking is like a boomerang and it returns with an unpleasant force to our new and most important formula (2).
  
  At first glance, formula (2):
  
R = (P x E) x (V / A)
  
  contains a serious weakness!
  
  „V“ is in the numerator, therefore, the larger V, i.e. the greater the vulnerability, the more the risk increases, and the smaller V is, i.e. the smaller the vulnerability, the more the risk decreases. However, this is the case for the negative value of risk, i.e. about risk as ... risk. But for the positive value of risk, i.e. for risk as chance, it turns out that with greater vulnerability, the chance increases, and with less vulnerability, the chance decreases. Which is absurd! With the chance, if the vulnerability is greater, then the chance decreases, and if the vulnerability is less, then the chance increases.
  „А“ is in the denominator, therefore, if the measures are successful, the risk is decreased, and if the measures are not successful, the risk is increased. However, this again refers to a negative risk value, i.e. about risk as ... risk. But for a positive risk value, i.e. for risk as chance, it turns out that with more successful measures, the chance decreases, and with more unsuccessful measures, the chance increases. Which is also absurd! With the chance, if the measures are more successful, then the chance increases, and if the measures are more unsuccessful, then the chance decreases.
  
  What to do?
  There are two options for solving this serious problem.
  
  The first option is for risk as chance to move „V“ in the denominator and to move „А“ in the numerator. Then the larger V is, i.e. the greater the vulnerability, the more the chance will decrease, and the smaller V, i.e. the smaller the vulnerability, the more the chance will increase.
  At the same time, the larger A is, i.e. the more successful the measures, the more the chance will increase, and the less A, i.e. the more unsuccessful the measures, the more the chance will decrease.
  The formula in this variant has the form:
  
  R = (P x E) x (A / V) (11)
  
  So when it comes to risk as chance, this formula can be written as:
  
  C[chance] = (P x E) x (A / V) (12)
  
  The problem is that formula (2) and formula (12) are different for risk as risk and for risk as chance. And it introduces quite a lot of noise into the system.
  
  The second – far more reasonable – option is if we want to keep formula (2) unchanged, i.e. „V“ should remain in the numerator and „А“ should remain in the denominator.
  In this case, it is necessary to accept the convention that V and A have negative signs, i.e. their values are negative. So the quotient (V/A) remains positive.
  Then the larger V, i.e. the more the vulnerability increases, the more the chance decreases; and the smaller V, i.e. the more the vulnerability is reduced, the more the chance increases.
  And the smaller A, i.e. the more unsuccessful the measures taken, the more the chance decreases, and the larger A, i.e. the more successful the measures taken, the more the chance increases.
  As mathematicians say – what had to be proved!
  
  The convention in question is not weird or finger-sucking, just to save our proposed formula (2)!
  It is logical.
  
  After all, chance is the opposite of risk. More precisely, risk as risk is the negative value of the category „risk“, and risk as chance is the positive value of this category.
  Therefore, it is natural that when we talk about a chance, then both vulnerability and the measures taken should be considered – in the conditional units of our formulas – with a negative sign.
  We know perfectly well that vulnerability increases risk but decreases chance, and successful measures taken reduce risk but increase chance!
  
  If we think about it, to assume that in the chance vulnerability will have a negative sign means that we are not actually using the vulnerability, but its opposite, i.e. resilience.
  Similarly, to assume that in the chance the measures taken will have a negative sign means that we are actually looking not for measures to reduce the risk, but for measures to increase the chance, i.e. not precautionary measures, but stimulating measures.
  Accordingly, when the sign of the stimulating measures is changed from minus to plus, then the stimulating measures actually become worsening (destructive) measures, which naturally reduce the chance when increasing, and logically increase the chance when decreasing.
  
  And so:
  The formula for the second option remains the same for chance C as for risk R:
  
  C = (P x E) x (V / A)
  C = (P x E) x K and K = V / A
  
  We must point out explicitly and categorically that this „alchemy“ was made with only one understandable and natural goal – that formula (2) has a common form for both risk (R) and chance (C). And in fact, it is extremely clear and completely logical that in 99% of the cases when the risk is calculated in this way, both in the scientific literature and in the practical tasks, it is about the risk precisely as ... risk.
  
  Undoubtedly, the question arises – why is all this necessary to introduce a supplemented (generalized), augmented (generalized), but in fact a qualitatively new formula for risk?
  
  We will try to explain why, although it should be obvious to specialists.
  Although obviously it's not... obviously.
  
  The traditional, general, conventional formula
  
  R = (P x E)
  
  that is, the risk is equal to the probability [for a given destructive phenomenon to occur] multiplied by the effect, i.e. by the consequences [if this phenomenon occurs]
has a very serious weakness, which our supplemented (generalized) formula
  
  R = (P x E) x K
  
  succeeds to a significant extent in minimizing
  
  What is this weakness?
  This weakness is that the formula
  
  R = (P x E)
  
  actually equates two types of risks:
  
  ‣ one type of risks is when the probability P is very high (tends to 1) and the effect E (consequences) is very low (in conditional units it tends to 0);
  ‣ another type of risk is when the probability P is very low (tends to 0), and the effect (consequences) E is very high (in conditional units it tends to 1000).
  
  Mathematically, these two types of risks in the formula
  
  R = (P x E)
  
  are reflected identically (the same result is obtained) and this formula actually does not care which of the two risks it is dealing with.
  
  But these are completely different risks!!!!
  The four exclamation marks here are not accidental...
  
  If
  one risk has
  Probability P = 0.999 and Effect E = 1; and
  another risk has
  Probability P = 000.1 and Effect E = 999,
  then, since the product P x E
  for the first risk 0.999 x 1 = 0.999; and as well
  for the second risk 0.001 x 999 = 0.999,
  we get that the magnitude (value) of the two risks is the same.
  
  Therefore, it follows that these two risks are identical in magnitude (value).
  But this is not the case at all!
  
  ‣ the first type of risks are absolutely negligible, therefore they can be ignored;
  but
  ‣ the second type of risks, although with extremely low probability, cannot help but be a cause of really great concern, since if they nevertheless materialize, their consequences can be catastrophic.
  
  We cannot have the same attitude towards
  ‣ a risk that is extremely probable but has negligible consequences (i.e. belongs to the first type of risks);
  and to
  ‣ a risk that is too unlikely, but with huge consequences (i.e. it belongs to the second type of risks);
  although the traditional, general, conventional formula
  P = (P x E)
  gives the same results for them when calculating their magnitudes.
  
  We will give an example just to illustrate the above.
  The Struma River flows through our hometown of Pernik. Not far from the city there is the Studena dam.
  With the onset of spring, very often the waters of the river rise and strongly go out of the bed, and the influx of groundwater breaks into the basements of the blocks along the river, and sometimes above the floors of these basements float jugs, jars or various things left there.
  Whether this will happen and what the consequences will be if it happens is the risk that worries the residents of these houses.
  For this risk, we have a very high probability (frequency) P and (yet) a very small effect (consequences) E – insofar as the materialization of the risk creates some discomfort for people from their flooded basements.
  On the other hand, there is a risk of the dam wall breaking, or at least the water overflowing the dam wall and rushing down the valley all the way to the town of Pernik, causing serious damage to the townspeople.
  For this risk, we have a very small (almost zero, but not zero) probability (frequency) P and an inevitably a very large, extremely severe and even catastrophic effect (consequences) E.
  
  Yes, but according to the traditional, generally accepted, familiar formula for assessing and calculating risk
  
  R = P x E
  
  the magnitude (value) of these two risks is practically the same!
  
  If, however, we ask the inhabitants of the city of Pernik, if they think that these are two very similar risks, they will, of course, categorically deny and even laugh at the very fact that such a thought could have occurred to anyone!
  
  After these explanations, we can now give the following definition of risk:
  
  Risk for the system means (it can be defined as)
  the existence (generation) of a process realized under conditions of uncertainty,
  which, with a probability to be estimated, is in a state,
  taking advantage of the vulnerability of the system
  and despite (or as a result of) the undertaken in relation to it activity,
  to create (to lead to) a general (cumulative) effect on the objectives of this system,
  thus, the resilience of the system is thereby tested (put under control) and its efficiency is established (checked).
  
  For more operational handling, the following shorter definition can be used:
  
  Risk is a process realized under conditions of uncertainty, which with a certain probability can, taking advantage of the vulnerability of the system and as a result of the activity undertaken in relation to it, generate a general effect on the objectives of this system, thus the resilience of the system is tested and its effectiveness is established.
  
  With this approach, risk can be considered for any situation, or at least for the vast majority of different situations, in different areas of human activity, as well as in different independent theoretical approaches to this basic concept.
  
  Let us emphasize for clarity that:
  • Risk, this for us will be a process or action that can have a positive or negative effect with determinable probability and consequences.
  • We will define risk as an effect realized in the conditions of uncertainty (in the sense of indeterminacy, unknownness, ambiguity, insecurity) on the objectives of the system (state, corporation, society, community, individual).
  • The risk is measured by the probability of its realization and the consequences (if it is realized), taking into account the vulnerability contributing to its realization and the measures taken to influence its realization.
  • Usually, a risk that would lead to positive consequences, benefits, gains or profits (the positive risk) is called chance, and a risk that would lead to a negative consequence, damage, harm or loss (the negative risk) is called risk.
  • The risk R is estimated and calculated in accordance with the formula:
  R = (P x E) x (V / A),
where
  P is the probability that the risk will occur (materialize);
  E is the effect (consequences), if the risk occurs (materializes);
  V is the vulnerability of the system in relation to risk;
  A is the activity of the system (measures and actions taken by the system) in relation to the risk.
  
  Addition:
  In 1927, German physicist, winner of the Nobel Prize in Physics (1932) Werner Heisenberg (1901 – 1976) formulated the famous Uncertainty Principle in Quantum Mechanics, according to which it is impossible to simultaneously determine the position and momentum of the electron.
  Explanation:
  Momentum in physics is a quantity representing the product of the body's mass and its velocity.
  
  We will add that:
   „Heisenberg’s principle and other aspects of Quantum Mechanics undermine the notion that the universe obeys strict laws of cause and effect. undermine the notion that the universe obeys strict causal laws. Chance, indeterminacy, and probability took the place of certainty. When [the brilliant German physicist, Nobel Prize winner in physics (1921) Albert] Einstein [1879-1955] wrote him a note objecting to these features, Heisenberg replied bluntly, „I believe that indeterminism, that is, the nonvalidity of rigorous causality, is necessary.“ This inability to know a so-called „underlying reality“ meant that there was no strict determinism in the classical sense“ [16].
  
  Quantum Mechanics shatters everything that human experience has given us so far and goes against the understandings born of common sense. It turns out that the observer affects the process he observes! Moreover, the electron seems to know that we are watching it, and it seems to decide on its own to do as we think it ought to do. It is indeed hard to believe that the result of the observation depends on the observer, just as it is hard to believe that the observed particle seems to have free will to make independent choices in its behavior!
  
  If we replace the particle, the position of the particle and the momentum of the particle with risk, the probability of occurrence of risk and the effect (consequences) in case of occurrence of risk, we can formulate also the „Uncertainty Principle“ in relation to risk, and more generally in Riskology (the science of identifying, analyzing, assessing and managing risks):
  
  It is impossible to simultaneously determine the exact probability that the risk will occur (materialize) and the exact effect if the risk occurs (materialize).
  
  This means that the more precisely we can calculate the probability that a risk will occur, the more imprecisely we can measure the effect if the risk does occur; and the more precisely we can measure the effect if the risk occurs, the more imprecisely we can calculate the probability that the risk will occur.
  
  If we continue the analogy with the Uncertainty Principle, then we will not only come to the conclusion that the observer, or more precisely the person (or unit) who is responsible for risk management, influences the process he observes, i.e. manages it, and something more – as if the risk knows that we manage it, and decides act in the way that we think it is obliged to act. This means that not only the result of risk management depends on the person who manages it, but also the managed risk itself, as if it has free will to make independent choices regarding its action!
  
  But, as one advertisement said, that's not all! Because in the Uncertainty Principle in Quantum Mechanics, one quantity appears – the so-called Planck Constant.
  
  Explanation:
  Planck Constant – a fundamental constant in Quantum Mechanics:
  h = 6.62607040(81) x 10-34 J.s.
  J – joule, a unit for measuring energy, as well as work and amount of heat, named after the English physicist James Joule (1818 – 1889);
  s – second.
  
  Planck Constant is named after the German physicist, Nobel Prize winner in physics (1818) Max Planck (1858 – 1947).
  Often used is the reduced Planck Constant ħ, also called the Dirac Constant, named after the English physicist and Nobel Prize winner (1933) Paul Dirac (1902 – 1984)
  ħ = h/2π = 1.054571800(13) x 10-34 J.s.
  
  The Uncertainty Principle formulated by Heisenberg can be understood without even understanding all the details of Quantum Mechanics.
  If ∆x is the standard deviation, which determines the position x of the particle, and ∆p is the standard deviation, which determines the momentum p of this particle, then we have the relationship:
  ∆x.∆p ≥ h/4π = ħ/2.
  
  Or however close to zero ∆x (or ∆p), i.e. no matter how precisely we determine the position of the particle (or its momentum), the other quantity ∆p (or ∆x), i.e. determining the momentum (or position) of the particle will turn out to be such that their product ∆x.∆p will be greater than or equal to h/4π or ħ/2.
  
  This Planck (or Dirac) Constant is amazing!
  It „does not allow“ the simultaneous accurate enough determination of both the position of the particle and its momentum!
  
  Let's return to the „risk“ analogies with the Uncertainty Principle.
  
  Let's once again take the formula (2) supplemented (generalized) by us for determining the risk:
  
  R = (P x E) x (V / A)
  
  In this formula, the coefficient K was introduced, which is directly proportional to the vulnerability V and inversely proportional to the activity A:
  
  К = V / A
  
  Therefore:
  
  R = (P x E) х К.
  
  The coefficient K, because of which our supplemented (generalized) formula for risk
  
  R = (P x E) х К
  
  differs from the traditional, general, conventional formula
  
  R = P x E
  
  could (not being a constant) be considered as ... an analogue of Planck Constant   in the Heisenberg Uncertainty Principle!
  
  What does that mean?
  
  If
  ∆P is the standard deviation that determines the probability P that the risk will occur (materialize);
  and
  ∆E is the standard deviation by which the effect E is determined if the risk occurs (materializes);
  then we can say that:
  
  ∆Р.∆Е ≥ К.
  
  In other words, the product of the standard deviation ∆P, by which we determine the probability P that the risk will occur, and the standard deviation ∆E, with which we determine the effect E if the risk occurs, cannot fall below (in conditional units) the quotient of the vulnerability V of the system in relation to risk and activity A of the system in relation to risk.
  This means that no matter how close ∆P (or ∆E) is to 0, i.e. no matter how precisely the probability P of the occurrence of the risk (or the effect E, if the risk occurs) is determined, another value ∆E (or ∆Р) – i.e. the determining of the effect E if the risk occurs (or the probability P that the risk occurs) will be such that their product ∆P.∆E will be greater than or equal to the ratio of the vulnerability V to the risk and the measures A taken in relation to the risk.
  
  We found that the coefficient K (K = V / A) is also an amazing quantity. It „does not allow“ simultaneous, sufficiently accurate determination of both the probability P that the risk will occur and the effect E if the risk occurs.
  
  
  
  References:
  1. Cline, Preston B. The Etymology of Risk, 2004, р. 3.
  2. http://en.wikipedia.org/wiki/Risk.
  3. Renn, Ortwin, Bernd Rohrmann. Risk Perception Research – An Introduction. – In: Renn, Ortwin, Bernd Rohrmann (eds.). Cross-Cultural Risk Perception. A Survey of Empirical Studies. Dordrecht, Netherlands: Springer Science+Business Media, 2000, 11 – 54, p. 14.
  4. Danish Emergency Management Agency. DEMA’s Approach to Risk and Vulnerability Analysis for Civil Contingency Planning, October, 2009, p. 4.
  5. Society for Risk Analysis Glossary. https://www.sra.org/wp-content/uploads/2020/04/SRA-Glossary-FINAL.pdf, р. 4.
  6. Риск (Risk) – это. http://economic-definition.com/Business/Risk_Risk__eto.html.
Risk (Risk) – это. http://economic-definition.com/Business/Risk_Risk__eto.html.
(Risk is) (in Russian)
  7. U.S. Department of Energy Office of Energy Assurance. Energy Infrastructure Risk Management Checklists for Small and Medium Sized Energy Facilities. 2002, www.esisac.com/publicdocs/assessment_methods/Risk_Management_Checklist_S..., p. 25.
  8. Диев, Владимир. Философская парадигма риска. – В: Всероссийский экономический журнал, 2008, № 12, 27 – 38, https://cyberleninka.ru/article/n/filosofskaya-paradigma-riska, с. 32.
  Diev, Vladimir. Filosofskaya paradigma riska. – V: Vserossiyskiy ekonomicheskiy zhurnal, 2008, № 12, 27 – 38, https://cyberleninka.ru/article/n/filosofskaya-paradigma-riska, с. 32.
   (Diev, Vladimir. Philosophical paradigm of risk.) (in Russian)
  9. Костин, Юрий. Инструменты анализа и оценки рисков, http://www.risk-manage.ru/conference/material/.
  Kostin, Yurii. Instrumenty analiza I ocenki riskov, http://www.risk-manage.ru/conference/material/.
   (Kostin, Yuri. Risk analysis and assessment tools.) (in Russian)
  10. Jones, Jack. Bald Tire. Understanding the Need to Move Information Risk Management from Art toward Science. White Paper, http://www.risklens.com/hubfs/Resource_Center/The_Bald_Tire_Scenario_Whi..., р. 4.
  11. In previous versions of the text in wikipedia, https://www.openriskmanagement.com/why-is-risk-so-poorly-defined/.
  12. Luetge, Christoph, Eberhard Schnebel, and Nadine Westphal. Risk Management and Business Ethics: Integrating the Human Factor. 37 – 62, in: Klüppelberg, Claudia, Daniel Straub, Isabell M. Welpe (edts.). Risk – A Multidisciplinary Introduction, Springer International Publishing Switzerland, 2014, p. 45.
  13. Kaplan, Stanley, B. John Garrick. On the Quantitative Definition of Risk.//Risk Analysis, 1981, Vol. 1, No. 1, https://static1.squarespace.com/static/54628adae4b0f587f5d3e03f/t/54c1df..., p. 7.
  14. Ibid., p. 2.
  15. Dean, Mitchell. Risk, Calculable and Incalculable. 131 –159. In: Lupton, Deborah (ed.). Risk and Sociocultural Theory: New Directions and Perspectives. London and New York: Routledge, Cambridge: Cambridge University Press, 1999, p. 131.
  16. Isaacson, Walter. Einstein. His life and universe. New York: Simon & Schuster, 2007, 333 – 334.
  
  
  
  04/28/2023
  
  
  Brief explanation:
  The texts of my Studies have been translated into English by me. They have not been read and edited by a native English speaker, nor by a professional translator. Therefore, all errors and ambiguities caused by the quality of the translation are solely mine. But I have been guided by the thought that the purpose of these Studies is to give information about my contributions to the Science of Security by presenting them in a brief exposition, and not to demonstrate excellent English, which, unfortunately, I cannot boast of.

Reply

The content of this field is kept private and will not be shown publicly.
CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.
         __   __               ____    ___  
__ _ \ \ / / _ __ ___ / ___| / _ \
/ _` | \ V / | '_ ` _ \ | | _ | (_) |
| (_| | | | | | | | | | | |_| | \__, |
\__, | |_| |_| |_| |_| \____| /_/
|_|
Enter the code depicted in ASCII art style.