As we all know, there are two main components to risk: 1) the chance that something will happen, and 2) how bad it would be if it did; in other words, probability and impact. For the last 20 years we’ve been focused almost exclusively on probability, i.e., trying to make sure bad things don’t happen.
My latest post on the HP Application Security blog. I’d love to hear comments on it.