The validity of security risk assessment

Over the last few years there has been an increasing interest in the application of "risk assessment" to security systems. Many papers have appeared in the literature describing "risk assessment" methods or the results of studies where "risk assessment" principles were applied to a particular security system. Some of those papers define the meaning of risk using a formula relating the consequences of undesirable events and their likelihoods. The formula is then hardly ever used to calculate risk, and the papers rarely describe how its components can be calculated. As a result, there is much confusion about what is involved in security "risk assessment", and what it can deliver. The paper discusses the implications of the above problem, and provides a fundamental appraisal of the use of risk assessment methods in security. It aims to clarify the current misunderstandings associated with it, and provides guidance on its potential for future applications