What do you think this is?

Just thoughts of a restless mind...

Risk understanding and coronavirus

Due to the Coronavirus outbreak there are lots of voices saying that we shouldn't care so much - especially if we haven't vaccinated for the flu which shows a lack of diligence on our side.

That could not be more wrong! People who say that understand ZERO about risk management, and since my social bubble is mostly security and risk management people, I find that very alarming.

Let me explain:

Risk management fundamentals

There are two aspects one needs to understand about risk management: Probability and Impact. Probability refers to how likely it is that the impact will be materialized. Impact refers to the consequences expected. There are many risk calculation algorithms, the easiest and prevalent is a multiplication: Probability x Impact.

There are also two events that need to be evaluated: The infection and the mortality.

Infection rate of coronavirus and flu

According to WHO, the transmission mechanisms of both coronavirus and flu are similar. But unlike flu, where one hundred patients are expected to infect 13 other people, one hundred coronavirus carriers will infect 22 other people. In risk management terms, it is significantly more probable to be infected with coronavirus.

Lethality of coronavirus and flu

Not only it's more probable to get coronavirus, but also it's more probable to die. Coronavirus infection results to death in 2.3% of the cases. Common flu results to death in less than 0.1% of the cases.

Simple maths

We get now to the probability x impact calculation: We will multiply the probability of the two events: get infected (event 1) and dying due to the virus (event 2). For simplification, as impact we will use the value 1. Either you die (==1) or you don't (==0).

For Coronavirus, the risk is 2.2% x 2.3% x 1 == 5.06 For Seasonal flu, the risk is 1.3% x 0.1% x 1 == 0.13

If I was interviewing candidates at this time, I would definitely ask someone to explain that to me, and I would certainly turn down a candidate that cannot apply a risk management approach in such an important issue.

If you're hiring security or risk professionals now, I suggest you do the same.