Welcome to another edition of 2xTuesday, our series that brings you one 2x2 every week.
Today's 2x2 is a pretty simple one that you're probably reasonably familiar with. It's a way to think about risk, with the X-axis focused on the impact of a risk (how bad it could be) and the Y-axis focused on the likelihood. This is obviously useful in software development when thinking about issues of security, but also has pretty far-reaching value as a tool to use in your everyday life. The question to ask yourself is: how likely, and how impactful, could any specific risk be?
Obviously the place to start is the top-right High Risk box. This represents the most immediately likely and highest impact risks. Mitigate these away first. From there, it's generally accepted that you should look at the top-left Medium Risk box, as these are likely to occur, albeit with a smaller impact. The most interesting box is probably the bottom-right Tail Risk. This represents high impact, but low likelihood events. This is the kind of stuff Nassim Taleb discusses in Black Swan. The problem, which harkens back to the Known/Unknown 2x2, is that most tail risk represents an unknown/unknown: some kind of attack or event that we haven't seen before. Therefore, thinking about how to avoid those risks will generally involve much more systemic approaches than what is available for dealing with higher-likelihood events.
Mostly, though, the 2x2 provides a good simple way to prioritize.