The article points out that there are different ways of calculating the risk associated with flying.
You can calculate the risk of flying by:I can imagine similar variations in how an SP might determine the risk associated with accepting identity assertions from IDPs.
1. Dividing the number of people who die into the total number of people, which gives you the risk for the average person;
2. Dividing the number of victims into the number of total flights all passengers took, which gives the risk per flight;
3. Dividing the number of victims into the total number of miles all of them flew, which gives you the risk per mile.
For some SP's the analogous "risk fraction" might be dividing the number of dollars lost (as a result of damage to reputation from fraud, legal costs, etc) into the dollars gained (from increased user retention etc); for other SPs dividing the number of users lost through identity portability over the number of users kept/added might be a more useful metric. An SP that does lots of low value transactions would probably have a different view of risk than another that engages in fewer higher-value transactions.
I bet there is an MBA thesis in here.
The article points out that the majority of flying risk comes from take-offs and landing. For identity, it's authentication that skews the distribution.