Calculating Risk

As noted in the previous screen, risk consists of two components: the probability that a negative or harmful event will occur, and the cost, the amount of loss or expense that will result from the event. On the surface, assessing these two factors leads to a yes/no result: do I accept the risk or not? Do I keep driving in the fog or do I get off the road? In reality, the result is usually far more complex. As we saw in the previous screen, there were a multitude of options to consider, from fog lights to insurance. You could take advantage of every option available in a quest to reduce the probability of harm to zero, but you will run up against two constraints: you can never eliminate risk completely, and your resources are limited. You can pull off the road when there is fog, but now you have created the risk of being hit from behind by another car, or the risk of being late to your appointment. You can purchase more insurance to eliminate the possibility of a monetary loss if you keep driving, but try pricing an insurance policy with no deductible and coverage in the tens of millions of dollars: the cost of such protection is prohibitive. The reality is that you need to prioritize your risk options; in effect, you need to quantify the risk as accurately as possible in order to make a reasonable choice.

The prioritization of risk is achieved through a series of questions:

  1. How important is the asset (i.e. how much does the car cost)?
  2. How vulnerable is the asset to a negative event (i.e. if I rear end the car in front of me, how well will the car survive the crash)?
  3. How likely is it that someone would try to exploit the vulnerabilities (i.e. how good are my driving skills in fog)?
  4. What controls do we have in place to protect the asset from these vulnerabilities (i.e. do I have fog lights)?
  5. If the controls do not provide sufficient protection, what additional controls can we employ to reduce the risk to an acceptable level (if I still can't see well enough with the fog lights on, what else can I do to avoid an accident)?

Historically, information security officers, disaster recovery coordinators and others who needed to make operational risk decisions in the workplace found the answers to these types of questions by referring to prior experience and subjective reasoning. If you worked long enough in information security, you would get a good "feel" for the risks and exposures, and your experience would guide your decisions. But try telling the CEO that you want funding for an expensive project that will improve controls when the justification for the request is your "gut feeling" and prior experience. No wonder many senior executives view information security as overblown and inscrutable. Until information security can develop tools to objectively identify and measure risk, we will have little credibility with management in explaining the risk options.

The solution lies in adopting an approach similar to that used in the credit, market, and liquidity risk communities. Essentially, they define risk as: Risk = Criticality * Probability. This formula represents the product of the financial impact from an adverse event occurring (how critical is the product or, if it was lost, what would be its cost or impact to the business) and the probability or likelihood of the event occurring. As the chart demonstrates, the greater the criticality or the greater the probability of a loss, the greater the level of risk.
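The following is an added example, not code from the original page, that turns the five prioritization questions above and the formula Risk = Criticality * Probability into a small, runnable model. The asset figures, the control names and the rule that a control is worthwhile when the risk it removes exceeds its annual cost are all constructed assumptions for illustration; the page itself does not prescribe how controls should be credited against probability or impact.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Control:
    """A safeguard. Each reduction is the fraction of that factor the control removes
    (an assumed model: fog lights cut the chance of a crash, insurance cuts the loss per crash)."""
    name: str
    annual_cost: float
    probability_reduction: float = 0.0
    impact_reduction: float = 0.0


@dataclass
class Asset:
    name: str
    criticality: float   # question 1: financial impact if the asset is lost
    probability: float   # questions 2 and 3: likelihood of the loss event per year, 0..1
    controls: List[Control] = field(default_factory=list)  # question 4: controls already in place


def inherent_risk(asset: Asset) -> float:
    """Risk = Criticality * Probability, before any controls are credited."""
    return asset.criticality * asset.probability


def residual_risk(asset: Asset, extra: Tuple[Control, ...] = ()) -> float:
    """Risk after applying the asset's existing controls plus any candidate controls."""
    criticality = asset.criticality
    probability = asset.probability
    for control in list(asset.controls) + list(extra):
        criticality *= 1.0 - control.impact_reduction
        probability *= 1.0 - control.probability_reduction
    return criticality * probability


def rank_by_risk(assets: List[Asset]) -> List[Tuple[str, float]]:
    """Prioritise the portfolio: highest residual risk first."""
    scored = [(asset.name, residual_risk(asset)) for asset in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def evaluate_control(asset: Asset, control: Control) -> Tuple[float, bool]:
    """Question 5: how much risk does an additional control remove, and does that
    exceed what the control costs per year? (Assumed decision rule.)"""
    reduction = residual_risk(asset) - residual_risk(asset, (control,))
    return reduction, reduction > control.annual_cost


# Constructed sample portfolio; the dollar figures and probabilities are illustrative only.
PORTFOLIO = [
    Asset("customer database", criticality=500_000, probability=0.02,
          controls=[Control("nightly backups", annual_cost=2_000, impact_reduction=0.5)]),
    Asset("marketing website", criticality=50_000, probability=0.08),
    Asset("company car in fog", criticality=20_000, probability=0.05),
]
FOG_LIGHTS = Control("fog lights", annual_cost=150, probability_reduction=0.4)
FULL_INSURANCE = Control("no-deductible insurance", annual_cost=1_500, impact_reduction=1.0)


if __name__ == "__main__":
    for name, risk in rank_by_risk(PORTFOLIO):
        print(f"{name:20s} residual risk = {risk:9,.0f}")
    car = PORTFOLIO[2]
    for candidate in (FOG_LIGHTS, FULL_INSURANCE):
        reduction, worthwhile = evaluate_control(car, candidate)
        verdict = "worthwhile" if worthwhile else "not worth the cost"
        print(f"{candidate.name}: removes {reduction:,.0f} of risk for {candidate.annual_cost:,.0f}/yr -> {verdict}")
```

Running the script ranks the database above the website and the car, and shows the page's two fog examples in numbers: fog lights remove more risk than they cost, while no-deductible insurance removes all of the car's risk but costs more than the risk was worth. The decision rule and the way controls scale probability or impact are the example's own assumptions; a real programme would replace them with the organisation's risk appetite and loss data.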