Communicating about risk - part 1
2008-05-05 18:12:14 by JonesJ in RiskAnalys.is

In his comments a couple of weeks ago, Walter brought up an important point.  Paraphrased, he pointed out that misrepresenting the precision of an analysis is a bad thing.  He also pointed out that this isn’t so much a problem with the analysis model (although it’s more likely to occur with a quantitative model), but rather tends to be a problem with how an analyst communicates results to management.

With that in mind, I thought I’d write a couple of posts about communicating risk.  In this week’s post, I’ll talk about “risk qualifiers” that can be critical in helping management understand the true nature of some risk scenarios.

“I can live with this…”

Let’s say that you’ve done an analysis and the results look something like what’s shown in the charts below (I’ve included both a qualitative and a quantitative version):

At first glance, a decision maker might think “This doesn’t look so bad.  I can live with this level of risk.”  But that’s not necessarily the whole story…

Unstable conditions

An unstable risk condition exists when the following characteristics co-exist:

  • Threat event frequency is low
  • Vulnerability is high
  • Probable loss magnitude is significant

When these conditions exist, the low loss event frequency is driven solely by the low threat event frequency.  In other words, we’re not actively managing loss event frequency; we’re just trusting to luck.  If threat event frequency changes (or an event occurs at all), then significant impact will likely occur.  An example might be an internal application that handles a significant volume of sensitive consumer records, but that has little or no authentication or authorization control in place.

Now, if all we provided management was a qualitative “Medium/Low” risk statement or a quantitative statement that “probable loss event frequency is roughly once every ten years with a probable loss magnitude of $500k”, then we haven’t really allowed management to make an informed decision.  

This additional information about the unstable nature of the risk condition is critical for a couple of reasons:  1) it allows management to decide whether they want to gamble, and 2) instability can reflect poorly from a due diligence perspective.  

Fragile conditions

A fragile condition exists when the following characteristics co-exist:

  • Threat event frequency is high
  • Vulnerability is low, but dependent on a single effective control
  • Probable loss magnitude is significant

At a glance, this will look similar to an unstable condition.  In this case, however, a single control is all that prevents a high loss event frequency.  An example might be a single-layer Internet architecture, where the volume of threat events is high but the firewall is generally quite effective.

Differentiation

One big advantage of these qualifiers is that they let us differentiate between risk conditions that, from a risk chart perspective, look the same.  This differentiation allows us to prioritize better, which leads to more cost-effective risk management.
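To make the differentiation concrete, here is an added example (my own code, not from the post or from the FAIR framework) that scores three constructed scenarios sharing the post's "once every ten years, $500k" profile and tags them with the unstable and fragile qualifiers defined above. The numeric thresholds and the effective-control count are assumptions chosen for the example; the post gives no cut-offs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_event_frequency: float  # expected threat events per year
    vulnerability: float           # probability a threat event becomes a loss event (0..1)
    loss_magnitude: float          # probable loss per event, in dollars
    effective_controls: int        # independent controls keeping vulnerability low (assumed field)


# Assumed thresholds for this example; the post does not specify numbers.
LOW_TEF = 1.0              # at most one threat event per year counts as "low"
HIGH_TEF = 100.0           # at least 100 per year counts as "high"
HIGH_VULN = 0.5
LOW_VULN = 0.1
SIGNIFICANT_LOSS = 100_000.0


def loss_event_frequency(s: Scenario) -> float:
    # FAIR-style decomposition the post relies on: LEF = TEF x Vulnerability.
    return s.threat_event_frequency * s.vulnerability


def qualifiers(s: Scenario) -> list[str]:
    tags = []
    significant = s.loss_magnitude >= SIGNIFICANT_LOSS
    if s.threat_event_frequency <= LOW_TEF and s.vulnerability >= HIGH_VULN and significant:
        tags.append("unstable")  # low LEF only because threats are rare
    if (s.threat_event_frequency >= HIGH_TEF and s.vulnerability <= LOW_VULN
            and s.effective_controls == 1 and significant):
        tags.append("fragile")   # low LEF rests on a single control
    return tags


def risk_statement(s: Scenario) -> str:
    # The chart-level statement management would see, plus the qualifier if one applies.
    base = f"{s.name}: probable LEF {loss_event_frequency(s):.3g}/yr, probable loss ${s.loss_magnitude:,.0f}"
    tags = qualifiers(s)
    return base + (f" [{', '.join(tags)}]" if tags else "")


# Constructed sample scenarios: all three land at LEF ~0.1/yr and $500k, the same chart position.
UNSTABLE_APP = Scenario("internal records app, no authN/authZ", 0.1, 1.0, 500_000, 0)
FRAGILE_PERIMETER = Scenario("single-layer Internet perimeter", 10_000, 0.00001, 500_000, 1)
STABLE_APP = Scenario("records app behind layered controls", 10, 0.01, 500_000, 3)

if __name__ == "__main__":
    for scenario in (UNSTABLE_APP, FRAGILE_PERIMETER, STABLE_APP):
        print(risk_statement(scenario))
```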

Another advantage is that they provide nomenclature for expressing what our intuition has probably already recognized.  In other words, the experienced information security professional would intuitively recognize the difference between an unstable or fragile condition and one that isn’t (but that may look the same on a chart).  In my experience, what we tend to do in those instances is label the condition “high risk”.  The problem with this is that it lumps these scenarios in with those where loss event frequency and loss magnitude are both high, which erodes management’s ability to prioritize effectively.

At the end of the day, effectively managing any complex set of issues requires an ability to differentiate.  These qualifiers have proven to be extremely useful in that regard.
