Communicating about risk - part 1
In his comments a couple of weeks ago, Walter brought up an important point. Paraphrased, he pointed out that misrepresenting the precision of an analysis is a bad thing. He also pointed out that this isn’t so much a problem with the analysis model (although it’s more likely to occur with a quantitative model), but rather tends to be a problem with how an analyst communicates results to management.
With that in mind, I thought I’d write a couple of posts about communicating risk. In this week’s post, I’ll talk about “risk qualifiers” that can be critical in helping management understand the true nature of some risk scenarios.
“I can live with this…”
Let’s say that you’ve done an analysis and the results look something like what’s shown in the charts below (I’ve included both a qualitative and a quantitative version):

At first glance, a decision maker might think “This doesn’t look so bad. I can live with this level of risk.” But that’s not necessarily the whole story…
Unstable conditions
An unstable risk condition exists when the following characteristics co-exist:
- Threat event frequency is low
- Vulnerability is high
- Probable loss magnitude is significant
When these conditions exist, the low loss event frequency is driven solely by the low threat event frequency. In other words, we’re not actively managing loss event frequency; we’re just trusting to luck. If threat event frequency changes (or an event occurs at all), then significant impact will likely occur. An example might be an internal application that handles a significant volume of sensitive consumer records, but that has little or no authentication or authorization control in place.
Now, if all we provided management was a qualitative “Medium/Low” risk statement or a quantitative statement that “probable loss event frequency is roughly once every ten years with a probable loss magnitude of $500k”, then we haven’t really allowed management to make an informed decision.
This additional information about the unstable nature of the risk condition is critical for a couple of reasons: 1) it allows management to decide whether they want to gamble, and 2) instability can reflect poorly from a due diligence perspective.
Fragile conditions
A fragile condition exists when the following characteristics co-exist:
- Threat event frequency is high
- Vulnerability is low, but dependent on a single effective control
- Probable loss magnitude is significant
At a glance, this will look similar to an unstable condition. In this case, however, a single control is all that stands between us and a high loss event frequency. An example might be a single-layer Internet architecture, where the volume of threat events is high but the firewall is generally quite effective.
Differentiation
One big advantage of these qualifiers is the ability to differentiate between risk conditions that, from a risk chart perspective, look the same. This differentiation allows us to prioritize better, which leads to more cost-effective risk management.
Another advantage is that it provides nomenclature for expressing what our intuition has probably already recognized. In other words, the experienced information security professional would intuitively recognize the difference between an unstable or fragile condition and one that isn’t (but that may look the same on a chart). In my experience, what we tend to do in those instances is label the condition “high risk”. The problem with this is that it lumps these scenarios in with those where loss event frequency and loss magnitude are high, which erodes management’s ability to prioritize effectively.
At the end of the day, effectively managing any complex set of issues requires an ability to differentiate. These qualifiers have proven to be extremely useful in that regard.
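To make the two qualifiers concrete, here is an added example (my own code, not from the post or from the FAIR methodology) that derives loss event frequency from threat event frequency and vulnerability, tags a scenario as unstable, fragile or neither, and shows what happens to loss event frequency when the qualifier's precondition breaks. The thresholds, the stress factors (tenfold TEF rise; single control failing) and the three scenarios are constructed assumptions.

```python
from dataclasses import dataclass, replace

# Thresholds are constructed for this example, not taken from FAIR or the post.
LOW_TEF, HIGH_TEF = 1.0, 50.0          # threat events per year
HIGH_VULN, LOW_VULN = 0.5, 0.1         # P(threat event becomes a loss event)
SIGNIFICANT_LOSS = 250_000.0           # dollars per loss event

@dataclass(frozen=True)
class Scenario:
    name: str
    tef: float                 # threat event frequency (events per year)
    vulnerability: float       # probability a threat event becomes a loss event
    loss_magnitude: float      # probable loss magnitude per event, in dollars
    effective_controls: int    # independent controls keeping vulnerability low

    def lef(self) -> float:
        """Loss event frequency: the value the chart plots on its frequency axis."""
        return self.tef * self.vulnerability

    def annualized_loss(self) -> float:
        return self.lef() * self.loss_magnitude

def qualifier(s: Scenario) -> str:
    """Apply the post's two qualifiers; 'stable' means neither pattern matches."""
    significant = s.loss_magnitude >= SIGNIFICANT_LOSS
    if significant and s.tef <= LOW_TEF and s.vulnerability >= HIGH_VULN:
        return "unstable"   # low LEF owed entirely to low TEF, not to controls
    if (significant and s.tef >= HIGH_TEF and s.vulnerability <= LOW_VULN
            and s.effective_controls <= 1):
        return "fragile"    # low LEF owed to a single control
    return "stable"

def stressed_lef(s: Scenario) -> float:
    """LEF once the qualifier's precondition breaks: TEF rises tenfold for an
    unstable condition, or the single control fails (vulnerability -> 1.0) for
    a fragile one. Both stress factors are assumptions chosen for illustration."""
    q = qualifier(s)
    if q == "unstable":
        return replace(s, tef=s.tef * 10).lef()
    if q == "fragile":
        return replace(s, vulnerability=1.0).lef()
    return s.lef()

# Constructed scenarios: all three land on about the same chart point
# (LEF roughly once per ten years, loss magnitude $500k) yet differ in kind.
INTERNAL_APP = Scenario("internal records app, no authN/authZ", 0.1, 0.9, 500_000, 0)
SINGLE_LAYER = Scenario("single-layer Internet architecture", 1000, 0.0001, 500_000, 1)
LAYERED = Scenario("same exposure behind three independent controls", 1000, 0.0001, 500_000, 3)

if __name__ == "__main__":
    for s in (INTERNAL_APP, SINGLE_LAYER, LAYERED):
        print(f"{s.name}: LEF {s.lef():.2f}/yr, ALE ${s.annualized_loss():,.0f}, "
              f"qualifier={qualifier(s)}, stressed LEF {stressed_lef(s):.2f}/yr")
```

The annualized loss figures come out nearly identical for all three, which is exactly why the chart alone cannot tell a decision maker that one scenario rests on luck and another on a single firewall.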


Ben May 5
Instead of representing it as a single point, I wonder if there would be a way to reference the point, but then show the deviation, such as via a slope (or curve?) that connects through the point with the + and - on the other ends? If there were such an approach, then that could help better communicate in picture form the risk and its variableness. What do you think? Feasible? Useful? No idea what I’m talking about?
JonesJ May 5
Hi Ben — Excellent observation. You’re right in that there are a number of ways we can illustrate a risk condition — the single point on an x-y chart being one of the simplest (and least descriptive; simplicity being both a blessing and a curse). I’ll cover some alternatives like you described in more depth in coming posts, but management loves “simple” so we have to try to strike the right balance between enough but not too much information for the decision makers. I guess my point was that these qualifiers can be used to help flesh-out an ultra simple risk statement, whether it be graphic or in verbiage.
Thanks,
Jack
Walter May 6
In some ways we’re between a rock and a hard place. If you stress probable loss magnitude, then you’re pushing FUD, if you push threat event frequency, then you are creating a false sense of security.
So, I think Ben is on the right track. We need to represent not the individual metrics but the aggregate of our data. I also think that you’re right: we need to follow the KISS methodology of representation. I look forward to your alternative models for representation.
Chris Hayes May 7
Great post! I would submit that within FAIR (and probably other risk methodologies), the ability to embrace and leverage modifiers is a key differentiator between risk analysts that on the surface may appear to be equally skilled. Effective use of modifiers could negate the need for purposefully “inflating” the risk qualitatively. I have witnessed analysts inflating risk because they did not know how to communicate the unstable or fragile condition – which in return did not allow the business decision maker to make an informed risk decision and increased the operational costs of misapplying resources to:
a. Prioritize mitigation activity when not warranted
b. Increase the time needed to manage the identified risk.
This is no different than going to two separate financial advisers to seek advice on the same stock or fund. The adviser that is going to better qualify the pros and cons of that particular stock or fund and what the opportunity cost is to me as an investor: this is the better advice in my opinion.
Finally, there is one aspect of monetary impact that could also be lumped into the unstable category and that is the length of the “tail” beyond the mean or expected loss. A decision maker may be able to tolerate the risk associated with an UNSTABLE risk condition based off the value of the mean – but not want to take his chances on the 80th (1-in-5) or 95th (1-in-20) percentiles. Thus, an individual may want to prioritize mitigation effort in decreasing the tail.