Communicating about risk - part 2


    The trouble with likelihood

    It’s common to see charts similar to the one below used to communicate risk.  On one axis we have Impact, and on the other we have Likelihood.  We’ll save a discussion regarding Impact for another post, but in this post I’d like to point out a couple of subtle but important limitations with the term “likelihood”.

    Likelihood connotes the probability of an event occurring.  In fact, you may see explicit probability ranges assigned to each qualitative label (e.g., “Very High = 90% to 100% probable”).   And, while this seems to be on the right track, there are two problems with it:

    • It often doesn’t include a timeframe reference.  In other words, does the likelihood statement refer to the probability of the event occurring this week, this year, in this lifetime?
    • It doesn’t provide the means to differentiate between something that may happen once vs. something that may happen multiple times.  For example, the statement “The likelihood of a virus infection is Very High” doesn’t say whether the event is likely to happen once or many times.

    These two limitations become critical when we’re trying to quantify and/or compare risk issues.

    Using frequency instead of likelihood, we can account for events that occur many times within the defined timeframe as well as those that occur less than once in the timeframe (e.g., 0.01 times per year, or once in one hundred years).  Of course, this raises the question of how we determine frequency, particularly for infrequent events.  In the interest of keeping this post to a reasonable length, I’ll cover that another time (soon).

    Drawing lines

    You may have seen charts like the ones below, with lines drawn to differentiate High from Medium, etc.

    (NOTE:  Magnitude scales will vary based on the risk capacity/tolerance of the organization)

    These can be useful, but a few challenges I’ve encountered with this approach include:

    • If the risk point falls barely on one side of the line or the other, do the lines really serve a useful purpose, at least from the perspective of being able to assign a qualitative value?
    • Who drew the lines?  At one place I’ve worked, I couldn’t get management to provide guidance on where to draw the lines so I took a stab at drawing them based on what I thought management’s risk tolerance was given their earlier decisions.  This seemed to work okay, as I didn’t experience much push-back from management, but you need to constantly look for evidence that the lines need to be changed.
    • Particularly in larger companies with multiple affiliates or subsidiaries, line placement will vary because each part of the enterprise will have its own risk tolerance.  A “critical” loss at the subsidiary level might be little more than a rounding error at the enterprise level.  I’ve dealt with this by plotting results on two charts: one scaled to the enterprise risk tolerance, and another drawn to the subsidiary’s tolerance.

    Of course, the fact that the point isn’t really a point at all, but the intersection of two ranges or distributions, further reduces the utility of lines.

    I’ve found two ways of charting risk that seem to be well received by management (below).

    (NOTE: These charts were created using Monte Carlo analyses within FAIR-based applications)

    My preference is the scatter plot, which does a nice job of visualizing the uncertainty that is a part of any risk analysis.  A couple of things to note:

    • No lines have been drawn to label the result “High”, “Medium”, etc.
    • I haven’t used a green-to-red background on the charts.

    I will use those illustrative tools if requested by management, but I tend not to use them otherwise.  Besides the challenges I noted above regarding lines, my rationale is that lines and colors tend to bias interpretation of the results.  In other words, if someone sees a risk point plotted on a red background or in the “High” section of the chart, they equate those results with “unacceptable”.  The fact is, the acceptability of a risk condition is often dependent on the value proposition of the situation, the cost to mitigate the risk, etc.  I’ve found management is intelligent enough to know that the upper-right part of the chart means more risk than the lower-left.
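    As an added illustration (not the post’s own tooling, and a simplification of FAIR rather than its implementation), the Python below does two things the post discusses: it converts an annual frequency into a probability for a stated timeframe, showing why a likelihood label without a timeframe is ambiguous, and it runs a small Monte Carlo over calibrated min/most-likely/max estimates to produce the frequency-versus-magnitude points a scatter chart like the ones above would plot. Poisson arrivals, triangular distributions and the virus-infection numbers are assumptions made for the example.

```python
import math
import random

def prob_at_least_one(freq_per_year, years):
    """Probability of at least one event within `years`, assuming events
    arrive as a Poisson process at `freq_per_year` (assumption for illustration)."""
    return 1.0 - math.exp(-freq_per_year * years)

def min_frequency_for_probability(prob, years):
    """Smallest annual frequency at which P(>=1 event in `years`) reaches `prob`:
    the same 'Very High' label maps to very different frequencies as the timeframe changes."""
    return -math.log(1.0 - prob) / years

def draw_estimate(estimate, rng):
    # estimate = (minimum, most likely, maximum) from a calibrated estimator;
    # a triangular distribution is an assumption made purely for illustration
    low, mode, high = estimate
    return rng.triangular(low, high, mode)

def simulate(freq_estimate, magnitude_estimate, iterations=10000, seed=1):
    """Monte Carlo: each iteration draws an annual loss-event frequency and a
    per-event loss magnitude; returns (frequency, magnitude, annualized loss)
    points, i.e. the cloud a scatter chart plots."""
    rng = random.Random(seed)
    points = []
    for _ in range(iterations):
        f = draw_estimate(freq_estimate, rng)
        m = draw_estimate(magnitude_estimate, rng)
        points.append((f, m, f * m))
    return points

def summarize(points):
    """The min / average / max (plus 90th percentile) view of annualized loss."""
    losses = sorted(p[2] for p in points)
    n = len(losses)
    return {"min": losses[0], "avg": sum(losses) / n,
            "p90": losses[int(0.9 * n)], "max": losses[-1]}

if __name__ == "__main__":
    # Constructed numbers: infections 2 to 12 times a year (most likely 5),
    # costing $500 to $20,000 per event (most likely $2,000)
    pts = simulate((2, 5, 12), (500, 2000, 20000))
    print(summarize(pts))
    print(f"P(>=1 event this year) = {prob_at_least_one(5, 1):.3f}")
    print(f"frequency needed for 90% in 1 year: {min_frequency_for_probability(0.9, 1):.2f}/yr; "
          f"in 100 years: {min_frequency_for_probability(0.9, 100):.4f}/yr")
```

    Note that a frequency of about 2.3 per year is needed for a 90% chance of at least one event in a year, but only about 0.023 per year over a century: the same qualitative label hides a hundredfold difference.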


  • 9 comments

    1. rybolov May 20

      Hiyas!

      This is good, but in order for me to use this, what I need is an overlay with all of my risks at the same time so that I can prioritize where my money goes–I only have so much, you know… =)

      But you guys knew all that, I’m just providing the segue for you.

    2. Walter May 21

      Rybolov,

      You may wish to hold off on going for that money until you cover the topic that was saved for another post.

      Impact.

      If Impact is high, even if likelihood is low, that might be a higher priority for those rare coins you’re needing to spend.

      Remember that you want to mitigate risk on the basis of likelihood, impact, frequency (which is not the same as likelihood though there is a correlation), and tolerance.

    3. JonesJ May 21

      @Rybolov - Thanks for setting me up so nicely ;-). You’re right, of course. In order to prioritize we have to be able to identify which issues are driving the most risk into our overall risk landscape. Unfortunately, a real discussion of how to do this will have to wait. Briefly, you have to identify the relevant threat communities and the relevant assets. Then you have to map threat event frequency from each threat community against the assets, define expected threat capabilities and control strengths, as well as the expected impact magnitudes (as Walter said). Non-trivial, to say the least, but doable.

    4. bob May 26

      hi, very interesting. Can you provide more details on how this chart was made? How did you get the scatter? Were you manually providing estimates?

    5. Alex May 26

      Hi Bob,

      Jack may be out of band for a bit, so I’ll take a stab at answering for you. I’m not sure if Jack was showing an actual analysis or if this was just developed for demonstration purposes, but I can share with you how we’ve worked in the past.

      We use FAIR as a model with subject matter estimates/measurements, based on past experience/data. We try to help “calibrate” the measurement with techniques from Hubbard. These estimates are used to create various distributions, and Monte Carlo simulations are used to create the scatter plot or “min/average/max” graphs.

      You can check out the FAIR wiki and Basic Risk Assessment Guide at the links on the side of this page. Reading through these along with what I’ve described above should give you an idea as to how we use the model.

    6. bob May 26

      Thanks for the info, I’ll take a look.

    7. Jan May 31

      Thanks for an informative post. Albeit I am in favour of using quantitative risk analysis for decision support, the pitfall is where to draw the line between acceptable and not acceptable risk. To me, any decision about risk should be a “political” decision, that is viewed from the point of which outcome am I willing to face or not, regardless of the numbers and regardless of whether it falls above or below the loss threshold.

    8. JonesJ Jun 6

      @Jan — You’re absolutely right. Ultimately, the decision boils down to a subjective and oftentimes political decision. Quantification is simply intended to support a more well-informed decision.

      Thanks,
      Jack

    1. Interesting Information Security Bits for June 6th, 2008 « Infosec Ramblings
