Immediate Vault

Measuring Risk: The AMIS Algorithm

(Joseph E. Henderson, CSP, is IT Specialist at the Office of Information Technology for the Department of Veterans Affairs.)

Everyone uses risk management daily. Sometimes the measurement is obvious, such as the threat posed by a speeding train. The hazard is naturally greater outside the train: those inside have some vulnerability, but it is mitigated to an extent by the professional operators and mechanisms that control the train. So your risk is lower inside the train than outside it. This is an example of mitigating risk through professional regulation of a system or environment.

How do we measure the actual probability of exposure to real-world liabilities and threats, as balanced against presumed or assumed liabilities? Flying is actually a very low-risk scenario when logically examined, while some would say driving is a much more dangerous means of travel. So assumed or presumed threats are not always valid concerns.

Can we balance against the actual risk of exposure? In some cases the equation is forced into the highly probable range: some IT systems receive daily releases intended to defend the system and its data.

On the other hand, examination of other platforms or software could show that they are much less likely to fall victim, and the equation is weighted in the opposite direction. Balanced against actual probability, the risk may not exist to be mitigated. Overkill or misdirection of resources can result from over-examination of security exposure where little or no exposure exists.

Below is the AMIS (Accurately Measure Information Security) Algorithm:

The formula is (X + Y) x Z = R, where:

X = Risk of attack, which is developed from actual attack figures supplied by industry. Ranked 1 through 10, where 10 would mean very likely to be attacked or actual attacks take place daily. A zero would indicate no attacks have ever taken place.

+

Y = Number of evasive maneuvers required to divert attack (i.e., firewalls and anti-malware). Ranked 1 through 10, where 10 is a heavy concentration of necessary defense measures. A zero would indicate none are required.

x (multiply)

Z = Value of data to be protected. Is there personal or valuable information to be secured? We may say a value of 5 if populated with personal or valuable information. On the other end of the spectrum, a value of zero would be given in the absence of personal or valuable information.

=

R = Result or risk, given that a maximum number of 100 is high risk and zero would be no risk at all.

Example 1. Undefended personal computer risk exposure (10+10)x5 = 100

X = 10 (multiple daily attacks are likely)
Y = 10 (undefended systems are probed and attacked within seconds of internet connection)
Z = 5   (personal information stored on the device)

R = 100 “High Risk”

Example 2. Undefended LAN switch risk exposure (1+2)x0 = 3

X = 1 (little or no exposure to attack)
Y = 2 (little, if any, ability to attack a LAN switch device except perhaps to corrupt a configuration)
Z = 0 (no capability to capture or store personal/valuable information)
R = 3 (extremely low risk)

A higher number reflects that more security is required.

• 100 <- The risk is high, so extra measures are warranted.
• 90
• 80
• 70
• 60
• 50
• 40
• 30
• 20
• 10 <- The risk is slight, so we may refocus our efforts on other, more vulnerable areas.

An attempt to protect everything, even that which requires little or no protection, is not cost effective.
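The formula and scale above, applied to a small asset inventory so that effort is metered by measured risk. This is an added example, not code from the article or the author; the band cut-offs (70 and 30), the `Asset` class and the "patched file server" scores are assumptions, and note that the LAN switch of Example 2 computes to 0 rather than 3, as the author confirms in the comments below.

```python
# Added example (not from the article): AMIS, (X + Y) x Z = R, with the
# article's score ranges, ranked over an inventory to meter defensive effort.
from dataclasses import dataclass

X_MAX, Y_MAX, Z_MAX = 10, 10, 5   # ranges given in the article (0..10, 0..10, 0..5)


@dataclass(frozen=True)
class Asset:                      # hypothetical container for one scored asset
    name: str
    x: int   # risk of attack, from industry attack figures
    y: int   # number of defensive measures required
    z: int   # value of the data held


def amis_risk(x: int, y: int, z: int) -> int:
    """Compute R = (X + Y) x Z, rejecting scores outside the article's ranges."""
    for label, value, top in (("X", x, X_MAX), ("Y", y, Y_MAX), ("Z", z, Z_MAX)):
        if not isinstance(value, int) or not 0 <= value <= top:
            raise ValueError(f"{label} must be an integer in 0..{top}, got {value!r}")
    return (x + y) * z


def risk_band(r: int) -> str:
    """Map R onto the article's 0..100 scale. The cut-offs are assumptions;
    the article itself labels only 100 as high and 10 as slight."""
    if r >= 70:
        return "high: extra measures are warranted"
    if r >= 30:
        return "moderate: defend in proportion"
    return "slight: refocus effort elsewhere"


def meter_effort(assets):
    """Rank assets by R, highest first, so effort follows measured risk."""
    scored = [(amis_risk(a.x, a.y, a.z), a) for a in assets]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return [(a.name, r, risk_band(r)) for r, a in scored]


# Constructed inventory: the article's two examples plus an assumed third asset.
INVENTORY = [
    Asset("undefended personal computer", x=10, y=10, z=5),   # article's Example 1
    Asset("undefended LAN switch", x=1, y=2, z=0),            # article's Example 2
    Asset("patched file server (assumed scores)", x=6, y=4, z=5),
]

if __name__ == "__main__":
    for name, r, band in meter_effort(INVENTORY):
        print(f"{r:3d}  {name}: {band}")
```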

Data center security of the core operating systems could be increased by several orders of magnitude, making them individually and collectively a virtual data Fort Knox, by enabling the entire security suite available under most C2 (or higher) certified operating systems. The result could be a net risk deficit, where intrusion is extremely unlikely.

AMIS says measure the risk and meter the effort.


5 thoughts on “Measuring Risk: The AMIS Algorithm”

  1. Quite right,

    The measure would be a mathematical ‘0’, as would the risk. An attempt to defend something which has little or no value would be a waste of resources. That is why value is more important than previous attacks or the array of defenses.

    Thanks for reading the article,

    Joe

  2. Refreshing!!!

    “An attempt to protect everything, even that which requires little or no protection, is not cost effective.” – Joe Henderson

    Thanks Joe for adding another creditable source to this philosopher’s knowledge-base.

  3. Joe,

    Great article. How would you alter this if considering risk for something such as an adventurous activity?

    Best regards

    Mark

  4. Hi Mark,
    Excellent question, pertaining to adaptation of the same reference points to other activities. The basic components are:
    1. Has it ever happened before?
    2. Have you or anyone else anticipated the event/occurrence and attempted to intervene by physical, environmental, or technical means?
    3. Value – This is the pivotal component.

    Let’s look at the prudent mountain climber. They attempt to mitigate the innate hazard of the climb by means of safety mechanisms which have proven to be effective. Ropes, pitons, shoes and correct clothing all feed the same rule.

    X = 10 (Extreme hazard; many have failed, but many have succeeded)
    Y = 10 (Safety equipment is required, as has been proven, and is available to be assessed prior to exposure to the hazard; different climbs require different gear)
    Z = 5 (Highest possible value, as a life may be at risk)

    (10+10)x5 = 100 (Maximum risk potential)

    The same rule applied to a walk in a local park would show much less hazard.

    X = 1 (Little if any hazard, if research shows no meaningful harm has ever occurred in the park)
    Y = 1 (No special equipment may be warranted, beyond that which protects you from the elements)
    Z = 1 (The value of a walk in the park, in psychological or physical benefits, may indicate you gain more than you risk)

    (1+1)x1 = 2 (Extremely low risk)

    Obviously these are diametrically opposed scenarios, used as an example. It does, however, indicate the obvious value of research in developing a strategy of approach to any event or circumstance.

    Thanks for the question,

    Joe
