Are we too simplistic in how we think about risk?

Yesterday I had a fascinating meeting where we discussed a number of theoretical concepts, including how we think about risk. Risk, of course, should be the driver in everything we do in information security, and risk management should be the discipline that guides us.

The problem with risk is that it is a very nebulous concept. Humans, and those of the management persuasion in particular, need more detail to make decisions. Consequently, we have methods for quantifying risk, such as the annualized loss expectancy (ALE) formula:

ALE = SLE * ARO

where SLE is the Single Loss Expectancy, the cost of a single loss event, and ARO is the Annualized Rate of Occurrence, the expected number of loss events per year. Note that ARO is a rate, not a probability: an event expected twice a year has an ARO of 2, while a once-a-decade event has an ARO of 0.1. Together they give the ALE, the expected cost per year, in dollars, of a given risk.

The problem with thinking about risk solely in terms of the ALE is that it is far too simplistic. In another article I am working on, I am developing the idea that any mitigation we implement changes the thing we are securing. In other words, we also need to consider the impact of mitigating a risk item, not just the risk itself.

There are two ways mitigation measures impact us. The first is the cost to implement the mitigation itself. Ideally that cost should be certain, so let us call the cost Cm.

The second way the mitigation impacts us is through its side-effects. For example, if you require anti-virus software on all computers, those computers may slow down, impacting productivity. There is only a chance that this will happen, so we also need a probability factor. Let us call the (annualized) cost of the side-effect Sm and the probability that it occurs Ps.

Putting all that together, we get a risk equation that looks like this:

Risk = SLE*ARO - [Cm + Sm*Ps]

This takes into account the cost of actually doing something about the risk. Read as a net figure: a positive result means the mitigation averts more loss per year than it costs, and a negative result means we would be better off accepting the risk. Two things are implicit in the equation as written: it assumes the mitigation eliminates the loss entirely, and it assumes Cm and Sm are expressed per year, so that they are in the same units as the ALE. It says nothing, of course, about how we develop the measurements, nor about what is acceptable and what is not. Those items, as they say, are topics for further research.
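To make the arithmetic concrete, here is a small Python model of the two equations above. It is an added example, not code from the original article. It goes slightly beyond the post's equation by giving each mitigation an assumed "effectiveness" fraction (the share of the ALE it removes), so that partial mitigations can be compared side by side; with effectiveness 1.0 it reduces exactly to Risk = SLE*ARO - [Cm + Sm*Ps]. The risk and mitigation figures are constructed for illustration and are not from the article.

```python
"""Worked example of ALE and the extended risk equation.

Added example, not from the original article. The 'effectiveness'
field is an assumption added here: the fraction of the ALE a mitigation
removes. With effectiveness = 1.0 the net benefit is exactly the post's
Risk = SLE*ARO - [Cm + Sm*Ps]. All dollar figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # Single Loss Expectancy: dollars per loss event
    aro: float  # Annualized Rate of Occurrence: expected events per year

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        if self.sle < 0 or self.aro < 0:
            raise ValueError("SLE and ARO must be non-negative")
        return self.sle * self.aro


@dataclass(frozen=True)
class Mitigation:
    name: str
    cm: float                   # Cm: annualized cost to implement, dollars
    sm: float                   # Sm: annualized cost of the side-effect if it occurs
    ps: float                   # Ps: probability the side-effect occurs, 0..1
    effectiveness: float = 1.0  # assumed fraction of ALE removed, 0..1

    def __post_init__(self) -> None:
        # Ps and effectiveness are fractions; reject anything outside [0, 1]
        # so a typo like "25" for 25% cannot silently dominate the result.
        for label, value in (("Ps", self.ps), ("effectiveness", self.effectiveness)):
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{label} must be in [0, 1], got {value}")

    def total_cost(self) -> float:
        """The bracketed term of the post's equation: Cm + Sm*Ps."""
        return self.cm + self.sm * self.ps


def net_benefit(risk: Risk, mitigation: Mitigation) -> float:
    """Averted annual loss minus the mitigation's annual cost.

    averted = ALE * effectiveness (ALE before minus ALE after).
    With effectiveness == 1.0 this is exactly SLE*ARO - [Cm + Sm*Ps].
    Negative means the mitigation costs more than the loss it averts.
    """
    averted = risk.ale() * mitigation.effectiveness
    return averted - mitigation.total_cost()


def rank_mitigations(risk: Risk, mitigations: list) -> list:
    """(name, net_benefit) pairs, best first, with 'do nothing' as the 0 baseline."""
    scored = [(m.name, net_benefit(risk, m)) for m in mitigations]
    scored.append(("do nothing", 0.0))
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample figures (not from the article): a workstation malware
# outbreak costing $50,000 per event, expected about once every two years.
WORKSTATION_MALWARE = Risk("workstation malware outbreak", sle=50_000, aro=0.5)

CANDIDATES = [
    # The post's own example: AV slows machines down some of the time.
    Mitigation("endpoint anti-virus", cm=8_000, sm=12_000, ps=0.25, effectiveness=0.8),
    # Stronger control, but a good chance it blocks legitimate software.
    Mitigation("application allowlisting", cm=15_000, sm=30_000, ps=0.5, effectiveness=0.95),
    # Eliminates the risk with no side-effect, but costs more than the ALE.
    Mitigation("full workstation replacement", cm=40_000, sm=0, ps=0.0, effectiveness=1.0),
]

if __name__ == "__main__":
    print(f"ALE of '{WORKSTATION_MALWARE.name}': ${WORKSTATION_MALWARE.ale():,.0f}/yr")
    for name, value in rank_mitigations(WORKSTATION_MALWARE, CANDIDATES):
        print(f"  {name:30s} net benefit ${value:>10,.0f}/yr")
```

Running it shows the point of the extended equation: the "strongest" control (allowlisting) ranks below doing nothing once its side-effect is priced in, and the only mitigation with no side-effect at all is ruled out by Cm alone. Only the anti-virus option comes out ahead of accepting the risk.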