Risk Models that hide important information

Some people seem to be making life difficult for themselves with risk models such as “Impact * Probability” and as such have lead themselves into all manner of imponderable … since this model hides essential details.

I discuss the CLASSICAL risk equation in my blog

There is a good reason for, no make that MANY good reasons, for separating out the threat and the vulnerability and asset rather that just using “impact”.

Any asset is going to be affected by many

  • threats
  • vulnerabilities
  • controls

Any control will almost certainly address many assets and in all likelihood deal with many threats and vulnerabilities.

Any reasonable approach will try to optimise this: make the controls more effective and efficient by having them cover as many assets, threats or vulnerabilities as possible.

As such, the CLASSICAL risk equation can then be viewed as addressing residual risk – the probability AFTER applying the controls.

So you can’t consider an asset in isolation and you can’t consider a control in isolation or only look at how it affects a single asset. Over optimising for one asset may actually INCREASE your overall risk.

The risk equation also address the probability that a a threat will exploit a vulnerability to cause harm to an asset.

It says nothing about the probability of the threat or the probability of the vulnerability. We can make a good case that the probability that the treat will occur is 1.0 and the probability that there is a vulnerability in the software or system based on experience is also close to 1.0. In a system without controls – e.g a PC ‘raw on the internet’, the risk is high. Time to exploit is measured in minutes.

See, for example, Ron Ferguson’ site http://www.aeroprepare.com/ where he discusses  “Consequence-Based Information Protection”. In some ways this is similar to “Impact”, but Ron’s focus is that the probability of an attack (the threat) 1.0, a certainty.

But the probability the threat can can exploit the vulnerability — which is what we are interested in — depends on your controls. And further, even if it can, the harm it can cause depends on your controls.

I keep saying controls – PLURAL. This is important. It gets back to the MATRIX approach I discuss in my blog.

It’s never ‘just one thing’. There will usually be a ripple effect if you make any changes, apply patches, let time pass so that new exploits can come to be.

I don’t mention in my blog, but yes, that matrix needs to be applied to each of C-I-A, and yes those may change independently.

But reducing the model to simply “impact * probability” hides the details you need to properly address your question.

About the author

Security Evangelist

Leave a Reply