Rhand Leal
September 29, 2020
Think of a circus juggler balancing dishes, bowls, and other flat objects on sticks. He needs to pay constant attention so as not to let them fall, rotating them at sufficient speed and at the right time.
This situation is similar to managing investments in security, where the juggler is the organization, the rotating objects are the risks, and the action of rotating them refers to the resources invested.
By understanding the rotating dishes situation, the equivalent of analyzing the risks, the juggler can decide on the order in which he needs to work on them, and the necessary speed to apply to each one of them, so none of them fall (i.e., the risks do not occur).
In this article, we will use the juggler analogy, and how he keeps the objects rotating, to explain how to prioritize risks through risk quantification.
This first analogy leads us to some of the benefits of security investment prioritization:
– more efficient allocation of people, processes, and budget: prioritization helps organizations invest only the resources required to handle risks – no more, no less.
– increased focus around the risks that matter most: prioritization gives employees guidance on what the organization sees as important.
– increased success rate: with risks treated according to their criticality, the chance of their occurrence is lessened, as well as their chance of negatively impacting the organization’s objectives and expected outcomes.
First, it is important to note that risk value can be expressed in qualitative or quantitative form.
In the qualitative form, risks are valued based on the perceptions of those analyzing them, and perceptions can be biased, which makes it difficult to use them outside the context in which they were analyzed.
On the other hand, when we talk about risk quantification, we mean defining the value of risk based on verifiable data and calculations, and this is important because it allows verification, comparison, and reduction of the bias effect. That’s why quantitative risk is often used when defining security investment.
Returning to our analogy, balancing objects on sticks is basically the application of physics (the gyroscopic effect), which involves rotation speed and direction, regardless of the object used. By analyzing both speed and direction of objects, the juggler is able to balance any kind of object.
The ISO definition for risk according to the ISO Guide 73, which defines the vocabulary for risk management, is: “the effect of uncertainty on objectives.”
Considering that, the variables most used to quantify risks are likelihood and impact. Normally, quantified risk is expressed in monetary values, as it facilitates understanding of a specific risk by the whole organization, and because it makes the evaluation of the required security investment quicker.
To reach a monetary result, quantitative risk assessment often makes use of these concepts:
SLE (Single Loss Expectancy): money expected to be lost if the incident occurs one time.
ARO (Annual Rate of Occurrence): how many times in a one-year interval the incident is expected to occur.
ALE (Annual Loss Expectancy): money expected to be lost in one year considering SLE and ARO (ALE = SLE * ARO). For quantitative risk assessment, this is the risk value.
Below is an example of how risk values are calculated through quantitative risk assessment:
Database value: USD 2.5 million (SLE)
Manufacturer statistics indicate that a catastrophic database failure (due to software or hardware) occurs once every 10 years (ARO = 1/10 = 0.1).
ALE = 2.5 * 0.1 = USD 250K
In short, the organization has an annual risk of suffering a loss of USD 250K in the event of the loss of its database. So, any security investment that costs less than this value would be profitable.
When you perform this calculation for all the risks the organization considers unacceptable, you will have a list whose ALE values add up to the total expected security investment.
Although the use of quantified risks to prioritize security investment may seem quite straightforward, i.e., allocating resources to the higher risks, an organization also needs to take into account issues like:
– What is the sum of the values to be invested related to higher risks that have a higher probability of occurrence?
– What is the sum of the values to be invested related to lower risks that have a higher probability of occurrence?
– Is the return on security investment to be evaluated in the short, medium, or long term?
There is no correct answer for these questions because they will depend on the organization’s objectives and risk appetite. For example:
– If the security investment is to be evaluated in the short term, maybe there is no point in making big investments on higher risks with a low probability of occurring, and it is better to ensure that higher-probability risks are treated.
– If the security investment is to be evaluated in the long term, the sum of losses due to the occurrence of lower risks, even with implemented controls, may be acceptable, because preventing the higher risks will increase market confidence in the business, thereby increasing revenue.
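The ALE calculation above, and the two "sum of the values to be invested" questions, as an added example in Python (this is not code from the original article or from its author). The risk register is constructed and its values are illustrative; only the first entry reproduces the article's database example, and the thresholds are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # Single Loss Expectancy: USD lost per occurrence
    aro: float  # Annual Rate of Occurrence: expected occurrences per year

    @property
    def ale(self) -> float:
        # Annual Loss Expectancy = SLE * ARO; this is the quantitative risk value
        return self.sle * self.aro


# Constructed sample register (illustrative values, not from any real organization).
# The first entry is the article's own example: USD 2.5M database, one failure per 10 years.
SAMPLE_RISKS = [
    Risk("database catastrophic failure", sle=2_500_000, aro=0.1),
    Risk("ransomware on file server", sle=400_000, aro=0.5),
    Risk("lost unencrypted laptop", sle=50_000, aro=2.0),
    Risk("office flooding", sle=1_000_000, aro=0.02),
]


def rank_by_ale(risks):
    """Order risks from highest to lowest annual loss expectancy (the prioritization list)."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def expected_investment(risks, acceptable_ale):
    """Sum of ALE over the risks the organization considers unacceptable.
    Per the article, this sum is the total expected security investment."""
    return sum(r.ale for r in risks if r.ale > acceptable_ale)


def is_profitable(risk, annual_control_cost):
    """Article's rule: a control costing less than the ALE it addresses is profitable.
    Note the comparison is per year, so the control cost must be annualized too."""
    return annual_control_cost < risk.ale


def ale_sum(risks, min_ale, min_aro):
    """Answer the article's questions: total ALE of risks at or above a risk value
    (min_ale) AND at or above a likelihood (min_aro), e.g. 'higher risks with a
    higher probability of occurrence'. Use min_ale=0 for 'lower risks' as well."""
    return sum(r.ale for r in risks if r.ale >= min_ale and r.aro >= min_aro)
```
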
Risk treatment is something organizations cannot postpone, because customers and society are becoming less and less accepting of those who do not treat risk properly.
On the other hand, the number of risks by far outweighs the available resources of any organization, so organizations need to search for ways to invest their resources wisely.
By understanding how risks affect the organization, and using proper data, quantifying risk can be of great use to drive security investments according to business objectives.
Here you can learn how to make your investment in ISO 27001 profitable. To calculate return on security investment, you can use our free ROSI calculator.