Channel: Comments on: Why the “Risk = Threats x Vulnerabilities x Impact” Formula is Mathematical Nonsense

By: Scott Palmer

Jeff,

I stumbled on this posting in support of my argument that the formula that many depend on is complete nonsense! It amazes me how many rely/depend on this formula when they don’t realize the values they are putting in are just theories and opinions, and two teams assessing the same environment can often come up with differing results and opinions.


By: Roberto

Very interesting discussion. My 2-cent contribution is: in a number of standards the notion of risk is associated with a combination of impact and likelihood; the names may change, but the concepts are these. This approach derives from the Safety community's approach; the problem is that cybersecurity absolutely does not have the data available to Safety, therefore the estimation of likelihood is over-subjective. Provocatively, can't we get rid of that dimension and consider consequences only?
Thanks

By: Sabuz

I want to divide the concept into two individual parts:

Risks & Impact
and to define these things for an action plan, it should be formulated with this formula:

threats + vulnerabilities = Risk ≤ Impact

Risks - A source of danger; a possibility of incurring loss or misfortune

Threats - Something that is a source of danger
Vulnerabilities - The state of being vulnerable or exposed
Impact - A forceful consequence; a strong effect

Suppose we want to count or address/define the risk of an electric fire in an apartment or a property.

Impact is what happens after the fire (e.g. what has burnt, how much damage to the property or life, etc.).

We want to think about or measure the risk to take precautions or action,
so to know this we need to know the vulnerabilities and threats, and these two things together tell you how much risk you are in. It can be more or equal.

Like if you take a scale of 20 units and you measure the risk.

If the apartment is fully fire equipped,

threats + vulnerabilities = Risk ≤ Impact
3 + 3 = 6 ≤ 20, or Risk is 6 ≤ 20

By: Scott

The primary problem with any risk formula is the identification and quantification of likelihood. You have to have direct access to the potential adversary, and some relatively controversial psychoanalysis models to begin that determination.

For instance, in the Philippines the government requires that all applicants for gun permits take a series of psychological tests, primarily the House-Tree-Person test. They use the analysis of the results as a dominant factor of whether to issue a gun permit. They are essentially quantifying the threat.

Similarly, criminal justice is starting to use a psychological model to assess the probability of recidivism and set harsher sentences for those determined as least likely to be quality citizens.

If you accept the science, then this is a great way to determine and mitigate insider risks. It doesn’t have any validity for an actor or adversary that does not submit to the tests. This is where the R=TxVxI model is still valuable in communicating relative risks of different factors.

By: JoeBlow

Presenting or outlining a problem without a solution is workplace no-no 101. I don’t see you providing a solution except possibly complaining about a flawed mathematical equation. I agree with Henry: it allows us to measure risk in some quantifiable way for the real-world problem.

High-horse math essays that pontificate have zero value for boots on the ground.

I like the formula because I’m not trying to build a safe 100-storey skyscraper. I’m trying to quantify something for execs that otherwise can’t be, and saying we can’t quantify the risk would get you thrown out of a board room for yapping gibberish. Solutions are better than complaining.

By: waleed afifi

By: Phil Wilson

Hear, hear, Jeff!

We fully agree, and this is another case in point for our view that many, if not most, risk assessment methods need to be tossed and/or fully re-engineered.

Best regards to you, and thanks, everyone, for adding your own thoughts too!
Phil

By: Ryburn Ross

Henry has it right: it’s a mathematical model for determining risk in indeterminate environments, i.e. it’s an approach you use if you don’t have concrete data. Lacking the number of incidents or the financial impact of incidents, for instance, a risk equation requiring this data, such as an ALE model, breaks down. An ALE model is also single-scale dependent for the consequence, in this case financial impact. Again, the model breaks down if you’re interested in modeling something more abstract, like impact to public profile from an adverse incident.

All models are limited, and only as good as the input values and scales applied. R=CVT is a modeling approach to provide flexibility in modeling risk, nothing more. Another way to think of it: if C, consequence, is captured in terms of financial impact, V, vulnerability, is captured as the likelihood of an incident succeeding, and T, threat, is captured as a function of the frequency of incidents, you’ve basically devolved the equation into ALE. This is exactly what most organizations using the “risk equation” do once they have the data they need. Performing an assessment with qualitative data as due diligence at the start of an assessment program is better than just jumping in blindly without a concept of where your areas of concern are. It can be illuminating.

As to the “single security threat”, that’s what pairing matrices are for. A single threat can exploit multiple vulnerabilities. A single control implementation can reduce multiple vulnerabilities. Pairing effectiveness factors can be used to reflect subjective impacts (i.e. a parasol will work to reduce a vulnerability to getting wet, but an umbrella will be far more effective).
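The devolution of R = C x V x T into an annualized loss expectancy that the comment above describes, together with a threat/vulnerability pairing matrix carrying control-effectiveness factors, worked through as an added Python example. This is not code from the original post or from any commenter; the threats, vulnerabilities, attempt frequencies, loss figures and the MFA control are constructed assumptions for illustration only.

```python
"""Added example (not code from the original post or any commenter): the
R = C x V x T "risk equation" computed with real-valued inputs, where it
collapses into an annualized loss expectancy (ALE = SLE x ARO), plus a
threat/vulnerability pairing matrix with control-effectiveness factors.
All names and figures below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    attempts_per_year: float  # T: observed or estimated attempt frequency


@dataclass(frozen=True)
class Vulnerability:
    name: str
    p_success: float          # V: probability that one attempt succeeds (0..1)
    loss_per_incident: float  # C: single loss expectancy (SLE), in currency


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # Pairing effectiveness factor per vulnerability: fraction of that
    # vulnerability's p_success the control removes (0 = none, 1 = closed).
    effectiveness: Dict[str, float]


# Constructed sample data for a hypothetical environment.
THREATS: Dict[str, Threat] = {
    "phishing": Threat("phishing", attempts_per_year=200.0),
    "scanner": Threat("opportunistic scanner", attempts_per_year=1000.0),
}
VULNS: Dict[str, Vulnerability] = {
    "reused_credentials": Vulnerability("reused_credentials", 0.02, 50_000.0),
    "unpatched_vpn": Vulnerability("unpatched_vpn", 0.005, 250_000.0),
}
# Pairing matrix: which threat can exploit which vulnerability. One threat
# maps to several vulnerabilities, and one vulnerability to several threats.
PAIRS: List[Tuple[str, str]] = [
    ("phishing", "reused_credentials"),
    ("scanner", "reused_credentials"),
    ("scanner", "unpatched_vpn"),
]
# Hypothetical control: MFA removes 90% of the credential-reuse exposure.
MFA = Control("mfa", annual_cost=40_000.0,
              effectiveness={"reused_credentials": 0.9})


def residual_p_success(vuln: Vulnerability, controls: Sequence[Control]) -> float:
    """Apply every control's effectiveness factor for this vulnerability."""
    p = vuln.p_success
    for ctl in controls:
        p *= 1.0 - ctl.effectiveness.get(vuln.name, 0.0)
    return p


def pair_ale(threat: Threat, vuln: Vulnerability,
             controls: Sequence[Control] = ()) -> float:
    """R = C x V x T with C in currency, V a probability and T a frequency.

    With those units the product is exactly ALE = SLE x ARO, where
    SLE = C and ARO = T x V (attempts per year times P(success))."""
    return (vuln.loss_per_incident * threat.attempts_per_year
            * residual_p_success(vuln, controls))


def total_ale(pairs: Sequence[Tuple[str, str]] = PAIRS,
              controls: Sequence[Control] = ()) -> float:
    """Sum ALE over every threat/vulnerability pairing in the matrix."""
    return sum(pair_ale(THREATS[t], VULNS[v], controls) for t, v in pairs)


def control_net_benefit(candidate: Control,
                        baseline: Sequence[Control] = ()) -> float:
    """ALE reduction from adding one control, minus its annual cost.

    A positive value means the control pays for itself on this model."""
    before = total_ale(PAIRS, baseline)
    after = total_ale(PAIRS, list(baseline) + [candidate])
    return (before - after) - candidate.annual_cost


def ordinal_risk(c: int, v: int, t: int) -> int:
    """The qualitative form with 1..5 ordinal inputs. The product only ranks
    pairings to decide where to collect real data first; it has no unit."""
    for x in (c, v, t):
        if not 1 <= x <= 5:
            raise ValueError("ordinal inputs must be in 1..5")
    return c * v * t


if __name__ == "__main__":
    for t, v in PAIRS:
        print(f"{t:>9} x {v:<19} ALE = {pair_ale(THREATS[t], VULNS[v]):>12,.0f}")
    print(f"total ALE without MFA: {total_ale():,.0f}")
    print(f"total ALE with MFA:    {total_ale(PAIRS, [MFA]):,.0f}")
    print(f"MFA net annual benefit: {control_net_benefit(MFA):,.0f}")
```

The same `pair_ale` function serves both readings of the equation: feed it ordinal 1..5 scores and you get the ranking aid the comment calls a qualitative assessment; feed it a frequency, a success probability and a currency loss and the result is an ALE in currency per year that can be set against a control's cost. The pairing matrix is what keeps a single control (here MFA) from being credited against vulnerabilities it does not touch, such as the unpatched VPN.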


By: Tom Olzak

[sigh…] It’s just a teaching model, useful for showing the relationships between the risk elements. Other methods of qualitative analysis are used when actually conducting an assessment, but this simple formula is a great introduction to the elements of risk.

By: Clint

Hi there,

How about this:

CR = i x (v+c)L/t

i = impact
v+c = vulnerability + control effectiveness
L = likelihood
t = time
CR = cyber risk
