Tuesday, August 14, 2018

Mixed Method Risk Analysis

Some people approach risk analysis from either a qualitative or a quantitative methodology. However, both are needed for truly enlightened decision making. The term “Mixed Methods” is taken from social science research and is particularly appropriate here. It is not enough to base risk analysis solely on the numbers, and it is not enough to merely gather opinions. Both need to be considered, along with a reasonable assessment of the probabilities and an appreciation of the risk appetite, not only for the risk event itself but also for its follow-on events. That last point requires that we consider what the implications of the risk event are: things like public opinion, staff morale, and market volatility.

Many people assume that risk analysis is merely a specialization of cost/benefit analysis. That view lends itself to a quantitative approach. How much is the asset worth? What will the down-time cost us? How often will the risk event happen? Punch these values into an equation, and *poof* a magic number. While there is value for such numbers when determining budgets, they miss out on very important details. Would your brand suffer if an event (say, a data breach) occurred? What would it cost you to repair that brand damage? How long would that take? How tightly are sales coupled with public opinion? Failure to ask such questions may lead to a risk mitigation strategy that, while defensible, may not be adequate.

Risk analysis should begin with a survey of key stakeholders to determine the perceived risks and what the impacts of those risks are (some include this in risk assessment). Once a complete list is established, it is circulated again to determine the perceived likelihood of each risk and the appetite for its expected impacts. The likelihood of certain risks, such as fire or theft, can be validated through enquiries made at local public records offices. The list of risks can then be sorted by likelihood and by the appetite for the potential impacts. Even if a risk is highly unlikely, it may be worth mitigating if the appetite for one or more of its impacts is null.

There are generally two approaches to budgeting for risk mitigation: “Here’s your budget, do what you can” and “Tell me what you need and we’ll discuss it.” The first is somewhat easier, as the initial boundaries are known. The latter is more time consuming, as it requires digging into the details of all identified risks, and it is often followed by “Oh, uhm, what can you do for ____ dollars?” In either case, it is the job (and responsibility) of the security professional to ensure that management knows which risks can be mitigated within the available budget and which cannot. This is why Mixed Methods research is the correct approach to use in Risk Analysis.
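As an added illustration (not part of the original post), here is a small Python risk register that carries the argument above through: a pure annualised-loss ranking beside a mixed ranking in which surveyed likelihood, impact appetite, and a null-appetite override decide priority, plus the two budgeting approaches. All risk names, values and costs are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Risk:
    name: str
    asset_value: float       # quantitative: value of the asset exposed
    downtime_cost: float     # quantitative: cost of the outage per event
    annual_rate: float       # quantitative: expected events per year
    likelihood: int          # qualitative: surveyed 1 (rare) .. 5 (expected)
    appetite: Optional[int]  # qualitative: tolerance for worst impact 1..5; None = no appetite at all
    mitigation_cost: float   # what it would cost to mitigate this risk

    def ale(self) -> float:
        # Annualised loss expectancy: the purely quantitative "magic number"
        return (self.asset_value + self.downtime_cost) * self.annual_rate

    def priority(self) -> tuple:
        # A null appetite makes mitigation mandatory regardless of likelihood;
        # otherwise rank by how far surveyed likelihood exceeds appetite, then by ALE.
        mandatory = self.appetite is None
        gap = 0 if mandatory else max(0, self.likelihood - self.appetite)
        return (mandatory, gap, self.ale())

def rank_by_ale(risks):
    return [r.name for r in sorted(risks, key=Risk.ale, reverse=True)]

def rank_mixed(risks):
    return [r.name for r in sorted(risks, key=Risk.priority, reverse=True)]

def plan_within_budget(risks, budget):
    """'Here's your budget': fund mitigations in mixed-method priority order.
    Returns (funded names, unfunded names, remaining budget)."""
    funded, unfunded, remaining = [], [], budget
    for r in sorted(risks, key=Risk.priority, reverse=True):
        if r.mitigation_cost <= remaining:
            funded.append(r.name)
            remaining -= r.mitigation_cost
        else:
            unfunded.append(r.name)
    return funded, unfunded, remaining

def budget_needed(risks):
    """'Tell me what you need': cost to mitigate every identified risk."""
    return sum(r.mitigation_cost for r in risks)

# Constructed sample register (hypothetical figures, not from any real assessment)
REGISTER = [
    Risk("ransomware", 200_000, 50_000, 0.20, 3, 2, 30_000),
    Risk("customer data breach", 500_000, 100_000, 0.05, 2, None, 80_000),
    Risk("office fire", 1_000_000, 200_000, 0.01, 1, 1, 10_000),
    Risk("laptop theft", 2_000, 500, 2.0, 5, 3, 5_000),
]
```

On this register the ALE-only ranking puts ransomware first, while the mixed ranking puts the data breach first because no appetite exists for its brand impact, and the budget plan then shows management which risk is left unfunded.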
