Tuesday, August 14, 2018
Mixed Method Risk Analysis
Many people assume that risk analysis is merely a specialization of cost/benefit analysis. That view lends itself to a quantitative approach. How much is the asset worth? What will the down-time cost us? How often will the risk event happen? Punch these values into an equation, and *poof* a magic number. While there is value for such numbers when determining budgets, they miss out on very important details. Would your brand suffer if an event (say, a data breach) occurred? What would it cost you to repair that brand damage? How long would that take? How tightly are sales coupled with public opinion? Failure to ask such questions may lead to a risk mitigation strategy that, while defensible, may not be adequate.
Risk analysis should begin with a survey of key stakeholders to determine the perceived risks and what the impacts of those risks are (some include this in risk assessment). Once a complete list is established, the list is then circulated again to determine the perceived likelihood of each, and the appetite for the expected impacts. The likelihood of certain risks, such as fire or theft, can be validated through enquiries made at local public records offices. The list of risks can then be sorted based on likelihood and appetite for potential impacts. Even if a risk is highly unlikely, it may be worth mitigation if the appetite for one or more of its impacts is null.
There are generally two approaches to budgeting for risk mitigation: “Here’s your budget, do what you can” and “Tell me what you need and we’ll discuss it.” The first is somewhat easier, as the initial boundaries are known. The latter is more time-consuming, as it requires digging into the details for all identified risks, and is often followed by “Oh, uhm, what can you do for ____ dollars?” In either case, it is the job (and responsibility) of the security professional to ensure that management knows which risks can be mitigated within the available budget, and which risks cannot. This is why Mixed Methods research is the correct approach to use in Risk Analysis.
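To make the contrast between the two views concrete, here is a small risk register that carries both the quantitative “magic number” of the first paragraph and the stakeholder appetite gathered in the survey rounds, then ranks risks and applies a fixed budget as in the “here’s your budget” approach. This is an added example, not code from the post; it assumes the quantitative equation is the usual single loss expectancy times annual rate of occurrence (SLE × ARO), and every risk name, dollar figure, rate and appetite below is constructed for illustration.

```python
from dataclasses import dataclass

# Qualitative dimension: stakeholder appetite for the risk's impacts, as
# gathered in the second survey round. Lower rank sorts first; "none" means
# the impact is unacceptable no matter how unlikely the event is.
APPETITE_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    name: str
    asset_value: float      # quantitative: value of the asset exposed
    exposure_factor: float  # fraction of that value lost per event, 0..1
    annual_rate: float      # expected events per year (for fire/theft, check public records)
    appetite: str           # qualitative: a key of APPETITE_RANK
    mitigation_cost: float  # annual cost of the proposed control

    def single_loss(self) -> float:
        """Single loss expectancy (SLE): loss from one occurrence of the event."""
        return self.asset_value * self.exposure_factor

    def annual_loss(self) -> float:
        """Annualised loss expectancy (ALE): the 'magic number' of a purely quantitative analysis."""
        return self.single_loss() * self.annual_rate


def _mixed_key(risk: Risk):
    # Appetite first, then expected annual loss (descending) within an appetite band.
    return (APPETITE_RANK[risk.appetite], -risk.annual_loss())


def rank_quantitative(risks):
    """Pure cost/benefit view: highest expected annual loss first."""
    return [r.name for r in sorted(risks, key=lambda r: -r.annual_loss())]


def rank_mixed(risks):
    """Mixed-method view: a risk nobody will tolerate outranks a likelier but tolerable one."""
    return [r.name for r in sorted(risks, key=_mixed_key)]


def plan_budget(risks, budget):
    """'Here's your budget, do what you can': fund controls in mixed-method priority
    order while they fit, and report what stays open so management is not surprised."""
    remaining = budget
    mitigated, unmitigated = [], []
    for r in sorted(risks, key=_mixed_key):
        if r.mitigation_cost <= remaining:
            remaining -= r.mitigation_cost
            mitigated.append(r.name)
        else:
            unmitigated.append(r.name)
    return mitigated, unmitigated, remaining


# Constructed sample register; all figures are illustrative, not from the post.
SAMPLE_RISKS = [
    Risk("Fire", 1_000_000, 0.5, 0.02, "low", 8_000),
    Risk("Laptop theft", 20_000, 1.0, 2.0, "medium", 5_000),
    Risk("Data breach", 2_000_000, 0.25, 0.05, "none", 30_000),
    Risk("Phishing", 100_000, 0.1, 5.0, "medium", 12_000),
]


if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name:14} ALE={r.annual_loss():>9,.0f}  appetite={r.appetite}")
    print("quantitative order:", rank_quantitative(SAMPLE_RISKS))
    print("mixed-method order:", rank_mixed(SAMPLE_RISKS))
    funded, still_open, unspent = plan_budget(SAMPLE_RISKS, 45_000)
    print("funded:", funded, "| still open:", still_open, "| unspent:", unspent)
```

With the sample figures, the quantitative ranking puts phishing first and the data breach third, while the mixed ranking puts the data breach first because its appetite is “none”, even though it is the least likely event in the register. Under a 45,000 budget the breach and fire controls are funded, laptop theft is picked up because it still fits, and phishing, the highest expected annual loss, is the item reported back to management as unmitigated.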