Derek Brink, in a blog post on an RSA blog entitled *Watch Your Language: How Security Professionals Miscommunicate about Risk*, addresses the issue of risk thusly.

Shon Harris, author of the popular CISSP All-in-One Exam Guide, defines risk as “the likelihood of a threat agent exploiting a vulnerability, and the corresponding business impact.” Douglas Hubbard, author of The Failure of Risk Management: Why It’s Broken, and How to Fix It, defines risk as “the probability and magnitude of a loss, disaster, or other undesirable event.” (And in an even simpler version: “something bad could happen.”)

All well and good. But. The devil is in the details of “likelihood.” One favorite measure of the metric-minded among us is the Annual Loss Expectancy (ALE), which is the product of the SLE (Single Loss Expectancy) multiplied by the ARO (Annual Rate of Occurrence).

The problem in measuring risk thusly arises when the likelihood (ARO) is very, very low and the consequence (SLE) is very, very high. The old expression “1 in a million” works out to an ARO of “.0000001” and an SLE of $1,000,000. Is the ALE then $1.00? No. The ALE is $1,000,000. If it happens, it happens. If it doesn’t, it doesn’t. The event won’t happen 0.25 times per year. Or 0.33 times a year.

This makes it damnably difficult for an organization to budget for security. If an organization is required to spend the amount that represents the impact multiplied by the probability of that loss, then do you spend $1.00? Or do you spend $1,000,000? The answer lies somewhere in between.

A Nobel prize to the individual who figures out this equation.


You make a very good point.

If I were concerned with such a problem I might calculate the ARO & SLE as normal, but I might also make an assumption and put a lower bound on the ARO; 1.0 perhaps. The assumption in this case would be that in any given year at least 1 event will occur. In this way I can even qualify my findings in reports as being legitimate provided that “we assume at least one event a year” may occur. While I think this is somewhat of an arbitrary assumption and not based on any particular evidence, I don’t think it would be a hard sell to many executives. It may however be further complicated by the amount of $$ that the resulting calculation turns out to suggest is required.

Quite the dilemma.

~ Patrick
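The following is an added example, not code from the post or from Patrick's comment. It carries the post's figures (SLE of $1,000,000, ARO of one in a million) through the textbook SLE × ARO product, applies the ARO floor Patrick suggests, and then simulates many years to show why a $1.00 expectation says nothing about what any single year will cost. The Poisson model of occurrences, the 30-year horizon and the 10,000-year simulation length are my assumptions, not anything stated on the page.

```python
"""ALE arithmetic versus what a single year actually looks like.

Added example. Inputs are constructed to match the figures in the post:
SLE = $1,000,000 and ARO = 1e-6 ("one in a million"), which is what makes
the post's ALE come out at $1.00.
"""
import math
import random

# Constructed inputs, matching the post's figures.
SLE = 1_000_000.0   # single loss expectancy: the cost if the event happens
ARO = 1e-6          # annual rate of occurrence: "one in a million"


def ale(sle: float, aro: float) -> float:
    """Textbook Annual Loss Expectancy: SLE multiplied by ARO."""
    return sle * aro


def ale_with_floor(sle: float, aro: float, floor: float = 1.0) -> float:
    """Patrick's variant: never let ARO fall below `floor` (1.0 means
    "assume at least one event a year"), then apply the same product."""
    return sle * max(aro, floor)


def prob_at_least_one(aro: float, years: int) -> float:
    """Chance the event happens at least once in `years` years, modelling
    occurrences as a Poisson process with rate `aro` per year (assumption)."""
    return 1.0 - math.exp(-aro * years)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(sle: float, aro: float, years: int, seed: int = 0):
    """One loss figure per simulated year: the number of events that year is
    drawn from Poisson(aro) and each event costs SLE. At a tiny ARO almost
    every year costs $0 and the rare bad year costs the full SLE."""
    rng = random.Random(seed)
    return [sle * _poisson(rng, aro) for _ in range(years)]


def loss_profile(losses):
    """Summarise simulated years: the average (which converges to the ALE
    only over a very long run), how often nothing happened at all, and the
    worst single year, which is what a budget actually has to survive."""
    n = len(losses)
    return {
        "mean_annual_loss": sum(losses) / n,
        "fraction_of_zero_years": sum(1 for x in losses if x == 0) / n,
        "worst_year": max(losses),
    }


if __name__ == "__main__":
    print(f"ALE with ARO={ARO}: ${ale(SLE, ARO):,.2f}")
    print(f"ALE with ARO floored at 1.0: ${ale_with_floor(SLE, ARO):,.2f}")
    print(f"P(at least one event in 30 years): {prob_at_least_one(ARO, 30):.6f}")
    for rate in (ARO, 1.0):
        profile = loss_profile(simulate_annual_losses(SLE, rate, years=10_000))
        print(f"ARO={rate}: {profile}")
```

Running it shows the two numbers the post contrasts side by side: the product gives $1.00, the floored version gives $1,000,000, and the simulated run at the one-in-a-million rate reports thousands of $0 years with a worst year of either $0 or the full $1,000,000, never anything near the $1.00 average. At an ARO of 1.0 the mean converges on the SLE but roughly a third of years still cost nothing, which is the point Patrick's floor trades away in exchange for a defensible budget line.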