Look through the risk management window to add up security costs
Sep 1, 1997 12:00 PM, ROBERT V. JACOBSON
The Funk and Wagnalls dictionary defines risk as "a chance of encountering harm or loss" and defines chance as "an unknown agency, assumed to account for unusual or unexplained events." In other words, risk management has to do with harm or loss caused by unusual events.
At a more practical level, it is helpful to think of risk losses as those that are not considered a part of normal operations. This article describes a simple model of risk that illuminates the range of risks to which business and government operations are exposed. The model also uncovers two different techniques for identifying appropriate protective measures.
Jacobson's Window
Some time ago, I devised a simple model for illuminating the essential character of high-tech system risks. William H. Murray, executive consultant for Information Systems Security, referred to the model as "Jacobson's Window." Figure 1 shows why. The model assumes that a risk can be characterized by its frequency (or probability, but I prefer not to use the term, because it suggests that a risk event may never occur) of occurrence, and the consequences of each occurrence. The model makes the simplifying assumption that all risks have either a low or high frequency of occurrence, and a low or high consequence. Figure 1 represents these assumptions as a two-by-two matrix of four possible classes of risks, giving rise to Murray's use of the term "Jacobson's Window."
The two inconsequential risk classes
As noted above, the two-by-two matrix model implies that there are four classes of risk that we can refer to as low-low, high-low, low-high, and high-high. Figure 2 suggests that two of the classes can be ignored. The low-low class can be ignored because it does not matter. It is obvious that a risk that occurs at 10,000-year intervals and that causes a one-dollar loss can be ignored safely. Experience suggests that the high-high class can be assumed not to exist in the real world. For example, if 50-ton meteorites crashed through the roofs of computer rooms every day (an extreme example), we would not attempt to use computers. Information about meteorites in a recent New York Times story leads to a rough estimate of the occurrence rate of being demolished by a meteorite of about once in 4 x 10^10 years. Broadly speaking, we recognize that high-probability, high-loss risks just do not exist.
The two significant risk classes
This analysis suggests that there are only two significant risk classes: high-low and low-high. Shoplifting is a good example of a high-low risk: a high probability of occurring and a low resulting loss. A major fire that destroys a building housing a telephone switching system (the Hinsdale, Ill., fire for example) is a case of a low-high risk: a low probability and a high consequential loss. However, we know that real-world risks do not fall into these two classes; instead, there is a spectrum of risks from high-low to low-high.
Figure 3 uses several common risks to illustrate how real-world risks are spread along a spectrum from high-low (retail theft) to low-high (major fires). Conceptually, there is no difference between the high-low and low-high threats; both cause losses. Experience suggests that over the long term the high-low and low-high threats tend to cause losses of similar magnitude to an organization. This concept is quantified by the notion of annualized loss expectancy or ALE. The ALE of a risk is simply the product of its rate of occurrence, expressed as occurrences per year, and the loss resulting from a single occurrence.
Here is a simple example of ALE: A retail shop experiences losses from shoplifting. Assume that the occurrence rate is 104 per year (two per week), and that the average loss is $150. Simple arithmetic tells us that losses are occurring at an annual rate (ALE) of $15,600.
Next, let us assume that the probability of a major fire next year is 1/10,000 (the occurrence rate of major fires is 0.0001), and that the loss resulting from a major fire would be $150 million. These assumptions lead to an estimate of $15,000 for the ALE of major fires. Thus, the two risks from opposite ends of the risk spectrum have ALEs of about the same magnitude.
Difficulties estimating ALE
The discussion above shows that ALE is a useful concept for comparing risks, but we recognize intuitively that ALE is not an entirely satisfactory basis for making risk management decisions about the low-probability, high-consequence risks. There are two reasons for this dissatisfaction. The first reason is the difficulty of generating a credible estimate of rate of occurrence for low-occurrence-rate risks. As a rule, one can generate credible estimates of the consequences of a low-occurrence-rate risk, but the same is not true of occurrence rate estimates. Risks that flow from human actions such as fraud and sabotage are particularly difficult to quantify. The second reason stems from what appears to be a common human trait that I have postulated as Jacobson's 30 Year Law: "People tend to dismiss risks that they have not experienced themselves within the last 30 years."
Why 30 years? It is not clear, but it may be related genetically to human life expectancy, which until just a few generations ago was about 30 years. Possibly, people who were able to suppress anxiety about rare events were more successful than those who worried too much.
Suffice it to say, one can find numerous instances of Jacobson's 30 Year Law at work. For example, the U.S. government has had a major fire at about 28-year intervals since 1790, most recently at the Military Records Center. Presumably, each new generation of Federal property managers must relearn the lessons of fire safety by direct experience. Similarly, we have all heard senior managers, particularly public officials, respond to a calamity as follows: "Who could have imagined that such a thing could have happened? However, we have taken steps to see that it never happens again."
What a security director tries to do
The major objective of a security director is to try to imagine every possible risk the organization faces, even those not personally experienced, and to develop estimates of the impact of the risks. Next, the security director strives to identify the optimum response to each risk. One way to do this is to identify security that has a positive return on investment (ROI). Consider, for example, the risk of retail theft noted in the earlier example. The ALE was estimated as $15,600 per year. The estimate is credible because there is ample past experience with both the occurrence rate and impact cost of the risk.
The security director considers how to treat this risk. For example, assume that spending $100 each year on training for each of 50 retail clerks ($5,000 in all) is expected to reduce theft losses by 30 percent. Since the reduction in ALE, $4,680, is less than the cost of the training, $5,000, the ROI would be negative and the training would not be a worthwhile security measure. However, if theft losses were reduced by 90 percent, $14,040, instead of 30 percent, the ROI would be 280 percent and the training would be a good investment.
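The ALE and ROI arithmetic of the last few paragraphs, worked through as an added example (this code is not from the article; the figures are the article's, except the electronic-tag measure, which is a constructed third candidate added so that the ranking rule from the conclusions has something to order). The block computes both the gross benefit-to-cost ratio (14,040 / 5,000 = 2.8, the basis of the article's 280 percent figure) and the net ROI, (reduction minus cost) / cost, which is what makes the 30 percent case negative as the article states; the ranking uses the net definition.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """A risk characterised by its annual occurrence rate and per-occurrence loss."""
    name: str
    occurrences_per_year: float
    loss_per_occurrence: float  # dollars

    def ale(self) -> float:
        """Annualized loss expectancy: occurrence rate x loss per occurrence."""
        return self.occurrences_per_year * self.loss_per_occurrence


@dataclass(frozen=True)
class Measure:
    """A candidate security measure that reduces the ALE of one risk by a fraction."""
    name: str
    risk: Risk
    annual_cost: float
    ale_reduction_fraction: float  # 0.30 means the measure cuts the risk's ALE by 30 percent

    def ale_reduction(self) -> float:
        return self.risk.ale() * self.ale_reduction_fraction

    def benefit_cost_ratio(self) -> float:
        """Gross ratio of saved ALE to cost (the article's 280 percent is this ratio)."""
        return self.ale_reduction() / self.annual_cost

    def net_roi(self) -> float:
        """(saved ALE - cost) / cost: negative when the measure costs more than it saves."""
        return (self.ale_reduction() - self.annual_cost) / self.annual_cost


def rank_measures(measures):
    """Keep only measures with positive net ROI and order them highest ROI first,
    which is the implementation order the article's conclusions recommend."""
    worthwhile = [m for m in measures if m.net_roi() > 0]
    return sorted(worthwhile, key=lambda m: m.net_roi(), reverse=True)


# Figures taken from the article's two worked examples
shoplifting = Risk("retail theft", 104, 150)  # two per week, $150 average loss
major_fire = Risk("major fire", 1 / 10_000, 150_000_000)

# Clerk training: $100 per year for each of 50 clerks, at two assumed effectiveness levels
training_30 = Measure("clerk training, 30% reduction", shoplifting, 50 * 100, 0.30)
training_90 = Measure("clerk training, 90% reduction", shoplifting, 50 * 100, 0.90)
# Constructed extra candidate (not from the article) so the ranking is non-trivial
tags = Measure("electronic article surveillance tags", shoplifting, 3_000, 0.50)


if __name__ == "__main__":
    for r in (shoplifting, major_fire):
        print(f"{r.name:12s} ALE ${r.ale():,.0f} per year")
    for m in (training_30, training_90, tags):
        print(f"{m.name:40s} saves ${m.ale_reduction():,.0f}  "
              f"benefit/cost {m.benefit_cost_ratio():.2f}  net ROI {m.net_roi():+.1%}")
    print("implement in this order:", [m.name for m in rank_measures([training_30, training_90, tags])])
```

Run as a script, the block prints the two ALEs of about the same magnitude ($15,600 and $15,000), the negative net ROI of the 30 percent training case, and the positive cases in ROI order.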
Why ROI-based risk management often fails
Some security directors try to implement ROI-based security programs, but usually with limited success. The technique works well with high-probability, low-consequence events for two reasons: it is easy to generate credible estimates of ALE, and the manager who approves the expenditure believes that the risk exists and should be addressed. The technique does not work for the low-probability, high-consequence risks, since both factors (credible estimates and management concern) are missing.
Note that end-users of high-technology systems commonly have a higher level of concern about risks than the system managers, but it is the system managers who make the decisions about security measures. Stated briefly, a system manager has no difficulty choosing between buying a faster computer or a safer computer. Thus, while a security director may have identified a significant low-high risk before it occurred, an organization's senior managers probably are unaware of these low-high risks and are genuinely surprised when major losses occur. Hence the "who could have imagined" press releases.
Four reasons for adopting a security measure
We have seen that ROI-based security measures can be identified and implemented for high-low risks but not for low-high risks. This suggests that one should use a variety of risk management techniques to manage the spectrum of risks. There are four tests of the utility of a security measure:
* The security measure is required by law or regulation. In effect, the governing body has determined (one hopes) that the security measure makes good public policy, because it will always meet one of the remaining three tests.
* The cost of the security measure is trivial, but its benefit is material. For example, if a door is repeatedly left unlocked, institute a procedure to keep the door locked.
* The cost of the security measure will be more than offset by the reduction in future losses (ALE) that it will yield. In other words, the security measure has a positive ROI. This reason is commonly used to justify protection against the high-low risks. Retail clerk anti-shoplifting training is an example.
* The security measure addresses a low-high risk that has an intolerable single occurrence loss (SOL). For example, it would be intolerable for a corporation to experience an SOL that exceeded owner equity or net worth. The recent failure of a prominent merchant bank is a tragic example of an organization that failed to address its exposure to an intolerable SOL.
Treatment of the low-high risks requires the participation of senior management, because judgment, rather than an ROI analysis, is required to decide how safe is safe enough. The fourth reason suggests the appropriate technique for managing the low-high risks. A brief outline of a procedure for this technique follows.
How to address the low-high risks
After the high-low threats have been addressed using an ROI analysis, the security director considers all imaginable low-high risks, one by one, and makes an estimate of the SOL and the rate of occurrence for each. The report of this analysis should describe the confidence level of each estimate of SOL and occurrence rate. Next, the security director arranges the risks in descending order of SOL, and presents the list to senior management. Senior management draws a line somewhere on the list and says: "The risks above the line are intolerably high. Do something about them." The security director considers each of the unacceptable risks in two ways.
The first approach is to consider how the SOL can be reduced. There are several possibilities:
* Transfer some or all of the risk by obtaining insurance against the risk. The premium will depend on the amount of the loss that is deductible, the maximum insured value, and the underwriter's perception of the hazards. For example, one might obtain insurance against a $100 million SOL exposure with a $10 million deductibility. The intolerable $100 million SOL has been reduced to a tolerable $10 million SOL at the cost of the insurance policy premium.
* Disburse the risk. Replace a single distribution warehouse with an intolerable SOL of $100 million of catastrophic physical damage and service interruption losses with three smaller warehouses with SOLs of $33 million each, sufficiently isolated from one another to rule out shared disasters. The cost will be the incremental cost of the less efficient operation of three warehouses.
* Reduce the vulnerability of the facility. For example, implement an enhanced business resumption plan at some additional cost to speed up recovery off-site. This will reduce the SOL associated with catastrophic service interruption losses to a tolerable level.
The second approach is to consider how the occurrence rate can be reduced. Because of the uncertainty of the estimates of rare-event occurrence rates, this is less satisfactory. Nonetheless, even the uncertain occurrence rate estimates have value. If two risks have the same SOL, but differ by a factor of two in estimated occurrence rate, the risk with the lower occurrence rate presumably represents a lesser danger to the organization.
Having performed these two kinds of analysis, the security director presents a second report to senior management. The report lists the low-high risks, as before, with one or more strategies for treating each risk. If the security director is able to identify a low-cost security measure that reduces the rate of occurrence of a risk to a low enough value, senior management may elect to ignore the risk. There is some rate of occurrence below which risks may be ignored, but it is senior management's responsibility to determine the rate. Alternatively, senior management may elect to take actions to reduce intolerable SOLs. The estimates of occurrence rates, single occurrence losses and the costs of mitigating actions will help senior management to prioritize the implementation of security measures.
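The two-report procedure for the low-high risks, as an added example that is not part of the article: risks are ranked by SOL, senior management's line and ignore-rate threshold are applied, and each intolerable risk is paired with the treatments from the text (insurance transfer, dispersal across isolated sites, occurrence-rate reduction). All risk figures, costs, premiums and thresholds below are constructed for illustration, not taken from the article; the rule that a treatment is acceptable when it brings the residual SOL under the line or the residual rate under the ignore threshold is my reading of the text, and picking the cheapest acceptable treatment is one possible prioritisation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LowHighRisk:
    """A low-probability, high-consequence risk with the analyst's estimates."""
    name: str
    sol: float            # single occurrence loss, dollars
    rate_per_year: float  # estimated occurrence rate (least certain figure)
    confidence: str       # reported confidence in the estimates, e.g. "low", "medium", "high"


@dataclass(frozen=True)
class Treatment:
    """Residual exposure and annual cost after applying one strategy to a risk."""
    description: str
    residual_sol: float
    residual_rate: float
    annual_cost: float


def rank_by_sol(risks):
    """First report: risks in descending order of SOL for senior management."""
    return sorted(risks, key=lambda r: r.sol, reverse=True)


def intolerable(risks, sol_limit):
    """Risks above the line senior management drew on the ranked list."""
    return [r for r in rank_by_sol(risks) if r.sol > sol_limit]


def insure(risk, deductible, premium):
    """Transfer: the retained SOL becomes the deductible, at the cost of the premium."""
    return Treatment(f"insure with ${deductible:,.0f} deductible",
                     min(risk.sol, deductible), risk.rate_per_year, premium)


def disperse(risk, sites, extra_operating_cost):
    """Disburse: split one facility into n isolated ones; any single disaster hits 1/n."""
    return Treatment(f"split across {sites} isolated sites",
                     risk.sol / sites, risk.rate_per_year, extra_operating_cost)


def reduce_rate(risk, new_rate, annual_cost, description):
    """Lower the occurrence rate; the SOL itself is unchanged."""
    return Treatment(description, risk.sol, new_rate, annual_cost)


def acceptable(treatment, sol_limit, ignore_rate):
    """A treatment suffices if it brings the SOL under the line or the rate under the
    level at which senior management has decided risks may be ignored."""
    return treatment.residual_sol <= sol_limit or treatment.residual_rate <= ignore_rate


def second_report(risks, sol_limit, ignore_rate, options):
    """Second report: each intolerable risk with its acceptable treatments and the
    cheapest of them (None if no option on the table brings the risk inside limits)."""
    rows = []
    for r in intolerable(risks, sol_limit):
        ok = [t for t in options.get(r.name, []) if acceptable(t, sol_limit, ignore_rate)]
        cheapest = min(ok, key=lambda t: t.annual_cost, default=None)
        rows.append((r, ok, cheapest))
    return rows


# Constructed sample risks (illustrative figures, not from the article)
fire = LowHighRisk("warehouse destroyed by fire", 100e6, 1 / 10_000, "medium")
flood = LowHighRisk("data centre flood", 40e6, 1 / 2_000, "low")
outage = LowHighRisk("switching-system outage, one day", 8e6, 1 / 50, "high")
RISKS = [outage, fire, flood]

SOL_LIMIT = 25e6      # assumed line drawn by senior management
IGNORE_RATE = 2e-5    # assumed rate below which management will ignore a risk

# Constructed treatment options per risk
OPTIONS = {
    fire.name: [insure(fire, 10e6, 400_000),
                disperse(fire, 3, 1_200_000),
                reduce_rate(fire, 1 / 100_000, 2_000_000, "sprinklers and fire-rated construction")],
    flood.name: [insure(flood, 30e6, 50_000),
                 reduce_rate(flood, 1 / 200_000, 900_000, "relocate servers above flood line")],
}


if __name__ == "__main__":
    for r in rank_by_sol(RISKS):
        print(f"{r.name:36s} SOL ${r.sol:,.0f}  rate {r.rate_per_year:.2e}/yr  confidence {r.confidence}")
    for risk, ok, cheapest in second_report(RISKS, SOL_LIMIT, IGNORE_RATE, OPTIONS):
        print(f"\n{risk.name}: {len(ok)} acceptable treatment(s)")
        for t in ok:
            print(f"  {t.description:42s} residual SOL ${t.residual_sol:,.0f}  cost ${t.annual_cost:,.0f}/yr")
        print("  recommended:", cheapest.description if cheapest else "none on the table")
```

In the sample data the three-site dispersal of the warehouse leaves a $33 million SOL above the $25 million line, so it drops out; insurance with a $10 million deductible is the cheapest way to make the fire risk tolerable, while the flood risk is only brought inside limits by the rate-reduction option, because a $30 million deductible still exceeds the line.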
Conclusions
The risk model illustrated by "Jacobson's Window" leads to the following conclusions:
* Risks can be broadly classified as high-probability, low-consequence and low-probability, high-consequence. In general, the two classes cause losses of the same magnitude when expressed at an annual rate or annualized loss expectancy.
* High-low risks can be addressed by selecting security measures with a positive return on investment based on the relationship between cost to implement and reduction in ALE. All other things being equal, security measures should be implemented in descending order of ROI.
* Treatment of low-high risks requires the judgment of senior management, based on estimates of single occurrence loss (SOL), and, to a lesser extent, estimates of rate of occurrence. Security measures may reduce SOLs to acceptable levels, or decrease occurrence rates to the level at which risks can be ignored.
* The risk management function should be performed by properly qualified persons, independent of operations and reporting to senior management to ensure that all risks are recognized and resource allocation is unbiased.
© 2012 Penton Media Inc.