Welcome to NBlog, the NoticeBored blog

Like the finer things in life, quality trumps quantity.

Aug 29, 2013

Analog Risk Assessment method, ARA [UPDATED]


A multi-part blog piece by Brad Bemis suggesting the use of a simplified/standardized risk analysis process for the purposes of PCI-DSS led me to look into a quick/rough-cut information security risk assessment method based around just ten yes/no questions, that Brad recommends.  The method's inventor, Ben Sapiro, calls it "Binary Risk Analysis" [BRA] to emphasize those yes/no choices, implying a degree of simplicity and objectivity to the method (although some have questioned that: forcing users to choose in this manner merely causes them to collapse or shoe-horn each of their subjective opinions into one of two boxes, which does not make them any less subjective, and if anything makes them more constrained).  The ten questions in BRA lead the user through the process of evaluating the frequency and severity (albeit called "threat likelihood" and "threat impact"), key factors that are commonly used to evaluate risks.

It occurred to me that it would be even quicker and easier, and in fact no less accurate, for a competent person to assess and plot the probability and impact elements of relevant incident scenarios directly.

Since Ben's method is "binary", I've called mine "Analog Risk Assessment" [ARA]! 

I'm not saying analog is inherently better or worse than binary, just different.  It happens to suit my way of thinking and, judging by the popularity of this blog item, others are similarly inspired.  The colorful graphic (a metric) is an excellent way to consider and discuss risks in workshops etc., and to summarize the findings for management decisions, naturally focusing attention on risks in the red zone.

Whereas I've labeled the axes "Likelihood" and "Severity", you may prefer similar terms such as "Likelihood" and "Consequences" (reflecting the ISO/IEC 27000 definition "Level of risk: Magnitude of a risk expressed in terms of the combination of consequences and their likelihood").

In the same spirit as Ben, I'm very happy for anyone to use ARA or develop it further under a Creative Commons license:

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.


Enjoy!

Regards,

7 comments:

  1. A very similar red-amber-green coloured graphic - or risk metric - has been proposed for inclusion in the revised version of ISO/IEC 27005, plotting impact against likelihood. The approach seems to be widely accepted.

    1. There's yet another in FAIR: see https://www2.opengroup.org/ogsys/jsp/publications/PublicationDetails.jsp?publicationid=12239

    2. There's another without the RAG-shading in the National Risk Register, a UK Government report on major risks to the UK: see https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/61934/national_risk_register.pdf

      I'm tempted to re-draw their figure 1 on page 5 in the colour-coded ARA style with inverted axes but even in its original glorious monochrome, it's clear that the approach is a valuable way of comparing and discussing markedly different risks on an even basis.

    3. This year's version of the UK National Risk Register [Of Civil Emergencies] has an updated risk graphic in much the same style, except that they have divided the axes into categories and hence the graph area is full of neat little boxes: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/419549/20150331_2015-NRR-WA_Final.pdf Despite appearances, I doubt it is any more accurate or precise than the one without scale markings.

  2. Where is the actual ARA? There doesn't appear to be a link for it.
    Thanks :)

  3. Errr, oh, I thought it was obvious. Well OK then, here you go, ten step-by-step instructions on using the ARA approach:
    1. Identify a bunch of possible risks, incidents or concerns in the area that interests you, using your experience, incident statistics, other risk analyses, brainstorming and crystal-ball-gazing.
    2. For each one, estimate roughly how likely it is to occur, relative to the others. That gives you its position on the likelihood axis.
    3. Also, if it did occur, estimate the damage that would be caused, again relative to others. That gives you its position on the severity axis.
    4. Plot each of the items at the appropriate positions on the graph.
    5. Circulate and discuss the initial graph with management, typically in a meeting or workshop. Describe the items shown, explaining why you think they are where they are. Compare and contrast items on the graph. Shift things around if there is consensus or pressure from the group. Add significant new items if they come up in discussion, and combine or remove others if that makes sense. Link or group related items if that helps.
    6. When everyone is reasonably happy with the graph, move on to discuss what needs to be done in response. Emphasize and prioritize anything in the red zone, or others that might be heading that way. Look for creative solutions such as controls that will address multiple items, or opportunities to avoid or transfer risks to third parties.
    7. Draft an action plan, ideally with priorities, target dates and named individuals who accept responsibility for leading the actions arising.
    8. Get agreement on the action plan and initiate the work (if not already under way).
    9. Track and drive actions, altering the positions and nature of items on the graph as you make progress.
    10. From time to time, reconvene to review progress, and perhaps apply the same process to other areas of risk. Wash, rinse, repeat.

    No need for a fancy app or "methodology" as such. No expensive training courses. No crack team of consultants. Even a computer is optional, although personally I find a graphics package improves on my hand-drawn-in-crayon-on-the-back-of-an-envelope efforts. The big advantages of ARA are its simplicity, speed and low cost. Put more of your energy into discussing, understanding, and most importantly treating the risks. It's an excellent antidote for the 'paralysis by analysis' that so often afflicts organizations who find themselves locked into horrendously complex methods.

    Best of all, it works well in practice. Why not try it out and let us know how you get on?

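As an added illustration (my own, not code from the post, from Gary or from Ben Sapiro), here is a small Python script that carries the ARA graphic from the post and steps 2 to 6 of Gary's instructions through in code: each constructed incident scenario is placed on the likelihood and severity axes by judgement, plotted on a text-mode chart with red-amber-green shading, and the red-zone items are listed first so the discussion starts where the post says it should. The six scenarios, the 0-to-1 scales and the shading thresholds are all assumptions for this example; the post deliberately leaves the axes unmarked.

```python
"""Analog Risk Assessment (ARA) worked example: plot judged likelihood and
severity of incident scenarios, shade the plane red/amber/green, and order
the scenarios for discussion. All numbers below are constructed sample input."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: float  # 0.0 (very unlikely) .. 1.0 (near certain), judged relative to the others
    severity: float    # 0.0 (negligible) .. 1.0 (catastrophic), judged relative to the others


# Constructed sample scenarios: the positions are judgement calls, as ARA intends.
SCENARIOS = [
    Scenario("Phishing leads to credential theft", 0.85, 0.55),
    Scenario("Ransomware encrypts file servers", 0.45, 0.90),
    Scenario("Lost unencrypted laptop", 0.60, 0.40),
    Scenario("Data centre flood", 0.10, 0.95),
    Scenario("Printer misconfiguration leaks a memo", 0.50, 0.15),
    Scenario("Insider exports customer database", 0.20, 0.80),
]


def zone(s: Scenario, red: float = 0.40, amber: float = 0.15) -> str:
    """Assumed shading rule: the product of likelihood and severity, with the
    red and amber thresholds chosen for this example. A product rule puts a
    rare-but-catastrophic item and a frequent-but-minor one in the same band."""
    score = s.likelihood * s.severity
    if score >= red:
        return "red"
    if score >= amber:
        return "amber"
    return "green"


SHADE = {"green": ".", "amber": "-", "red": "#"}
ORDER = {"red": 0, "amber": 1, "green": 2}


def chart(scenarios, width: int = 40, height: int = 12, shade=zone) -> str:
    """Render the likelihood (x) / severity (y) plane as text. Empty cells show
    the zone shading of that position so the RAG regions are visible; each
    scenario is marked with a letter (A, B, ... in input order, up to 26)."""
    grid = []
    for row in range(height, -1, -1):           # top line = highest severity
        sev = row / height
        cells = [SHADE[shade(Scenario("", col / width, sev))] for col in range(width + 1)]
        grid.append(cells)
    for i, s in enumerate(scenarios):
        col = round(s.likelihood * width)
        row = height - round(s.severity * height)
        grid[row][col] = chr(ord("A") + i)      # later items overwrite earlier ones in a shared cell
    lines = ["Severity ^"]
    lines += ["         |" + "".join(cells) for cells in grid]
    lines.append("         +" + "-" * (width + 1) + "> Likelihood")
    return "\n".join(lines)


def legend(scenarios, shade=zone):
    """Letter, name and zone for each scenario, in the order used by chart()."""
    return [(chr(ord("A") + i), s.name, shade(s)) for i, s in enumerate(scenarios)]


def prioritised(scenarios, shade=zone):
    """Red-zone items first, then amber, then green; within a band the higher
    likelihood*severity product comes first. This is the 'discuss first' list."""
    return sorted(scenarios, key=lambda s: (ORDER[shade(s)], -(s.likelihood * s.severity)))


if __name__ == "__main__":
    print(chart(SCENARIOS))
    for letter, name, z in legend(SCENARIOS):
        print(f"{letter}: {name} [{z}]")
    print("\nDiscuss first:")
    for s in prioritised(SCENARIOS):
        print(f"  {zone(s):5s}  {s.name}")
```

The only design decision that matters here is the shading rule passed as `shade`: with the product rule the "Data centre flood" scenario lands in the green band despite its near-maximal severity, which is exactly the kind of placement step 5 of the instructions expects the workshop to challenge and shift. Swapping in a rule that weights severity more heavily changes the bands without changing anything else in the script.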
  4. Hi Gary. I want to use ARA for enterprise risk management applications. I will come back here and share the outcome. Cheers!
