Tue Mar 10 20:41:42 PDT 2015

Risk Management: Risk definition: How are risk levels for the protection program defined?


Option 1: Analyze risks in terms of financial numbers.
Option 2: Use a 3-level system with low, medium, and high risks defined based on consequences.
Option 3: Use a 4-level system with risk classes I, II, III, and IV per IEC 61508.
Option 4: Combine IEC 61508 with a 3-level system.
Option 5: Use a 10-level system rating risks from 1 to 10 based on consequences.
Option 6: Don't rate risks.
Option 7: Rate systems based on protection objectives.

Ten-level approach:

Risk level Definition
10 Enterprise collapse, massive deaths, or massive destruction
9 .
8 .
7 .
6 .
5 .
4 .
3 .
2 .
1 Minimal or no identifiable consequence.
10-Level Risk model

Three-level approach:

Risk level Definition
High Anything that can put the enterprise out of business, cause large-scale loss of shareholder value, cause significant damage to the environment, cause governmental agencies to stop doing business with you, cause loss of life, get officers thrown into jail, or result in other very serious negative consequences.
Medium Anything that causes substantial negative publicity, substantial loss of business, losses in the range of 5% or more of annual revenues, legal difficulties for officers, workers, or others, things that interrupt production or cause quality control problems in important manufacturing systems, and other events that don't reach the level of high risk but are not in the low-risk range.
Low Anything that is similar in consequence to a slip and fall accident, anything that normal business insurance standardly covers, and day-to-day office issues.
Three-level model

IEC 61508 approach:

Likelihood   Catastrophic  Critical  Marginal  Negligible
Frequent     I             I         I         II
Probable     I             I         II        III
Occasional   I             II        III       III
Improbable   III           III       IV        IV
Incredible   IV            IV        IV        IV
IEC 61508 risk model

Frequent:= Many times in a system lifetime (>10^-3)
Probable:= Several times in a system lifetime (10^-3 to 10^-4)
Occasional:= Once in a system lifetime (10^-4 to 10^-5)
Remote:= Unlikely in a system lifetime (10^-5 to 10^-6)
Improbable:= Very unlikely to occur (10^-6 to 10^-7)
Incredible:= Cannot believe that it could occur (less than 10^-7)


Catastrophic:= Multiple loss of life
Critical:= Loss of a single life
Marginal:= Major injuries to one or more persons
Negligible:= Minor injuries at worst

Requirements are:

Class I:= Unacceptable in any circumstance
Class II:= Undesirable. Tolerable only if risk reduction is impractical or costs are grossly disproportionate to the improvement gained
Class III:= Tolerable if the cost of risk reduction would exceed the improvement
Class IV:= Acceptable as it stands, though it may need to be monitored
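The IEC 61508 approach above combines three lookups: a numeric frequency is banded into a likelihood, the likelihood and consequence select a risk class from the matrix, and the class fixes the tolerability requirement. The following Python is an added example (not code from the page or from IEC 61508 itself) that chains those steps using only the bands, matrix and requirements printed above. It assumes the frequency thresholds are the same unit for every band (the page gives no unit) and that a value on a boundary falls into the less frequent band. Because the matrix on the page has no "Remote" row, a frequency that bands as Remote is reported as unclassified rather than silently assigned a class.

```python
"""Chain the page's likelihood bands, risk-class matrix and requirements.

Added example; thresholds, matrix and requirement texts are copied from the
page. The unit of the frequency values is an assumption (the page gives none).
"""
from typing import Optional, Tuple

# (band name, exclusive lower bound), most frequent first, from the page's
# definitions: Frequent is >10^-3, Probable 10^-3 to 10^-4, and so on.
LIKELIHOOD_BANDS = [
    ("Frequent", 1e-3),
    ("Probable", 1e-4),
    ("Occasional", 1e-5),
    ("Remote", 1e-6),
    ("Improbable", 1e-7),
    ("Incredible", 0.0),
]

SEVERITIES = ["Catastrophic", "Critical", "Marginal", "Negligible"]

# The matrix exactly as printed on the page; note it has no "Remote" row.
CLASS_MATRIX = {
    "Frequent":   ["I", "I", "I", "II"],
    "Probable":   ["I", "I", "II", "III"],
    "Occasional": ["I", "II", "III", "III"],
    "Improbable": ["III", "III", "IV", "IV"],
    "Incredible": ["IV", "IV", "IV", "IV"],
}

REQUIREMENTS = {
    "I": "Unacceptable in any circumstance",
    "II": "Undesirable. Tolerable only if risk reduction is impractical or "
          "costs are grossly disproportionate to the improvement gained",
    "III": "Tolerable if the cost of risk reduction would exceed the improvement",
    "IV": "Acceptable as it stands, though it may need to be monitored",
}


def likelihood_band(rate: float) -> str:
    """Map a frequency to a band; a value exactly on a threshold goes to the
    less frequent band, matching the page's strict '>10^-3' for Frequent."""
    if rate < 0:
        raise ValueError("frequency must be non-negative")
    for name, lower in LIKELIHOOD_BANDS:
        if rate > lower:
            return name
    return "Incredible"  # rate == 0


def risk_class(band: str, severity: str) -> Optional[str]:
    """Look up the class; None when the page's matrix has no row for the band."""
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    row = CLASS_MATRIX.get(band)
    if row is None:
        return None
    return row[SEVERITIES.index(severity)]


def classify(rate: float, severity: str) -> Tuple[str, Optional[str], str]:
    """Return (likelihood band, class or None, requirement text)."""
    band = likelihood_band(rate)
    cls = risk_class(band, severity)
    if cls is None:
        return band, None, f"no class defined for {band} in the page's matrix"
    return band, cls, REQUIREMENTS[cls]


if __name__ == "__main__":
    # Constructed sample frequencies, not data from the page.
    for rate, sev in [(5e-4, "Catastrophic"), (3e-5, "Marginal"),
                      (2e-6, "Negligible"), (5e-8, "Critical")]:
        print(rate, sev, "->", classify(rate, sev))
```

The unclassified result is deliberate: an assessment tool that quietly picks a neighbouring row for a band the matrix omits would hide a gap in the risk model, which is exactly the kind of silent assumption the financial-numbers discussion below warns about.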


Analyze risks in terms of financial numbers.

This approach typically uses probabilistic risk assessment (PRA) or a similar method to derive financial metrics that codify event sequence probabilities and the losses they would produce, combining them into an expected loss. Defensive measures are then selected to reduce that expected loss. The problems with this approach are many: the high cost of the undertaking, the inability to accurately codify everything in terms of numbers, the difficulty of using probability distributions and confidence intervals instead of fixed values to compensate for the inaccuracy of fixed values, the sensitivity of defense selection to minor changes in the values used in the computations, and the inability to enumerate all event sequences of interest. In fact, even the losses associated with events after they have taken place are often hard to agree on to within several orders of magnitude.
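The sensitivity objection in the paragraph above is easy to reproduce. The Python below is an added example (not from the page) with constructed scenarios and defenses: it computes expected loss per event sequence, picks the defense with the largest net benefit (expected loss avoided minus cost), and then shows that shrinking one probability estimate by 10% flips the choice. The scenario names, probabilities, losses and reduction fractions are all made-up values chosen to make the flip visible.

```python
"""Expected-loss defense selection and its sensitivity to input estimates.

Added example with constructed numbers; none of the figures come from the page.
"""
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float  # assumed per-year frequency of the event sequence
    loss: float                # assumed loss if the sequence occurs

    def expected_loss(self) -> float:
        return self.annual_probability * self.loss


@dataclass(frozen=True)
class Defense:
    name: str
    cost: float                   # assumed annualised cost of the measure
    reduction: Dict[str, float]   # scenario name -> fraction of its loss removed


# Constructed inputs: two sequences with equal expected loss, two candidate
# defenses of which only one can be funded.
SCENARIOS: List[Scenario] = [
    Scenario("A", 0.02, 500_000.0),   # expected loss 10,000
    Scenario("B", 0.10, 100_000.0),   # expected loss 10,000
]
DEFENSES: List[Defense] = [
    Defense("d1", 8_000.0, {"A": 0.90}),  # avoids 9,000 -> net 1,000
    Defense("d2", 7_500.0, {"B": 0.84}),  # avoids 8,400 -> net   900
]


def total_expected_loss(scenarios: List[Scenario]) -> float:
    return sum(s.expected_loss() for s in scenarios)


def residual_loss(scenarios: List[Scenario], defense: Defense) -> float:
    """Expected loss remaining after the defense's reductions are applied."""
    return sum(s.expected_loss() * (1.0 - defense.reduction.get(s.name, 0.0))
               for s in scenarios)


def net_benefit(scenarios: List[Scenario], defense: Defense) -> float:
    avoided = total_expected_loss(scenarios) - residual_loss(scenarios, defense)
    return avoided - defense.cost


def best_defense(scenarios: List[Scenario], defenses: List[Defense]) -> str:
    return max(defenses, key=lambda d: net_benefit(scenarios, d)).name


def perturb(scenarios: List[Scenario], name: str, factor: float) -> List[Scenario]:
    """Scale one scenario's probability estimate by `factor`."""
    return [replace(s, annual_probability=s.annual_probability * factor)
            if s.name == name else s for s in scenarios]


def sensitivity(scenarios: List[Scenario], defenses: List[Defense],
                name: str, factors: List[float]) -> Dict[float, str]:
    """Which defense wins when one probability estimate is scaled by each factor."""
    return {f: best_defense(perturb(scenarios, name, f), defenses) for f in factors}


if __name__ == "__main__":
    print("baseline choice:", best_defense(SCENARIOS, DEFENSES))
    print("choice vs. scaling of P(A):",
          sensitivity(SCENARIOS, DEFENSES, "A", [0.8, 0.9, 1.0, 1.1]))
```

A 10% move in a single probability, well inside the uncertainty the paragraph describes for loss estimates, is enough to change which defense the method recommends; the `sensitivity` helper is the minimal check a practitioner should run before trusting a PRA-driven ranking.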

Option 4 is problematic in that it fails to meet the basic need to address risks systematically. The Sarbanes-Oxley Act mandates that all public companies undertake to understand and describe business risks, both internally and to their shareholders, and this notion is sweeping the world as a mandatory component of rational business management. Rational business owners and executives want to understand risks and deal with them prudently, but they cannot do that without gaining a clear understanding of the risks in business terms. For this reason, option 4 should not be used.

Use a 3-level system with low, medium, and high risks defined based on consequences.

Typical definitions are those given in the three-level model above.

This approach is advantageous because it is relatively simple and because it allows defined protection measures to be used for the different risk levels without undue complexity while reasonably addressing the basic needs. More detailed system-specific protection measures are also needed in many cases, but this is a good starting point.

Use a 10-level system rating risks from 1 to 10 based on consequences.

The 10-tier system, and other similar systems with large numbers of levels, present advantages and disadvantages. The advantage is finer granularity of control and less bunching of widely differing things together. The disadvantage is complexity of understanding and management. For example, there are rarely well-codified procedural differences between tiers 6 and 7, nor different HR requirements, different legal requirements, and so forth. This means that some things change with tiers and some things don't, which makes the system harder to manage and operate. Systems also tend to move from tier to tier more often when there are finer differentiations, and people tend to argue over the subtle differences. Another major problem is that there aren't usually ten different levels of surety for protective approaches to any given issue, so the minor differences between tiers don't result in substantial changes in how things are protected.

Don't rate risks.

While almost all standard approaches to protection call for rating risks, some situations do not require ratings, either because all systems are equivalent in all important ways, or because they are all treated as equivalent regardless of the specifics. While this leads to a non-optimal program in terms of balancing surety with risk, it is also very low cost and simple to do the same thing for all systems and content.

Rate systems based on protection objectives.

When risks are rated in other ways, sub-ratings or definitions of protection requirements are typically also driven by the particular objectives of particular systems.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved