The risk decision pattern

Ask a security professional about the essence of her profession, or open a book about the basics of security, and I guess without doubt it will start somewhere around the explanation of risk and the need for risk management. It is obvious to anyone who works in this sector that security is about risks. An event may happen in the future with some probability and will cause unwanted impact; yes, this is the definition of risk, and this is what the domain of security has to deal with. The only question then is: why is it so hard to find an efficiently working risk management, and why do we hear so many complaints from the experts about the lack of risk awareness in management? Especially if we consider the importance of security, that security which is built around risk.

One of the reasons why risks are neglected (at least more than we’d like to see) is perhaps those financial decisions where they are left out.

What do I mean, and how should risks and risk decisions be approached then?

We all know that profit goes like this:

\pi = I - C

The income reduced by the cost, which is quite OK from a cash-flow point of view. When it comes to a decision we might use something else, for example the Net Present Value:

NPV(i,N) = \sum_{t=0}^{N} \dfrac{R_t}{(1+i)^t}

The calculation takes the revenue (income minus cost) of each period and discounts it to the present. If the NPV is positive then go, else no-go. So far so good.

But what about the risks?

Usually they live their own life. Risks are the subject of a separate decision process, not too rarely with arguable success. We all know the theories of qualitative and quantitative risk assessment, the different risk response strategies and the procedures of several risk management methodologies. What they have in common is that each and every one is complex, takes time and other resources to execute, requires expertise and practice, uses foggy definitions like risk appetite, too often doesn’t care about the cost and feasibility factors, and neglects reality. So they are too often neglected (at least more than we’d like to see).

As someone who works in security, of course I’m not saying that risk assessment and risk management are needless; of course I strongly believe that we must focus on risks. Risk consideration must be part of the decisions just like resource consideration. But integrally, at the same time.

In general, in a two-factor decision we know that we need to give up something to gain something else. When we go shopping we are fine with paying for the benefit we’d like to have. In order to have revenue we must give up some of our resources. And of course, to maximize the profit we must find the balance of how much we give in order to take something else.

[Figure: resource-revenue]

This is the basis of every financial calculation. Of course, it’s not as simple as this. There is always uncertainty in our decisions: we can never know what will happen, we cannot be sure that our decision was right, and there are external effects that are hard or even impossible to predict. This uncertainty leads us to the risks. We must take some risk with every action we take, or as it is said, ‘no risk, no reward’. But risks, as possible loss, are not really welcome, since they have a negative effect on the profit. So what can we do? For instance, we can give up some of the revenue to lower the risk, or we can take more risk for a potential benefit. We have to choose again.

[Figure: risk-revenue]

But there is something else we can do: we can still reduce the risks by allocating more resources. We can do more investigation (which takes time and effort), we can apply more resources for more safeguards, or we can add extra cost for assurance. Although we’d like to increase the profit by lowering the resource consumption, in order to reduce the risk (the possible loss) we might have to give up this intention. The intention of risk reduction and the intention of resource saving work against each other.

[Figure: resource-risk]

Let’s put the above things together.

[Figure: risk-resource-revenue]

We have three factors in the same system: revenue to increase, risks to minimize, and resources to decrease (let’s call them the three “R” factors). In order to maximize the profit, we just need to find the balance by giving up one intention to fulfill another. This is the fundamental reason why we can claim that considering just two out of these might lead us to an inaccurate decision. Leaving out the risk factor from financial decisions, or leaving out the revenue or the resources from risk decisions, amounts to an improper conclusion. So far the title of this article should probably be just “decision pattern”, since it is not limited to risks.
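To make the point concrete, here is an added example (not code from the original article) that applies the NPV go/no-go rule from above twice to the same constructed project: once on the raw cash flows, and once with the expected loss of each period (risk as loss times probability, the definition used later in the post) charged against the cash flows. The assumption that the expected loss is subtracted from every period after the initial investment is mine, as are all the figures; the example shows how leaving the risk factor out of a financial decision can flip its conclusion.

```python
# Added example: NPV go/no-go with and without the expected loss included.
# All figures below are constructed for illustration.

def npv(rate, cash_flows):
    """Net present value: sum of R_t / (1 + i)^t for t = 0..N."""
    return sum(r_t / (1.0 + rate) ** t for t, r_t in enumerate(cash_flows))


def expected_loss(loss, probability):
    """Risk as loss multiplied by its probability (R = L x P)."""
    return loss * probability


def risk_adjusted_cash_flows(cash_flows, loss, probability):
    """Assumption for this example: the expected loss is charged against every
    period after the initial investment (t = 0 is the investment itself)."""
    r = expected_loss(loss, probability)
    return [cash_flows[0]] + [cf - r for cf in cash_flows[1:]]


def go_no_go(rate, cash_flows):
    """The rule from the post: positive NPV means go, otherwise no-go."""
    return "go" if npv(rate, cash_flows) > 0 else "no-go"


# Constructed scenario: invest 100 now, earn 45 in each of the next 3 periods at a
# 10% discount rate; a loss of 50 may hit the project with 15% probability per period.
RATE = 0.10
FLOWS = [-100.0, 45.0, 45.0, 45.0]
LOSS, PROB = 50.0, 0.15


def decision_without_risk():
    return go_no_go(RATE, FLOWS)


def decision_with_risk():
    return go_no_go(RATE, risk_adjusted_cash_flows(FLOWS, LOSS, PROB))


if __name__ == "__main__":
    print(f"NPV ignoring risk:      {npv(RATE, FLOWS):.2f} -> {decision_without_risk()}")
    adjusted = risk_adjusted_cash_flows(FLOWS, LOSS, PROB)
    print(f"NPV with expected loss: {npv(RATE, adjusted):.2f} -> {decision_with_risk()}")
```

With these numbers the plain NPV is about +11.9 (go), while the risk-adjusted NPV is about -6.7 (no-go): the same two-factor calculation reaches the opposite conclusion once the third factor is in the same system.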

Actually the described pattern is already used in other management scenarios; for example, it is very similar to project management’s pick-two theorem. We can substitute the revenue with the scope, the resource with the cost and the risk with the quality, but I’d rather say that instead of picking two out of the three we should find the balance.

No, it is definitely not easy (and I’d say the majority of the time it’s not even necessary), but let’s see how it looks. At least in theory, and with just two factors.

As we examined how the risks can be reduced, we saw that the possibility is to give up some of the resources or some part of the revenue. If we put this into a graph we’d see that the risk function converges to zero. Meaning that as we add more and more measures in the right order, the risk level decreases with less and less steepness and hits the axis only at infinity.

[Figure: risk]

With no protection the risk is a certain loss, while no matter how many measures you have already added, there will always be something more to add, and practically you can never reach a risk-free state.

At the same time, while you are working on the risk mitigation, adding the measures takes more and more resources (we call it the cost of mitigation). Moreover, to achieve more reduction in the risk level from state to state, not just more cost is needed, but this increase will be exponential.

[Figure: risk-cost]

Let’s not forget that the risk is actually the loss of assets or resources with some probability:

R=L\times P

therefore the dimension of the risk is the same as the dimension of the resources, i.e. the cost (resources to spend).

Now we have two functions. Both negatively affect the profit: the risk later, as a probable loss, and the cost immediately. By adding them together, we get the total resource trend as a function of the quantity of applied measures.

[Figure: risk-cost-sum]

The next task is obvious: we should find the local minimum of the sum function; that will be the optimal amount of measures to apply, with the optimal cost to spend and the optimal risk to take.

Let’s have a small math exercise. In a nutshell, from Fermat’s theorem we know that at the minimum of a differentiable function the function’s first derivative must be zero. What else do we know? We know that the observed function is a sum function, and we also know that the derivative of a sum is the sum of the derivatives of its components:

(f+g)'=f'+g'

It means that in order for our summed derivative (which consists of two components) to be zero, the absolute values of the components must be equal, but their signs must be different.

(f+g)'=0

f'+g'=0

f'=-g'

In other words, we are looking for the point where the slope of the risk function is the same as the slope of the cost function, but in the opposite direction.

We can use this observation when it comes to a decision on the risk and cost balance. With a decision we have to choose between at least two options (in the simplest case, go or no-go). All these options have attributes, and with the decision we are comparing the changes in those attributes. In short, we are deciding about deltas all the time. With reference to our previous observation we can say that we have the optimal amount of measures when, for a single change, the cost increase (delta cost) equals the risk reduction (delta risk).

|C_B-C_A| = |R_B-R_A|

In other words, if the cost of risk mitigation is less than the risk reduction then it’s fine to mitigate, but if we cannot achieve equal or more risk reduction than the cost to spend, then we should accept the risk.

Just one more thought before summing up. Since with risks we are in the field of probability theory, we need to talk about the dispersion as well. Practically, the dispersion here defines a range for the expected risk and results in a range for the sum function as well.

[Figure: risk-all]

As can also be observed in the chart, now we have two minima of the sum function to consider. The sweet spot of the decision is somewhere between the two, so we have some room here according to our risk acceptance behavior. The better the risk evaluation (even if it’s not formal), the closer these two minima are to each other, but better risk evaluation also requires resources.
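The whole exercise from the shape of the two curves through the Fermat condition, the delta rule and the dispersion range can be worked through numerically. The following is an added example, not code from the original article: it uses a constructed risk function that converges to zero (exponential decay) and a constructed cost function that grows exponentially, then locates the optimum three ways, as the integer minimum of the sum, as the continuous point where f' = -g' (found by bisection on the summed derivative), and by the delta rule of adding a measure only while its risk reduction is at least its cost increase. A scale factor on the risk estimate stands in for the dispersion and yields the two minima of the range case. The parameter values and the chosen curve shapes are my assumptions; the original post gives no formulas for the curves.

```python
import math

# Added example: constructed model of the residual-risk and mitigation-cost
# curves, with three ways to locate the optimal number of measures.
# All parameter values are constructed for illustration.

R0 = 100.0   # risk (expected loss) with no protection, constructed
K = 0.35     # rate at which well-ordered measures reduce the risk, constructed
C0 = 1.0     # cost scale of the first measure, constructed
A = 0.25     # exponential growth rate of the mitigation cost, constructed


def risk(n, scale=1.0):
    """Residual risk after n measures; reaches zero only at infinity.
    `scale` stands in for the dispersion of the estimate (1.0 = point estimate)."""
    return scale * R0 * math.exp(-K * n)


def cost(n):
    """Cumulative cost of n measures: zero with no measures, then exponential."""
    return C0 * (math.exp(A * n) - 1.0)


def total(n, scale=1.0):
    """The sum function: probable loss later plus cost now (same dimension)."""
    return risk(n, scale) + cost(n)


def argmin_measures(n_max=50, scale=1.0):
    """Integer number of measures with the lowest total."""
    return min(range(n_max + 1), key=lambda n: total(n, scale))


def fermat_optimum(scale=1.0, lo=0.0, hi=50.0, tol=1e-9):
    """Continuous optimum: solve risk'(n) + cost'(n) = 0 by bisection.
    Both derivative terms increase with n, so the sum has a single sign change."""
    def d_total(n):
        d_risk = -K * scale * R0 * math.exp(-K * n)   # slope of risk: negative
        d_cost = A * C0 * math.exp(A * n)             # slope of cost: positive
        return d_risk + d_cost                        # zero where f' = -g'
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if d_total(mid) < 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def delta_rule_measures(n_max=50, scale=1.0):
    """Add the next measure while its risk reduction is at least its cost increase."""
    n = 0
    while n < n_max:
        delta_risk = risk(n, scale) - risk(n + 1, scale)   # |R_B - R_A|
        delta_cost = cost(n + 1) - cost(n)                 # |C_B - C_A|
        if delta_risk < delta_cost:
            break   # mitigation no longer pays for itself: accept the remaining risk
        n += 1
    return n


def decision_range(low_scale=0.5, high_scale=2.0):
    """With dispersion the sum function has one minimum per bound of the risk
    estimate; the sweet spot lies between the two."""
    return argmin_measures(scale=low_scale), argmin_measures(scale=high_scale)


if __name__ == "__main__":
    print("integer optimum:      ", argmin_measures())
    print("Fermat optimum:        %.3f" % fermat_optimum())
    print("delta rule:           ", delta_rule_measures())
    print("range with dispersion:", decision_range())
```

With the constructed parameters the integer minimum and the delta rule both land on 8 measures, the continuous Fermat point is at about 8.24, and halving or doubling the risk estimate moves the minimum to 7 or 9 measures; the decision then has room between those two, exactly the situation the chart describes.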

Although in describing the basic theory we haven’t touched a number of other things (for example the time factor or the combination of the three “R” factors), we can draw some conclusions. As a conclusion we can say that the goal of minimizing the risks is false; instead we have to optimize them. With this optimization the protection of the assets should not be proportional to their value, but should be a decision that considers the possible change of the risk and the price of that change (of course the risk value will be higher if the asset value is higher). Risk mitigation is just like other goods: we have to buy it for the price it is worth. This price can be the intentionally missed revenue or direct resources.

Along with the theory above, in the real practice of decisions we rarely perform a formal analysis of the risks and mitigation costs of different scenarios. Rather, and this is very much in line with (not just) human nature, we apply well-known and well-tried patterns to different situations. This is the reason why an organization should have a collection of those patterns as part of its common knowledge.