Because it matters and it's easy once you know how!

How do you think about & Analyse (Analyze) Risks?

Everyone has a different perception of the word “risks” and how to analyse them in a business context.

Some people prefer to list all the risks that a business can face, assign each one a probability of occurring, multiply that probability by the risk's impact, and finally add the results up to give a risk score.

Another way of thinking about risk is to consider the “Annualised Loss Expectancy” (ALE), i.e. the monetary loss to assets that can be expected on average over a year. Thus the Annualised Loss Expectancy = the sum of each loss expectancy multiplied by its annualised rate of occurrence. ALE is a good technique for dealing with risks which occur reasonably frequently, but it is misleading for big one-off events.

These traditional ways of thinking about risk have a number of problems. For example, it is very difficult, if not impossible, to predict all the threats to your business and all the ways your business goals could be attacked. Also, the scoring mechanisms give only a crude approximation and tell you nothing about how to deal with each risk.

Dependency Modelling

A more natural way of thinking about risks is to think about a particular goal you are trying to achieve, and then to think about all the things you depend on to achieve that goal, especially those outside your control.

This is a very powerful way of thinking since it addresses the following key points:

  • You are performing a systematic decomposition of the steps, actions and dependencies you require to achieve your goal, thus giving you an action/project plan to achieve that goal.
  • Identifying things outside of your control is a very good indicator of risk.
  • You don't need to try and identify all the threats to your business or all the ways it can fail or be attacked. It's enough just to identify what you depend on and understand that those dependencies can fail. You don't need to know how they can be attacked or fail. You can then desensitise your goal to the impact of the failure of those things you depend on, for instance by putting in additional security measures.
  • The risk analysis technique using dependency modelling was developed by Prof John Gordon in the late eighties/early nineties.
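
The dependency-modelling idea above, worked through in Python as an added example; it is not VuRisk's algorithm or code from the original page. The goal, the dependency names, the probabilities and both helper functions are constructed for illustration, and leaves are assumed to fail independently and to appear only once in each model.

```python
# Added illustration of dependency modelling; not VuRisk's algorithm.
# Assumptions: leaves fail independently, each leaf appears once in a model,
# and every probability below is a constructed sample value.
from math import prod

def p_ok(node, leaves):
    """Probability that `node` is achieved, given per-leaf availability."""
    if isinstance(node, str):                 # leaf: something we depend on
        return leaves[node]
    kind, children = node
    probs = [p_ok(child, leaves) for child in children]
    if kind == "all":                         # needs every dependency
        return prod(probs)
    if kind == "any":                         # any one alternative suffices
        return 1 - prod(1 - p for p in probs)
    raise ValueError(f"unknown node kind: {kind!r}")

def sensitivity(goal, leaves):
    """Per leaf: drop in goal success if that leaf is certain to fail."""
    base = p_ok(goal, leaves)
    return {name: base - p_ok(goal, {**leaves, name: 0.0}) for name in leaves}

# Availability over the period of interest (constructed values).
LEAVES = {
    "mains_power": 0.99,        # outside our control
    "isp_link": 0.95,           # outside our control
    "payment_provider": 0.98,   # outside our control
    "web_server": 0.99,         # under our control
    "backup_4g_link": 0.90,     # only used by the hardened model
}

# Goal "take online orders": every dependency is a single point of failure.
GOAL = ("all", ["mains_power", "isp_link", "payment_provider", "web_server"])

# Same goal, desensitised to the ISP by adding an alternative route.
HARDENED = ("all", ["mains_power", ("any", ["isp_link", "backup_4g_link"]),
                    "payment_provider", "web_server"])

if __name__ == "__main__":
    for label, model in (("original", GOAL), ("hardened", HARDENED)):
        print(f"{label}: P(goal) = {p_ok(model, LEAVES):.4f}")
        for name, drop in sorted(sensitivity(model, LEAVES).items(),
                                 key=lambda kv: -kv[1]):
            print(f"  {name:17} drop if it fails = {drop:.4f}")
```

In the original model, losing any one dependency takes the goal's chance of success to zero; in the hardened model, losing the ISP link costs only about nine percentage points, without anyone having to say how the ISP might fail.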

Risk Analysis / Decision Software

There is an excellent software tool called VuRisk to help you think and brainstorm about “the things you depend on outside your control” and thus infer their impact on the probability of success of your particular goal or goals.

VuRisk is a general purpose risk analysis/decision tool which can be applied to many areas of business risk including:

  • IT / Computer Security Risks
  • Health & Safety Risks
  • Legal Risks
  • Business Risk

Being able to measure / infer the impact of things you depend on which are out of your control gives you the information necessary to make decisions so that you can reduce your dependency on those things and thus reduce the risk of failure to achieve your particular goal or goals.

The key to performing this kind of analysis is to think about the abstract goals or attributes you depend on rather than focusing on specific physical solutions. For example, your goal is really to stop a thief stealing your equipment from the office, not to fit the best lock on your front door. This frees your mind to think about the real goals and issues instead of being distracted by actual physical mechanisms. Having said that, once you have done the analysis, it may show that, as part of the things you need to do, it would be a good idea to fit a good lock on your front door.

VuRisk is easy to use as it hides most of the complexity associated with statistics. It has a simple graphical interface.

Screen shot of the VuRisk software (risk analysis tool)

The software tool allows you to perform simple as well as very sophisticated risk analyses using dependency modelling techniques. You can get further information about the VuRisk software tool from the website www.conceptlabs.co.uk; click on the “Risk Analysis” link.

Note: VuRisk operates through statistics and cannot predict the future. Even improbable events will occasionally happen.