Risk analysis. A question for you math Gurus out there.

sandman748 Member Posts: 104
I have a problem I am facing, that I'm sure math could give a definitive answer on, but I'm not nearly smart enough to figure it out myself.

I'm faced with a problem that has a 40% chance of occurring. The cost associated with this risk is $1250 per occurrence. Assume that if it happens once, it will definitely happen again, and one of the below mitigation techniques MUST be performed in an attempt to prevent it from occurring again.

Option 1 reduces the odds of occurrence down to 25%. The cost of implementing this option is $5000.

Option 2 reduces the odds of occurrence down to 2%. The cost of implementing this option is $17,500.

If we were to choose option 1 and it failed to prevent the event from occurring, we would be forced to choose option 2.

So do I accept the risk and do nothing, or do I implement one of the two mitigation options? If someone is able to actually calculate this out easily, or point me to a formula that can help me, I would appreciate it greatly.
Working on CCIE Collaboration:
Written Exam Completed June 2015 ~ 100 hrs of study
Lab Exam Scheduled for Dec 2015

Comments

  • ptilsen Member Posts: 2,835 ■■■■■■■■■■
    I have not studied risk analysis or the math behind it, but even with what I do know, I don't think the beginning premise is enough to answer the question. A 40% chance of failing once and costing $1,250, with 100% chance of recurrence is ambiguous. What is the time frame, a year? How often will it recur? What is the cost of it recurring?

    My understanding -- again, caveat that I have no training, just basic statistic knowledge -- is that you would need this to first calculate the cost of leaving it unmitigated. If it were just 40% * $1250, the cost would be $500, which is less than the cost of mitigation.

    If, however, it goes into service for one year and there is a 40% chance it fails once in a year, costing $1250, then the failure recurs 19 times over the year, costing a total of $25,000, it would be $10,000 (.4 * $25,000) to not mitigate at all. It would be .25 * $25,000 + $5,000 = $11,250 to use option one (chance of failure * failure cost plus cost to mitigate). It would be .02 * $25,000 + $17,500 = $5,500 to use option 2, which would be the best option.

    Again, that's just my understanding, and it's already making lots of assumptions. Hopefully a true expert can add more, but I think we will need more explanation behind the scenario either way.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    How much is the asset worth to the organization?
  • halaakajan Member Posts: 167
    At the end of the day is the question "Are the upper management willing to spend?"
  • Asif Dasl Member Posts: 2,116 ■■■■■■■■□□
    Have a look at this: IT risk management

    I'm no math genius but I'll have a go anyway. I'll be covering it on my MBA eventually.

    Risk = Likelihood * Impact

    That gives you 5 possible outcomes:

    40% * $1250 = 500 (You pay for each incident as it happens)
    40% * $1250 + $5000 = 2500 (You pay for the first incident, then pay for Option 1 to fix the problem)
    40% * $1250 + $17500 = 7500 (You pay for the first incident, then pay for Option 2 to fix the problem)
    25% * $5000 = 1250 (You just pay for Option 1 now to fix the problem)
    2% * $17500 = 350 (You just pay for Option 2 now to fix the problem)

    So going for Option 2 now is the best, least risky option.

    HTH.
  • ptilsen Member Posts: 2,835 ■■■■■■■■■■
    That's not quite right. You're multiplying likelihood and cost of mitigation. You need to multiply likelihood by impact, then add mitigation cost to determine the value of option 1 and 2.

    You spend $17,500 for option 2 just to implement it. The cost of option 2 is .02 * 1250 + 17500, based on OP. Similarly, option 1 costs $5,000 + the risk of failure. By no valid math can you make option 1 and 2 cost less than they do to implement.
  • Asif Dasl Member Posts: 2,116 ■■■■■■■■□□
  • N2IT Inactive Imported Users Posts: 7,483 ■■■■■■■■■■
  • ptilsen Member Posts: 2,835 ■■■■■■■■■■
    Asif Dasl wrote: »
    I was multiplying likelihood by impact. The impact being the cost to fix and prevent another occurrence.
    You're not. Look again.
    Asif Dasl wrote: »
    25% * $5000 = 1250 (You just pay for Option 1 now to fix the problem)
    2% * $17500 = 350 (You just pay for Option 2 now to fix the problem)

    The $5,000 and $17,500 figures are not the impact. They are the cost of mitigating options. The direct cost of impact is $1,250 no matter what the mitigation costs to implement.

    So the correct comparison is between no mitigation, option 1, and option 2. Doing likelihood * impact = risk:
    .4 * 1250 = 500
    .25 * 1250 = 312.5
    .02 * 1250 = 25

    The cost of impact is unaffected by what the mitigation costs are (presumably). It costs $1250 when there is a failure. Mitigation reduces that risk, but mitigation is not free. Hence, cost = risk + mitigation cost = mitigation cost + probability * impact:
    0 + .4 * 1250 = 500
    5000 + .25 * 1250 = 5312.5
    17500 + .02 * 1250 = 17525

    However, OP specifies an ambiguous risk in the form of a guaranteed recurrence of the failure lacking cost and frequency. Without knowing how often the failure will actually recur, if occurring once means it is more likely to occur again, we can't really use this formula for anything.
  • ptilsen Member Posts: 2,835 ■■■■■■■■■■
    I'm using the same formula you are, just adding the cost to mitigate in there. If we're expressing risk = impact * probability as a cost, e.g. $500, then adding the up-front cost to mitigate using option 1 or 2 makes sense.

    Logically, if it only costs $1250 when the failure occurs, $5,000 or $17,500 on mitigation would be a losing bet.
  • Asif Dasl Member Posts: 2,116 ■■■■■■■■□□
    I think we are getting a little confused here. I was talking about risk not return on investment. Calculating ROI as a % of Cost of Risk is a different formula. To me, Option 2 is less risky. But using this other formula, then yes, you are right but that's not how you explained it - which didn't sound right to me.

    I think that new formula is the right one. So Option 2 is less risky, but paying per incident is likely a better ROI assuming there are fewer than 4 incidents (in a year?). Depending on how many incidents happen in a year (or lifecycle), Option 1 or Option 2 could represent a better ROI. The OP needs to explain that a bit better.

    ROI => 0 / (40% * 1250) => 0/500 = 0
    ROI => 5000 / (25% * 1250) => 5000/312.5 = 16
    ROI => 17500 / (2% * 1250) => 17500/25 = 700

    Correct me if I'm wrong here...
  • N2IT Inactive Imported Users Posts: 7,483 ■■■■■■■■■■
    Without a decent forecast of occurrences it would be like trying to hit a moving target. Will this happen 3 times or 3000 times?

    Only thing I can think of is to look at historical data and then run it through several simulations then come back and build your decision tree.

    Do you have similar systems or infrastructure you can compare the occurrences against? First you need good data, and then you can start to perform value analysis. Like I mentioned before, I would run your data through some simulations to develop an estimate first.
  • wes allen Member Posts: 540 ■■■■■□□□□□
    I think you need to annualize both your risk and your mitigation costs before you can do a solid comparison of the options. But, if it happens less than four times a year, and your option one cost is per year, then you are better off accepting the risk, financially speaking. To me at least, coming up with the initial numbers is the hard part where most people have trouble.

    Some links - Resources - CXOWARE
  • sandman748 Member Posts: 104
    Sorry for the delayed response. I appreciate your input thus far. I guess I may not have worded this right. This question was a hypothetical question asked of me by our new Info Sec manager. I am sure his goal was just to initiate some thinking on my part. I may not have explained properly.

    The initial question was regarding an incident where a "breach" caused a failure that would take "x" number of hours to rectify. Other than manpower there is no other risk to the company (Reputation loss, financial loss, etc..). Since the costs of all the mitigation techniques were expressed in dollars, I converted "x" number of hours into the equivalent wages instead of man hours. Basically there is a 40% chance of an attacker discovering a specific vulnerability. How he got this number is trivial as the number could be anything. The method of determining the answer is the important part.

    So anyway, in this scenario, once the vulnerability is known, we must take action to mitigate the problem. We are no longer able to accept the risk as it is now near 100% to occur on a regular basis. If the problem occurs, we are going to be spending the money on option 1 or 2 + the 1250 cost of occurrence. That being said, it didn't occur to me that frequency is obviously a factor. Even at 100% chance of occurring, if it happens less than the cost of mitigation, it's still cheaper to just allow it to happen. Which doesn't really seem right to me.

    Here were my thoughts over the weekend

    Do nothing, breach occurs, attempt option 1, and if that fails implement option 2: 40% x (1250 + 5000) + 25% x (1250 + 17500) = 7187.5
    Do nothing, breach occurs, go direct to option 2 : 40% x (1250 + 17500) = 7500
    Attempt option 1, follow up with option 2 if necessary = 5000 + (.25 x 17500) = 9375
    Skip straight to option 2 = 17500 (no math needed)

    Does my math seem right? I feel like I've over simplified what is probably a more difficult problem. It appears to me that doing nothing, then trying to resolve it as cheaply as possible is the best way to go. Even though you could potentially end up spending more in the long run, the likelihood of it never occurring or being mitigated on the cheap, makes up for it. If my math is right, this is completely against my initial reaction to the question, which was to fix it now.

    I apologize for not disclosing the fact that it was a hypothetical question. Your responses have been helpful in learning an area that is way outside of my normal realm.
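The four strategies sandman748 lists above are a small decision tree, and they are easiest to compare by evaluating the tree mechanically rather than by hand. The following is an added example, not code from the original thread; it assumes the thread's figures (40% baseline, $1250 per incident, option 1 at $5000 with 25% residual, option 2 at $17,500 with 2% residual). The one modelling choice it makes explicit is that probabilities are chained along each path: a step that is only reached after the breach occurs carries the 40% factor as well as its own, the $1250 incident cost is charged at every step where an incident happens, and a single residual incident is charged after option 2 as ptilsen did (17500 + .02 * 1250), so the totals differ slightly from the hand calculations above.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Figures from the thread (hypothetical scenario posed by the OP's manager).
INCIDENT = 1250.0          # cost of one occurrence
BASE_P = 0.40              # chance of the breach with nothing in place
OPT1_COST, OPT1_P = 5000.0, 0.25    # option 1: cost, residual probability
OPT2_COST, OPT2_P = 17500.0, 0.02   # option 2: cost, residual probability


@dataclass(frozen=True)
class Step:
    """One node of the decision tree.

    You pay `cost` on reaching this node; then with probability `p` the
    incident occurs and control passes to `on_incident`.  With probability
    1 - p nothing further happens and the path ends at no extra cost.
    """
    cost: float
    p: float = 0.0
    on_incident: Optional["Step"] = None


def expected_cost(step: Optional[Step]) -> float:
    """Expected cost of a subtree: cost here + p * expected cost of the
    incident branch.  Probabilities multiply along the path."""
    if step is None:
        return 0.0
    return step.cost + step.p * expected_cost(step.on_incident)


# Option 2 is always the last resort: pay the incident that forced it,
# pay the control, and carry its 2% residual as one more possible incident.
AFTER_OPT2 = Step(cost=INCIDENT + OPT2_COST, p=OPT2_P,
                  on_incident=Step(cost=INCIDENT))

# Option 1 applied after an incident; if it fails, option 2 is forced.
AFTER_OPT1 = Step(cost=INCIDENT + OPT1_COST, p=OPT1_P, on_incident=AFTER_OPT2)

STRATEGIES = {
    # Do nothing; on breach try option 1, then option 2 if that fails.
    "wait, then option 1, then option 2": Step(cost=0.0, p=BASE_P, on_incident=AFTER_OPT1),
    # Do nothing; on breach go straight to option 2.
    "wait, then option 2": Step(cost=0.0, p=BASE_P, on_incident=AFTER_OPT2),
    # Option 1 now; if it fails, option 2.
    "option 1 now": Step(cost=OPT1_COST, p=OPT1_P, on_incident=AFTER_OPT2),
    # Option 2 now, with its residual incident.
    "option 2 now": Step(cost=OPT2_COST, p=OPT2_P, on_incident=Step(cost=INCIDENT)),
}


def rank_strategies(strategies: dict[str, Step] | None = None) -> list[tuple[str, float]]:
    """Return (name, expected cost) pairs, cheapest first."""
    strategies = STRATEGIES if strategies is None else strategies
    ranked = [(name, expected_cost(step)) for name, step in strategies.items()]
    return sorted(ranked, key=lambda pair: pair[1])


if __name__ == "__main__":
    for name, cost in rank_strategies():
        print(f"{cost:10.2f}  {name}")
```

Running it ranks "wait, then option 1, then option 2" cheapest, which agrees with the qualitative conclusion in the post above; what the tree cannot capture is frequency, since each path is evaluated for a single breach rather than per year.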
  • dover Member Posts: 184 ■■■■□□□□□□
    Here's a wishy-washy answer....it depends

    What is the value of the asset(s) being impacted?

    Use that to determine Single Loss Expectancy
    SLE = Asset Value * Exposure Factor (the % chance of the threat meeting a vulnerability in the system)

    Then, as mentioned earlier, you need to determine the Annualized Rate of Occurrence - how many times the impact is likely to occur. Doesn't seem like he's given any indication of how many times it is likely to happen. You'd have to do your own research to determine if it has happened to others, or to your own organization historically.

    Like Wes said, after you can quantify those two variables (even if they are estimates) then you can come up with your Annualized Loss Expectancy
    ALE = SLE * ARO

    And finally with that info you calculate your ROI/TCO
    TCO > ALE is a good investment

    But ultimately it is management's decision on what controls to implement if any - they just need you to provide a comprehensive understanding of relative risk and impact to the organization so they can assess this with their risk appetite in mind.

    So basically, I just typed a bunch of words and got you no closer to your answer. Like Wes and N2IT said, trying to complete a purely quantitative risk analysis is difficult because you need concrete values so your analysis accurately reflects the true costs to the organization.