As Confucius said, “To know that we know what we know, and that we do not know what we do not know, that is true knowledge”, and this is the primary objective: to undertake a realistic risk assessment rather than an uncertain one. Both risk and risk assessment are affected by uncertainty. The intent is to assess a realistic ‘risk’ and reduce the ‘uncertainties’. Ill-informed inputs, or a lack of clarity as to how to identify, analyze or evaluate risks, could lead to a disastrous outcome or to uncertainty about meeting objectives. Frameworks such as OCTAVE-Allegro, FAIR, ISO 31000 and ISO 27005 can be used to establish accurate impacts and probabilities and to strengthen the risk assessment. One starting point for evaluation is to decide whether the assessment approach for dynamic systems should be quantitative or qualitative. Decision making without all the information a quantitative risk assessment needs may only increase the uncertainty of the resulting risk values, and there may be a lack of quantitative historical data. In such circumstances a qualitative methodology can emerge as the logical approach.
The risk assessment methodology has to take into consideration the challenges brought out in the paragraphs above, including the following critical factors and recommendations:
- Ensure clarity on all possible threat factors that may constitute a hazard to assets operating in an environment. Also take into account the possibility of deliberate abuse: human motives, targets, and the scale of attack an adversary can wage.
- Set the context and situational factors correctly. However, do not overly complicate things by according undue importance to certain threats or vulnerabilities. Risk assessment is about finding the right balance and reducing uncertainties for realistic risk identification, analysis and evaluation.
- Draw on the experience of established subject matter experts in the absence of adequate historical data. A strong recommendation is to use the Delphi technique, aggregating responses through an anonymous summary; where that is not possible, use industry best practices or templates wherever available.
- When assessing high-risk technologies, consider evaluating an ‘Agile’ approach against traditional ‘Waterfall’ methodologies.
- Re-confirm the correctness of decision thresholds where required, and re-evaluate the assumptions and premise of the risk assessment process to cater for new dimensions of threat acting in a particular environment that could affect you or lead to an unusual risk.
- Ensure top-down sponsorship from business leaders, who should provide the commitment and encourage participation. It should not be difficult to persuade business leaders to act on counter-measures once risks are evaluated and put in a language they understand. While risk management does not directly contribute to revenue, it helps in balancing risk taking against risk aversion. The assessment approach should remove the risk clutter to help the business stay afloat and operate.
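The two recommendations above that lend themselves to a worked example are the choice between quantitative and qualitative assessment and the Delphi-style aggregation of expert estimates. The following Python block is an added example, not code from the original article or from any of the named frameworks: it summarises each Delphi round anonymously (median of every expert's low / most-likely / high estimate) and feeds the aggregated ranges into a simplified FAIR-style Monte Carlo that reports the P10 / P50 / P90 of annual loss rather than a single number. The experts, rounds and all figures are constructed, and the "frequency draw times magnitude draw" annual-loss model is a deliberate simplification of FAIR, not the full taxonomy.

```python
# Added example (not from the original article): a Delphi-style anonymous
# aggregation of expert estimates feeding a FAIR-style Monte Carlo loss
# simulation. The experts, rounds and all figures are constructed for
# illustration; the annual-loss model is the simplified
# "frequency draw x magnitude draw" form, not a full FAIR implementation.
import random
import statistics


def delphi_aggregate(estimates):
    """Summarise one Delphi round without attribution.

    `estimates` is a list of (low, most_likely, high) triples, one per
    expert. The anonymous summary fed back to the panel is the median of
    each bound; `spread` (range of the most-likely values) is a simple
    consensus indicator that should shrink as rounds progress.
    """
    lows = [e[0] for e in estimates]
    modes = [e[1] for e in estimates]
    highs = [e[2] for e in estimates]
    return {
        "low": statistics.median(lows),
        "most_likely": statistics.median(modes),
        "high": statistics.median(highs),
        "spread": max(modes) - min(modes),
    }


def simulate_annual_loss(freq, magnitude, iterations=10000, seed=7):
    """FAIR-style Monte Carlo over aggregated ranges.

    `freq` is loss-event frequency (events per year) and `magnitude` is
    loss per event, each a dict with low / most_likely / high. Both are
    drawn from a triangular distribution (a common choice when only
    expert min/mode/max estimates exist) and multiplied to give one
    simulated year's loss. Returns the P10 / P50 / P90 of the simulated
    annual losses, so the decision maker sees a range, not one number.
    """
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    yearly = []
    for _ in range(iterations):
        f = rng.triangular(freq["low"], freq["high"], freq["most_likely"])
        m = rng.triangular(magnitude["low"], magnitude["high"],
                           magnitude["most_likely"])
        yearly.append(f * m)
    cuts = statistics.quantiles(yearly, n=100)  # 99 percentile cut points
    return {"p10": cuts[9], "p50": cuts[49], "p90": cuts[89]}


def uncertainty_ratio(result):
    """P90 / P10 of an annual-loss result: the wider this ratio, the more
    uncertainty the inputs still carry into the decision."""
    return result["p90"] / result["p10"]


# Constructed data: three anonymous experts, two Delphi rounds.
# Round 1 is the panel's independent first pass; round 2 is after they
# have seen the anonymous round-1 summary and revised their estimates.
FREQ_ROUND_1 = [(1, 5, 20), (2, 10, 40), (0.5, 3, 10)]
FREQ_ROUND_2 = [(2, 5, 12), (2, 6, 15), (1, 4, 10)]
MAG_ROUND_1 = [(10_000, 50_000, 200_000), (20_000, 80_000, 500_000),
               (5_000, 30_000, 150_000)]
MAG_ROUND_2 = [(20_000, 50_000, 120_000), (25_000, 60_000, 150_000),
               (15_000, 40_000, 100_000)]


def run_rounds():
    """Aggregate each round and simulate it, returning both results so
    the narrowing of the loss range between rounds can be compared."""
    out = {}
    for name, fr, mg in (("round1", FREQ_ROUND_1, MAG_ROUND_1),
                         ("round2", FREQ_ROUND_2, MAG_ROUND_2)):
        f, m = delphi_aggregate(fr), delphi_aggregate(mg)
        out[name] = {"freq": f, "magnitude": m,
                     "loss": simulate_annual_loss(f, m)}
    return out


if __name__ == "__main__":
    for name, r in run_rounds().items():
        loss = r["loss"]
        print(f"{name}: freq spread={r['freq']['spread']}, "
              f"P10={loss['p10']:,.0f} P50={loss['p50']:,.0f} "
              f"P90={loss['p90']:,.0f} "
              f"(P90/P10={uncertainty_ratio(loss):.1f})")
```

Running it prints one line per round; the point to read off is the P90/P10 ratio, which shrinks between round 1 and round 2 because the anonymous feedback narrowed the panel's ranges. A single "expected loss" figure would hide exactly that movement, which is the uncertainty the article asks the assessor to track and reduce.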
It is essential to explore the possibility space and to measure impacts through rigorous information gathering, threat modelling, and multiple hazard simulations and trials. The intent is to remove uncertainty from the risk assessment as exhaustively as possible and be better prepared for evolving risks to the business. Challenge the framework if you think there are grey areas. Confidence in the risk assessment methodology, gained by accommodating the challenges brought out above, is essential to reduce the uncertainties that dominate decision making. Confidence will grow and uncertainty will reduce as the project progresses.
Authored by Kinshuk De