Risk as a Calculation
The problem is that we don’t typically have a disciplined methodology for arriving at a plan of action. Consider the following: You have to know what the loss is that you are trying to avoid. Sound simple? I assure you that most money is spent protecting assets without any regard to the loss that they represent. Remember, it’s not the laptop computer that you are protecting per se. It is the monetary value of some aspect of that asset. It could be the replacement cost of the asset. Do you think that would change your view of what was needed as a control? Of course! The replacement value of the computer is only a factor if you physically lose the computer or it is broken through physical damage. Anti-theft devices, padded carrying cases, security awareness training for employees are all possibilities but if the cost of these measures exceeds the cost of the computer then I’m guessing that you wouldn’t be likely to apply them. You may do some but not all and it would depend on analysis of which would represent a greater cost reduction.
Let’s take a look now at the calculation of risk. Why is it so rare that organizations, particularly in the public sector, invoke mathematical discipline on such an important issue? It isn’t really high-level math either, but rather some rudimentary calculations used as tools. Consider the following simple variables.
• ARc = Absolute Risk of the general community (expressed as a percentage).
• ARt = Absolute Risk of the assets treated with a given control (expressed as a percentage).
• ARc - ARt = ARR (Absolute Risk Reduction)
Example: Let’s say that the risk of a desktop being rendered unusable due to malware is the concern. This is an easy calculation for an organization; simply ask “what percentage of my computers do I have to rebuild every year?” So let’s say that our organization rebuilds 10% of its desktops each year, and that we are a typical organization.
ARc = 10%
Let’s further suggest that if we buy a particular additional technology, the absolute risk will be reduced to 5%, a figure based on industry analysis.
ARt = 5%. Therefore: ARc - ARt = 5%
An absolute risk reduction of 5% doesn’t sound like a big deal but here we have another result called Relative Risk (RR).
RR = ARt / ARc, or in this case .50 or 50%
This is a Relative Risk Reduction (RRR) of 50%, and that is a useful piece of information. If the cost of reimaging a computer is $5000, then $5000 times the number of computers affected could add up. Let’s do the math.
Say your organization has 1000 laptops and the odds are 1 in 10 that you will have to re-image one. Another way of putting it is that you typically reimage 100 laptops per year at a cost of $500,000. Now we’re talking big bucks. If you can reduce that risk by 50%, then you will save $250,000 in operational cost. There is only one pertinent question, and that is how much it will cost to implement these protections. Let’s say the cost of the technology under consideration is $60 per client. That’s $60,000 to save $250,000. That sounds like a good deal: a total cost of $310,000 instead of $500,000, for a savings of $190,000.
There is no need to stop here, and indeed wise analysts will consider further. Because we look at risk in terms of cost, the cost of re-imaging an asset should be considered a legitimate risk contribution. What if it didn’t cost $5000 to re-image a computer? What if by automating that effort we could reduce the cost? That would affect the risk equation. We know that the components of the reimaging cost are not only the manpower but also the lost productivity represented by the loss of that asset for several days while we re-image and deploy the new asset.
Let’s go back to an ARc of 10%. Let’s say that by considering automation instead we are able to cut the manpower in half and shave 2 days of lost productivity off the equation, and let’s say that gets the cost down to $500 per unit instead of $5000. Now we are talking about a 90% cost reduction, or a new cost of $50,000 for ARt instead of the $500,000.
Let’s further say that the cost of this technology is not $60,000 but $150,000. This gives us a total cost of $200,000 for this solution. This sheds a whole new light on the matter, doesn’t it? Which risk reduction option would you choose? Would you choose both? Remember that you could have a cost of $310,000 with the first technology or $200,000 for the second. What would be the cost of both?
First let’s take the cost reduction of the automation to get the cost down to $500 per asset. If we re-image 100 assets at a total cost of $50,000, we know from the previous exercise that our total cost is $200,000. If we add to that savings the 50% reduction in assets to remediate, we save another $25,000, but our cost for that additional savings is $60,000. We didn’t really even need the last step, since the $50,000 in reimaging cost as the new ARc is less than the proposed technology cost to reduce the number of assets to be re-imaged.
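The ARc / ARt / ARR / RR figures and the cost comparison of the two controls above, worked through in Python as an added example (not the article’s own). All dollar and percentage figures are the article’s; the function names, the Scenario class and the option labels are this example’s.

```python
from dataclasses import dataclass


def absolute_risk_reduction(ar_c: float, ar_t: float) -> float:
    """ARR = ARc - ARt, both as fractions (0.10 for 10%)."""
    return ar_c - ar_t


def relative_risk(ar_c: float, ar_t: float) -> float:
    """RR = ARt / ARc; the article reads the 0.50 here as a 50% reduction."""
    return ar_t / ar_c


def relative_risk_reduction(ar_c: float, ar_t: float) -> float:
    """RRR = ARR / ARc = 1 - RR. Both come out 0.50 on the article's numbers
    only because ARt is exactly half of ARc; in general they differ."""
    return absolute_risk_reduction(ar_c, ar_t) / ar_c


@dataclass(frozen=True)
class Scenario:
    assets: int          # laptops in the fleet
    ar_t: float          # fraction still re-imaged per year under this option
    reimage_cost: float  # cost to re-image one asset ($)
    control_cost: float  # annual cost of the control(s) ($)

    def expected_loss(self) -> float:
        return self.assets * self.ar_t * self.reimage_cost

    def total_cost(self) -> float:
        """What the organization actually pays: residual loss plus control."""
        return self.expected_loss() + self.control_cost


FLEET, AR_C = 1000, 0.10
BASELINE = Scenario(FLEET, AR_C, 5000, 0)                   # $500,000/yr
TECH_A   = Scenario(FLEET, 0.05, 5000, 60 * FLEET)          # halves re-images
AUTOMATE = Scenario(FLEET, AR_C, 500, 150_000)              # $500 re-images
BOTH     = Scenario(FLEET, 0.05, 500, 60 * FLEET + 150_000)


def savings(option: Scenario, baseline: Scenario = BASELINE) -> float:
    """Annual saving of an option against doing nothing."""
    return baseline.total_cost() - option.total_cost()


if __name__ == "__main__":
    for name, s in (("baseline", BASELINE), ("tech A", TECH_A),
                    ("automation", AUTOMATE), ("both", BOTH)):
        print(f"{name:10s} total ${s.total_cost():>9,.0f}  saves ${savings(s):>9,.0f}")
```

Running it reproduces the article’s $310,000, $200,000 and $235,000 totals and shows that adding the first technology on top of automation costs more than it saves.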
There are other risk factors besides the cost of re-imaging an asset and the loss of productivity. We didn’t consider the value of the information that may have been compromised or the nature of that compromise, but the point is that the discipline of going through the various calculations for each risk ensures that we are proposing the right products for the right controls to address our customers’ problems.