« Return to Blog Listing

Two Questions Every Risk Assessment Should Answer - Part 2

Two Questions Every Risk Assessment Should Answer - Part 2

by Isaiah McGowan on Sep 27, 2016 4:15:00 PM
Two_Questions_Every_Risk_Assessment_Should_Answer_-_Part_2.jpgIt’s not enough to be able to make comparisons of risk to answer the question: “as compared to what?” We also have to articulate how we came to our conclusions.

In part 1 we discussed the implications of answering “as compared to what?” in reference to resource allocation decisions such as:

  • Improving existing controls
  • Dialing back existing controls
  • Business cases for solutions
  • Project prioritization plans
In this post we will tackle the second question: “how do you know that?” Decision makers seek to understand the risks we present to them. To that end, they ask questions such as:
  • How does this align with our experiences?
  • Are our peers experiencing something similar?
  • What data did you use?
  • Who did you work with?
These data-related questions are variations of the philosophical question below.

Ask the philosophical question

I call this the ‘philosophical’ question because sometimes discussing risk is an exercise in apologetics. Results are often defended with statements like these:

  • “It feels like a minor problem”
  • “I just know this problem will be bigger in the future"
Statements such as these cannot be validated in a meaningful way. As risk practitioners we must move away from this type of discourse. We should seek to make our work more scientific. What I mean by that is, our approach should be as rigorous and objective as possible. For a risk assessment process to be rigorous, it must be logical so the results can be tested and possibly invalidated. To be objective means to leverage raw data over subjectivity whenever possible. When risk assessments follow a rigorous model and leverage objective data, they answer the question: “how do you know that?"

Leverage a rigorous model to enforce critical thinking

Answering the philosophical question amounts to defending our results. The first step toward making risk assessments defensible is employing a logical method (e.g. Factor Analysis of Information Risk [FAIR]). If we fail to approach risk methodically, any of the following problems will drive our assessments off the rails:

  1. Reliance on mental models 
  2. Cognitive bias
  3. Action based on untested assumptions
The foundation for defensible results is leveraging a rigorous risk model. In the least, we can move away from the abused ‘wet finger in the air’ approach. That’s the underlying value of the standard FAIR risk model.

Readying yourself for any question

One of the elements of rigorous analyses is the requirement to document guiding assumptions and data sources. Both help us to express how we came to our conclusions. In the FAIR-based RiskLens softwarethat usually takes the form of data input ranges and levels of confidence in the data, backed by well-documented rationale. The figure below shows an example from our Cyber Risk Quantification application.
This approach allows us to answer any question with a reasoned response. We can reveal how we know what we know by articulating:
  • Collaborators
  • Data sources
  • The approach taken

Elevate your risk conversations

Following a rigorous approach allows us to logically incorporate data and systematically document our guiding assumptions. When we do this, we push our risk assessments towards the scientific realm. The main side effect is improved trust with decision makers. Over time the burden of detailed proof will diminish as our systematic approach proves reliable.
To see more examples of articulating risk in a scientific way through the use of the standard FAIR model, download any of our case studies.
This post was written by Isaiah McGowan

Isaiah McGowan is a Cyber Risk Scientist for RiskLens

Connect with Isaiah

Sign Up for Blog Updates

Recent Posts

Popular Posts