Calculating Risk – Where’s your Confidence?!

05/03/2020 | CISO Blog, DPO Blog, Operational Resilience Blog, Security Advisory Blog | EditoratLarge

When helping organisations navigate risk management, Fox Red Risk is often faced with the task of determining methods for calculating risk. We prefer to use tried and tested methodologies, but what we often find is that organisations very rarely calculate risk properly. A key thing missing from the majority of implementations we see is the complete absence of confidence when calculating risk. A confidence component to calculating risk is absolutely critical to the credibility of the output…here’s why…

Calculating Risk – Impact and Likelihood

Whenever you ask the average risk practitioner involved in calculating risk they will often default to the most basic form of risk calculation:

Risk = Impact x Likelihood

But it’s a bit more complicated than this. Risk is defined as “the effect of uncertainty on objectives” in ISO 31000:2018. Likelihood is defined as the “chance of something happening” and Impact is not explicitly defined and is only mentioned once in the whole standard (6.4.2). When calculating risk this is not, however, a bad way of going about things. But there is one other component that is missing when calculating risk…confidence!

How confident are you?

Confidence is mentioned in ISO 31000:2018 (see section 6.4.3 – Risk Analysis). When calculating risk, ISO 31000 states:

“Risk analysis should consider factors such as sensitivity and confidence levels.”

In my humble opinion, this does the risk management practitioner no favours by making such a component optional (“should” consider not “shall”) when calculating risk because confidence is absolutely critical. A practitioner must be able to state consistently and with repeatability, the confidence they have in the risk reporting they are providing to their organisation’s leadership. When calculating risk you must provide a confidence level!

Calculating risk – What is a confidence level?

Now I am going to be careful here and state that confidence intervals and confidence levels have very specific statistical meanings. You can find out a bit more about the statistical terms here. Suffice it to say, from a real-life application perspective, and in lay terms, we are putting a % figure on how confident we are in the way we are calculating risk data. A 0% confidence level means there is no faith at all that, if someone else repeated the risk analysis, the same results would emerge. A 100% confidence level means there is no doubt at all that, if the risk analysis were repeated, someone else would get the same results.

As you can see, when calculating risk, confidence is a critical factor. This is because if you can’t show the Board how confident you are in your analysis, how can they possibly make any meaningful decisions from the reporting?! This is quite possibly the reason why many of these pseudo risk management models fail to garner the attention of senior management: they themselves will subjectively assess the confidence level of the data because they haven’t been provided with a credible objective measure of confidence!

Calculating risk – How do I calculate confidence?

If you’re using a mathematically-based methodology for calculating statistical probability, then confidence is usually already a factor in the calculation (YouTube Apples). In the Apples video tutorial, you can see how it is calculated for a sample of apples, but what about calculating confidence intervals or confidence levels for something more abstract? For those who are a bit more adventurous, you can look at how it is done in the field of medicine here (YouTube Medicine – Qualitative Data). In the second example, one could just as easily replace constipation with a malware infection.

But I don’t have a lot of data – my confidence is going to be really low!

OK, so you may be at the start of your risk management journey and may not yet have collected that much data. The doubt then sets in. It’s then quite easy to start thinking…

“If I haven’t got that much data, then when I go to the senior management team and my confidence intervals are massive, it’s going to make me look like I am just guessing.”

Well, the truth is, the wider your confidence intervals, the more likely you are just guessing. Be honest with yourself about that first. Once you’re honest about it, then you can start collecting more data and that in turn will make your risk analysis more accurate. Your confidence intervals will then decrease and your confidence levels in the data you’re reporting will increase. Just remember the old adage. Do what you can, where you are, with what you have. Have an honest conversation with your leadership about what you can do with what you have and let them know that with more data you can make more accurate risk management predictions.
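The following worked example is added here by the editor and is not code from the original post or from Fox Red Risk. It ties together the two points above: the "How do I calculate confidence?" section (a confidence interval for a rate estimated from a sample, with malware infection standing in for the medical outcome in the video) and the point just made that intervals narrow as more data is collected. It then carries that interval through Risk = Impact x Likelihood so the Board sees a range rather than a single number. The Wilson score interval is the editor's choice of method (the post does not name one), and the endpoint sample counts and the GBP 50,000 impact figure are constructed for illustration.

```python
"""Added example (editor's, not from the original post): a confidence interval
for a likelihood estimated from a sample, and how it propagates into
Risk = Impact x Likelihood.

Constructed scenario: an organisation samples endpoints from its estate and
records how many suffered a malware infection in the last year. The observed
infection rate is the likelihood estimate; the Wilson score interval gives the
range within which we are (1 - alpha) confident the true rate lies.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import NormalDist


@dataclass(frozen=True)
class Interval:
    point: float  # point estimate of the proportion
    low: float    # lower bound of the confidence interval
    high: float   # upper bound of the confidence interval


def wilson_interval(successes: int, n: int, confidence: float = 0.95) -> Interval:
    """Wilson score interval for a binomial proportion.

    Chosen over the naive p +/- z*sqrt(p(1-p)/n) because it stays inside
    [0, 1] and behaves sensibly for small samples and rates near 0 or 1,
    which is exactly the situation at the start of a risk programme.
    """
    if n <= 0:
        raise ValueError("need at least one observation")
    if not 0 <= successes <= n:
        raise ValueError("successes must lie between 0 and n")
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    # Two-sided z critical value for the requested confidence level.
    z = NormalDist().inv_cdf(1 - (1 - confidence) / 2)
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half_width = z * ((p * (1 - p) / n + z * z / (4 * n * n)) ** 0.5) / denom
    return Interval(point=p,
                    low=max(0.0, centre - half_width),
                    high=min(1.0, centre + half_width))


def risk_range(impact: float, likelihood: Interval) -> tuple[float, float, float]:
    """Risk = Impact x Likelihood, reported as (point, low, high).

    Impact is in whatever unit the organisation reports (here a constructed
    cost per incident). Carrying the interval through is what lets the Board
    see how much confidence sits behind the headline figure.
    """
    return (impact * likelihood.point,
            impact * likelihood.low,
            impact * likelihood.high)


if __name__ == "__main__":
    impact_gbp = 50_000  # constructed: estimated cost of one infection
    # The same observed rate (10%) from progressively larger samples:
    # the interval narrows as the data grows.
    for infected, sampled in ((2, 20), (10, 100), (100, 1000)):
        ci = wilson_interval(infected, sampled)
        point, low, high = risk_range(impact_gbp, ci)
        print(f"n={sampled:5d}: likelihood {ci.point:.2f} "
              f"[{ci.low:.3f}, {ci.high:.3f}] -> "
              f"risk GBP {point:,.0f} [{low:,.0f}, {high:,.0f}]")
```

Running it shows the same 10% observed rate giving a likelihood interval of roughly 0.03 to 0.30 from 20 endpoints but 0.08 to 0.12 from 1,000, which is the honest conversation with leadership in numbers: the point estimate does not move, the width of what you can defend does.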

Calculating risk properly will save your company money!

A bad risk management framework is costing organisations money, but a risk management framework that is calculating risk properly will do the opposite. It can identify opportunities for improvement and opportunities to become best in breed. The more accurately you can predict risk, the more money that can be saved in terms of risk mitigation. If you’re worried about not having enough data, as has been discussed in another article, you have more than you think.

If you need help working out how to develop and implement a solid risk management framework, get in contact. Fox Red Risk can help!

About Fox Red Risk

Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
