Risk Management: Risk definition: How are risk levels for the protection program defined?
Option 1: Analyze risks in terms of financial numbers.
IEC 61508 approach:
Frequent:= Many times in a system lifetime (>10^-3)
Catastrophic:= Multiple loss of life
Class I:= Unacceptable in any circumstance
Decision: IF there is a highly advanced risk management program AND justification for ten different protection profiles AND ten different levels of countermeasures are well defined, THEN use a 10-level system rating risks from 1 to 10 based on consequences AND rate systems based on protection objectives,
OTHERWISE IF the protection program is capable of varying protection continuously AND everything of import to the enterprise is reconcilable in terms of money, THEN analyze everything in terms of financial numbers AND rate systems based on protection objectives,
OTHERWISE IF a small number of systems are involved OR all systems have roughly equivalent risks OR protection is not to be differentiated between enterprise systems, THEN don't rate risks,
OTHERWISE Use a 3-level system with low, medium, and high risks defined based on consequences AND rate systems based on protection objectives.
Basis: Analyze risks in terms of financial numbers.
This approach typically uses probabilistic risk assessment (PRA) or a similar system to derive financial metrics that codify event sequence probabilities and the losses associated with them, and combines them into an expected loss. Defensive measures are then applied to reduce expected loss. The problems with this approach are many, including the high cost of the undertaking, the inability to accurately codify everything in terms of numbers, the difficulty of using probability distributions and confidence intervals (rather than fixed values) to mitigate the inaccuracy of point estimates, the sensitivity of defense selection to minor changes in the values used in the computations, and the inability to list all event sequences of interest. In fact, even the losses associated with events after they take place are often hard to agree on to within several orders of magnitude.
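To make the two weaknesses above concrete (sensitivity of defense selection to small input changes, and the width of the result when losses are uncertain by an order of magnitude), here is an added worked example of an expected-loss calculation; it is not from the original page. The event sequences, annual rates, losses, countermeasure costs and reduction factors are constructed sample values, and the countermeasure model (each measure scales the rate of named events) is a simplifying assumption made for the illustration.

```python
"""Expected-loss (PRA-style) risk analysis with a sensitivity check.

Added illustration; all figures below are constructed sample values, not
data from any real assessment.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class EventSequence:
    name: str
    annual_rate: float      # expected occurrences per year (point estimate)
    loss_per_event: float   # monetary loss per occurrence (point estimate)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    # assumed model: fraction by which each named event's annual rate is reduced
    rate_reduction: Dict[str, float]


# Constructed sample event sequences (annual expected loss in comments).
EVENTS: List[EventSequence] = [
    EventSequence("ransomware", 0.05, 2_000_000),          # 100,000 / year
    EventSequence("insider_data_theft", 0.02, 3_000_000),  # 60,000 / year
    EventSequence("web_defacement", 0.5, 20_000),          # 10,000 / year
]

# Constructed sample countermeasures.
MEASURES: List[Countermeasure] = [
    Countermeasure("offline_backups", 40_000, {"ransomware": 0.8}),
    Countermeasure("dlp_monitoring", 25_000,
                   {"insider_data_theft": 0.9, "ransomware": 0.1}),
]


def annual_expected_loss(events: List[EventSequence],
                         measure: Optional[Countermeasure] = None) -> float:
    """Sum of rate * loss over all event sequences, after applying a measure."""
    total = 0.0
    for e in events:
        reduction = measure.rate_reduction.get(e.name, 0.0) if measure else 0.0
        total += e.annual_rate * (1.0 - reduction) * e.loss_per_event
    return total


def best_countermeasure(events: List[EventSequence],
                        measures: List[Countermeasure]) -> Tuple[str, float]:
    """Pick the measure minimising residual expected loss plus its own cost."""
    best_name, best_total = "none", annual_expected_loss(events)
    for m in measures:
        total = annual_expected_loss(events, m) + m.annual_cost
        if total < best_total:
            best_name, best_total = m.name, total
    return best_name, best_total


def sensitivity(events: List[EventSequence], measures: List[Countermeasure],
                event_name: str, scale: float) -> Tuple[str, float]:
    """Re-run the selection after scaling one event's loss estimate by `scale`.

    A small scale change that flips the chosen measure shows how fragile
    point-estimate PRA decisions can be.
    """
    adjusted = [
        EventSequence(e.name, e.annual_rate, e.loss_per_event * scale)
        if e.name == event_name else e
        for e in events
    ]
    return best_countermeasure(adjusted, measures)


def expected_loss_interval(events: List[EventSequence],
                           uncertainty_factor: float) -> Tuple[float, float]:
    """Low/high expected loss if every loss estimate is only known to within
    a multiplicative factor (e.g. 10 for one order of magnitude)."""
    low = sum(e.annual_rate * e.loss_per_event / uncertainty_factor for e in events)
    high = sum(e.annual_rate * e.loss_per_event * uncertainty_factor for e in events)
    return low, high


if __name__ == "__main__":
    print("baseline expected loss:", annual_expected_loss(EVENTS))
    print("chosen measure:", best_countermeasure(EVENTS, MEASURES))
    # Shrinking the ransomware loss estimate by only 5% changes the decision.
    print("after 5% change:", sensitivity(EVENTS, MEASURES, "ransomware", 0.95))
    print("range at 10x loss uncertainty:", expected_loss_interval(EVENTS, 10.0))
```

With these inputs the two measures are within about 1,000 per year of each other, so a 5% revision of one loss estimate reverses the choice, while a one-order-of-magnitude uncertainty in losses spreads the expected loss across two orders of magnitude; that spread is the practical reason the text warns against treating the point estimate as the answer.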
Option 4 is problematic in that it fails to address the basic need to systematically address risks. The Sarbanes-Oxley Act mandates that all public companies undertake to understand and describe business risks internally and to their shareholders, and this notion is sweeping the world as a mandatory component of rational business management. Rational business owners and executives want to understand risks and deal with them prudently. But they cannot do that without gaining a clear understanding of the risks in business terms. For this reason, option 4 should not be used.
Use a 3-level system with low, medium, and high risks defined based on consequences.
Typical definitions are:
This approach is advantageous because it is relatively simple and because it allows defined protection measures to be used for the different risk levels without undue complexity while reasonably addressing the basic needs. More detailed system-specific protection measures are also needed in many cases, but this is a good starting point.
Use a 10-level system rating risks from 1 to 10 based on consequences.
The 10-tier system, or other similar systems with large numbers of levels, present advantages and disadvantages. The advantage is finer granularity of control and less bunching of wider ranges of things together. The disadvantage is complexity of understanding and management. For example, there are rarely well codified procedural differences between tiers 6 and 7, different HR requirements, different legal requirements, and so forth. This means that some things change with tiers and some things don't, which makes the system harder to manage and operate. Systems also tend to move from tier to tier more often when there are finer differentiations, and people tend to argue over the subtle differences. Another major problem is that there aren't usually ten different levels of surety for protective approaches to any given issue, so the minor differences in the tiers don't result in substantial changes in how things are protected.
Don't rate risks.
While almost all standard approaches to protection call for rating risks, some situations do not require ratings, either because all systems are equivalent in all important ways, or because they are all treated as equivalent regardless of the specifics. While this leads to a non-optimal program in terms of balancing surety with risk, it is also very low cost and simple to do the same thing for all systems and content.
Rate systems based on protection objectives.
Whichever of the other rating approaches is used, sub-ratings or definitions of protection requirements are typically also driven by the particular objectives of particular systems.