# Dealing with risk

The uncertainty of events has two components: the likelihood of an event and its impact. Likelihood is usually expressed as the probability of the event occurring, while impact is usually expressed as the financial loss that accompanies it. Multiplying the probability of an event by the loss that accompanies it gives us a way to quantify the risk associated with the event: risk is the amount that we expect to lose from a given activity.

In a hypothetical example, suppose that the data on each of our laptop computers is worth \$10,000 and the laptops themselves are worth \$1,000, and that there is a 10 percent chance of a laptop being stolen in a one-year period, resulting in a loss of the data on the laptop as well as the laptop itself. This means that the risk from using laptops represents \$1,100 of risk per laptop per year.

Once we understand the level of risk involved in using a particular technology, we need to decide how to manage this risk. We have four general ways to manage risks: avoidance, reduction, transfer, and acceptance.

If we decide to avoid a risk, we might simply refuse to use a technology that causes a risk. In our example of laptop computers, one way to deal with our hypothetical \$1,100 of risk is to ban the use of all laptops in our organization and accept the implications of such a decision. In some cases, this may actually be the best way to deal with certain risks. In our hypothetical example, if we cannot demonstrate at least \$1,100 of benefit from each laptop, this decision may be reasonable. In other cases it may not be feasible to avoid the risks associated with some technologies, and we need to consider alternatives to avoidance.

If we decide to reduce a risk, we take an action to reduce either the likelihood or the impact of an event. In our example of laptop computers, we might be able to reduce the rate of laptop theft by investing in locks to make theft of the laptops more difficult. Or we could reduce the impact of having a laptop stolen, perhaps by deploying a full-disk encryption product, so that when we lose laptops to theft, the data on the laptops is not compromised. Because there is also loss associated with the physical loss of a stolen laptop, encryption does not eliminate the risk associated with using laptops but only reduces it. Most investments in security technologies behave similarly, leaving some residual risk after they are implemented, and understanding the level of residual risk can be as important as understanding the original risk.

If we decide to transfer a risk, we get someone else to accept the risk, usually at a cost to us. Purchasing insurance is one way to do this, as is outsourcing the operation of a particular technology. Transferring risk often reduces the uncertainty of outcomes, but probably requires a cost roughly equal to the risk that we are transferring. So if we can purchase an insurance policy for \$1,000 per year, this premium reflects the average loss that the insurance company expects its customers to experience. Losses above the average amount are reduced at the expense of increasing losses which would have been below the average amount, but we gain a level of predictability by doing this. In the terminology of statistics, we have slightly increased the mean of our loss but greatly decreased the variance of our loss.

The final way to address risks is by doing nothing, or by accepting a risk. In our example of the risk associated with the loss of laptops, if full-disk encryption products cost much more than they currently do, say \$1,500 per laptop per year, then it would not be worth deploying the technology, because the cost of reducing the impact of the risk would exceed the risk itself. In this case it would be reasonable not to encrypt the data on the laptops, and to simply accept the risk associated with losing the laptops that we expect to lose. Many organizations deal with a great many risks in this way without fully understanding the implications of their inaction; doing nothing is certainly the default way to manage risk, but it may not always be the best way.
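The laptop example above, worked through in Python as an added illustration (not code from the original post): expected loss, residual risk after encryption, the reduce-versus-accept comparison, and the mean and variance effect of transferring the risk. The dollar figures and probability are the post's hypothetical values; the assumption that the insurance policy covers the full loss is mine.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LossEvent:
    probability: float  # annual likelihood of the event occurring
    impact: float       # financial loss when the event occurs

    def expected_loss(self) -> float:
        """Risk as the post defines it: likelihood multiplied by impact."""
        return self.probability * self.impact

    def variance(self) -> float:
        """Variance of a single yes/no loss: p * (1 - p) * impact**2."""
        return self.probability * (1 - self.probability) * self.impact ** 2


def residual_risk(event: LossEvent, *, probability=None, impact=None) -> float:
    """Risk remaining after a control lowers likelihood and/or impact."""
    p = event.probability if probability is None else probability
    i = event.impact if impact is None else impact
    return LossEvent(p, i).expected_loss()


def reduce_or_accept(event: LossEvent, control_cost: float, reduced_impact: float) -> str:
    """Deploy the control only if its cost plus the residual risk is below
    the untreated risk; otherwise accepting the risk is the cheaper choice."""
    treated = control_cost + residual_risk(event, impact=reduced_impact)
    return "reduce" if treated < event.expected_loss() else "accept"


def transfer_effect(event: LossEvent, premium: float) -> dict:
    """Mean and variance of annual loss with and without insurance.
    Assumed here (not stated in the post): the policy covers the full loss,
    so the insured outcome is the fixed premium with zero variance."""
    return {
        "uninsured": (event.expected_loss(), event.variance()),
        "insured": (premium, 0.0),
    }


# Post's hypothetical figures: $10,000 of data plus a $1,000 laptop,
# with a 10 percent chance of theft per year.
LAPTOP_THEFT = LossEvent(probability=0.10, impact=11_000.0)
HARDWARE_ONLY = 1_000.0  # impact once full-disk encryption protects the data

if __name__ == "__main__":
    print(LAPTOP_THEFT.expected_loss())                            # 1100.0
    print(residual_risk(LAPTOP_THEFT, impact=HARDWARE_ONLY))       # 100.0
    print(reduce_or_accept(LAPTOP_THEFT, 1_500.0, HARDWARE_ONLY))  # accept
    print(transfer_effect(LAPTOP_THEFT, 1_000.0))
```

Lowering the control cost (for example to \$500) flips the decision to "reduce", which is the break-even reasoning the post describes.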