Understanding Exposure: Value at risk vs observation & judgement
There’s a school of thought that the concept of value at risk, or “VaR”, can be applied to all categories of risk. I’m not convinced – value at risk is best applied to financial risks, where the outcome can be easily expressed and quantified in numbers. It is the de facto approach adopted by most financial institutions and their regulators. VaR is based on understanding the scale and frequency of price variations: every financial instrument has a price history from which average and maximum price variations can be understood and used to decide how much exposure management (in this case, hedging) may be required. An organisation can therefore make decisions on how much it is prepared to spend on hedging strategies in order to mitigate potential losses. This is not the case, however, with operational risks, because exposure and impacts can have primary outcomes that are not financial. For instance, how many employees using easily guessable passwords can be tolerated? How many network vulnerabilities can be tolerated? How many dishonest employees will you put up with? Although there may well be financial impacts associated with operational risks, there is no direct numerical correlation between the threat manifesting itself and a loss figure. For this reason, applying VaR approaches to operational risks isn’t practical and is unlikely to improve the organisation’s understanding of its intrinsic operational risk exposure, and therefore its capability to manage it.
Operational risks are best assessed on observations and judgements, by considering the conditions in which exposure can occur and knowledge about the factors that really matter in terms of mitigation. Let’s take an example from information security. It’s not possible to apply VaR to failures in information security. For instance, what “asset” do we want to price? Our data, customer goodwill, our reputation, intellectual property, litigation costs, opportunity costs – the list goes on and on. As regards the RoI of mitigation approaches, the best approach to information security threats is to understand the root causes of threats and make judgements on the best ways to counter them, based on measures that we know to be effective – and affordable. An example might be the best way to demonstrate this principle. Let’s take a look at the concept of an organisation’s external cyber-attack surface: the number of possible ways an attacker can get into your IT infrastructure. The diagram below gives an example of some of the threats to the organisation’s technical perimeter being breached.
The organisation’s exposure can be understood from the existence and relative “health” of the measures in place to manage these threats. So, for instance, let’s say we could put a dashboard together that showed:
1. The measures we have in place to protect our perimeter
2. The number of identified flaws present in each mitigation measure
In the context of this diagram, a “flaw” could be:
Unpatched vulnerabilities that are currently being exploited by cyber criminals
DNS security errors at the domain or sub-domain level
Low levels of confidence that end-users can recognise a phishing or social engineering attack
Even without a “hard” number to indicate the level of loss, it’s possible to obtain a clear picture of whether threat mitigation initiatives are working effectively and which areas need attention. In this instance, exposure increases with the number and nature of “flaws” within threat mitigations.
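As an added illustration (not from the original post), here is a small model of the dashboard just described: each perimeter measure carries the flaws observed against it, exposure rises with both the count and the nature of those flaws, and comparing two snapshots shows whether an initiative is working. The measure names, flaw weights and observation counts are constructed assumptions for the example, not figures from the post.

```python
# Added example: an observation-and-judgement exposure dashboard.
# All control names, weights and counts below are constructed for illustration.
from dataclasses import dataclass, field

# Weight expresses the "nature" of a flaw as a judgement, not a monetary loss:
# an unpatched vulnerability being exploited in the wild outranks a DNS
# misconfiguration, which outranks a weak phishing-recognition score.
FLAW_WEIGHTS = {
    "exploited_unpatched_vuln": 5,
    "dns_security_error": 3,
    "low_phishing_awareness": 2,
}

@dataclass
class Measure:
    name: str                                   # perimeter mitigation measure
    flaws: dict = field(default_factory=dict)   # flaw type -> count observed

    def exposure(self) -> int:
        """Exposure rises with both the number and the nature of flaws."""
        for kind in self.flaws:
            if kind not in FLAW_WEIGHTS:
                raise ValueError(f"unclassified flaw type: {kind}")
        return sum(FLAW_WEIGHTS[k] * n for k, n in self.flaws.items())

def dashboard(measures):
    """Rows of (measure, exposure, flaw count), worst exposure first."""
    rows = [(m.name, m.exposure(), sum(m.flaws.values())) for m in measures]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def needs_attention(measures, threshold):
    """Judgement call: which measures exceed the tolerable exposure level?"""
    return [name for name, score, _ in dashboard(measures) if score > threshold]

def trend(before, after):
    """Exposure delta per measure; a negative value means the work is paying off."""
    prev = {m.name: m.exposure() for m in before}
    return {m.name: m.exposure() - prev.get(m.name, 0) for m in after}

# Constructed observations: two snapshots of the same three measures.
SNAPSHOT_BEFORE = [
    Measure("Patch management", {"exploited_unpatched_vuln": 1}),
    Measure("DNS hardening", {"dns_security_error": 4}),
    Measure("Security awareness training", {"low_phishing_awareness": 3}),
]
SNAPSHOT_AFTER = [
    Measure("Patch management", {"exploited_unpatched_vuln": 2}),
    Measure("DNS hardening", {"dns_security_error": 1}),
    Measure("Security awareness training", {"low_phishing_awareness": 3}),
]

if __name__ == "__main__":
    for name, score, count in dashboard(SNAPSHOT_AFTER):
        print(f"{name:30} flaws={count:2} exposure={score:3}")
    print("Needs attention:", needs_attention(SNAPSHOT_AFTER, threshold=8))
    print("Trend:", trend(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

Note that DNS hardening has more raw flaws than patch management in the first snapshot yet ranks differently once the nature of each flaw is weighed; the trend output is what tells you which initiative is actually working.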
VaR techniques have their place but are not universally applicable. Good risk management stems from a sound understanding of threats and exposure. As a general rule, use the approach that provides the most comprehensive understanding of exposure.