“The Six Questions of Risk”: SRA 311 Lecture 4

Written by Will McGill on September 6th, 2008

The fourth lecture of my SRA 311 (Risk Management: Assessment and Mitigation) class was by far my favorite this semester.  The lecture topic was “The Six Questions of Risk,” and centered on (1) the three risk assessment questions posed by Dr. Stan Kaplan and Dr. B. John Garrick in their 1981 research paper “On the Quantitative Definition of Risk” (Risk Analysis, Vol. 1, No. 1, pp. 11-27, doi: 10.1111/j.1539-6924.1981.tb01350.x), and (2) the three risk management questions offered by Professor Yacov Haimes (UVA) in his 1991 editorial “Total Risk Management” (Risk Analysis, Vol. 11, No. 2, pp. 169-171, doi: 10.1111/j.1539-6924.1991.tb00589.x).  These “six questions” are as follows (in slightly revised form relative to what I presented in class):

  1. What can happen?
  2. How likely is it to happen?
  3. What are the consequences if it does?
  4. What can be done?
  5. What options are available and what are their benefits, costs, and risks?
  6. What are the impacts of current management decisions on future options?

The first three questions define the scope of risk assessment and the second three questions bound the scope of risk management.  In general, risk analysis should focus only on answering these questions, which as a whole is often a very difficult and costly task in terms of time and analytic resources.  There is a seventh question (or perhaps a few more than that) that is risk-relevant but not included in the list of questions above.  That question is “are the risks acceptable?,” a legitimate inquiry that would come up somewhere between questions 3 and 5 above.  In order for a risk analyst to answer this question, he or she must impose subjective value judgments and preferences on behalf of their client.  As discussed in one of the articles from my previous lecture 3 (the one by Pate-Cornell), risk analysts are not paid to pass judgment on the risks and options for risk reduction; rather, risk analysts are paid to be as objective about the nature of a particular problem and all its uncertainties as possible without expressing preference.  Nor do risk analysts seek to prescribe decisions (just as intelligence analysis should not prescribe decisions).  Decision analysts, on the other hand, take risk analysis to the next step by characterizing decision maker preferences in an attempt to identify the optimal option for a given problem.  Perhaps an individual wearing the hats of both risk and decision analyst might add this seventh question to the mix; but since the focus of my course is squarely on risk analysis, it does not factor into the scope of our analyses.

To begin answering the six questions of risk, one has to establish a security context (lecture 2) and clearly define the scope of the analysis (lecture 3).  Prior to introducing the six questions of risk I thoroughly reviewed the techniques for these items discussed in the previous two lectures and spent 30 minutes conducting group exercises where students had to articulate the scope of a pandemic-flu risk assessment from multiple stakeholder perspectives (e.g., CDC, pizza shop, parent, Penn State president, bus driver).  (This was a good exercise, but I found that I could perhaps have been a bit more organized in its administration.)

If one examines the first three questions, one could express the concept of risk (R) as the set of ordered triplets of the form:

R = <s,p,c>

where R is risk, s is the scenario (i.e., one answer to the first question), p is the probability of the scenario (i.e., answer to the second question), and c is the consequences given the scenario were to occur (i.e., answer to the third question).  According to this “classical risk triplet,” the scenario articulates a sequence of events from cause to some end state, the probability expresses the quantitative likeliness of this scenario occurring all things considered, and the consequence expresses the valuation of direct and indirect consequences associated with this end state (which may also be uncertain).  For example, a scenario might be “explosive attack against Building 1 that causes major structural damage.”  The probability, then, expresses the likeliness of this scenario considering the likeliness of the initiating event, quality of the explosive material and packaging, position of detonation, and the fragility of the target.  The consequence places value on the result of damage, to include lost property, number of individuals injured or killed, business disruption, and so on.

NOTE: regardless of whether numbers are used, the concept of the risk triplet still holds.  The key difference is that the probability will be couched in terms of the more generic notion of likeliness using phrases such as “Words of Estimative Probability” (WEPs) arrived at through reason and judgment, and consequence will be expressed in terms of outcome narratives (also see here and here for more information on WEPs.  Of course, these descriptions can later be converted to numbers as needed, but in the end the numbers are less useful than the knowledge used to generate them).

A more modern take on the “classical” risk triplet above (taken from my dissertation) is what I call the “modified” risk triplet (using slightly revised notation from my lecture):

R = <e,p,o>

which follows from the revised set of questions:

  1. What initiating events are plausible? (e)
  2. What outcomes are of concern? (o)
  3. How likely are the different combinations of event and outcome? (p)

Regardless of whether one looks at the “classical” or “modified” triplet, the quantitative definition of risk as the set of all ordered triples suggests that risk is “simply” the likeliness of alternative outcomes in light of a full complement of initiating events.  If numbers are used, likeliness then takes the form of a probability distribution over the space of mutually exclusive, collectively exhaustive outcomes.  This is consistent with the working definition of risk offered in lecture 2: risk is the uncertainty about future events of interest (though admittedly the working definition includes more than simply likeliness expressed over a space of articulated outcomes).

Let’s return to the “modified” triplet.  Leveraging the fact that the joint probability of two events is the probability of one event times the conditional probability of the other, the probability term in this expression can be expressed as follows:

Pr(e,o) = Pr(e)Pr(o|e)

where the notation Pr(e) and Pr(o|e) reads “probability of (initiating event) occurring” and “probability of (outcome) given the occurrence of (initiating event),” respectively.  The first term Pr(e) is the probability that a specified initiating event will occur (over some time span), and the second term Pr(o|e) is the vulnerability to a specified outcome given the occurrence of a specified initiating event.  Separate from its quantitative implications, this expression pretty much articulates the requisite phases of a risk assessment:

  1. Identify a full suite of plausible initiating events (e_i), striving for exhaustiveness to the maximum extent possible (which may require explicit assumptions to bound the scope).  This phase might be called “initiating event identification.”
  2. Identify a full suite of plausible outcomes of concern (o_j), again striving for exhaustiveness to the maximum extent possible (which may require explicit assumptions to bound the scope).  This phase might be called “consequence assessment,” but would be of a different character.
  3. Assess the likeliness (or probability if you so desire) of each initiating event Pr(e_i) using all available knowledge and information.  This phase might be called “event likeliness assessment.”
  4. Assess the likeliness of each outcome presuming the occurrence of each initiating event Pr(o_j|e_i) using all available knowledge and information.  This phase might be called “vulnerability assessment” or “outcome likeliness assessment.”
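The four phases above, carried through in code as an added example (this is not code from the original post, and the event names, outcomes and numbers are constructed sample inputs).  It assumes the initiating events e_i are modelled as mutually exclusive and collectively exhaustive over one assessment period (hence an explicit “no event” entry), and the outcomes o_j likewise, so that Pr(e_i, o_j) = Pr(e_i) Pr(o_j|e_i) can be marginalised into a distribution over outcomes.  The checks reject inputs that violate those exhaustiveness assumptions, which is the part of the phases most often skipped in practice.

```python
from fractions import Fraction
from typing import Dict, List, Mapping, Tuple

# --- Constructed sample inputs (not taken from the post) ---------------------
# Phases 1 and 3: initiating events e_i and their likeliness Pr(e_i) over one
# assessment period, modelled as mutually exclusive and collectively
# exhaustive; "no_event" absorbs the remaining probability mass.
EVENT_LIKELINESS: Dict[str, Fraction] = {
    "no_event": Fraction(90, 100),
    "explosive_attack": Fraction(2, 100),
    "fire": Fraction(8, 100),
}

# Phase 2: outcomes of concern o_j, mutually exclusive and collectively exhaustive.
OUTCOMES: Tuple[str, ...] = ("no_damage", "minor_damage", "major_structural_damage")

# Phase 4: vulnerability Pr(o_j | e_i), one distribution over OUTCOMES per event.
VULNERABILITY: Dict[str, Dict[str, Fraction]] = {
    "no_event": {"no_damage": Fraction(1), "minor_damage": Fraction(0),
                 "major_structural_damage": Fraction(0)},
    "explosive_attack": {"no_damage": Fraction(1, 10), "minor_damage": Fraction(4, 10),
                         "major_structural_damage": Fraction(5, 10)},
    "fire": {"no_damage": Fraction(5, 10), "minor_damage": Fraction(4, 10),
             "major_structural_damage": Fraction(1, 10)},
}


def check_distribution(dist: Mapping[str, Fraction], support: Tuple[str, ...], label: str) -> None:
    """Enforce the mutually exclusive / collectively exhaustive assumption:
    exactly the elements of `support` are present, nothing is negative, and the
    mass sums to exactly 1 (exact Fraction arithmetic, so no float tolerance)."""
    if set(dist) != set(support):
        raise ValueError(f"{label}: support {sorted(dist)} != {sorted(support)}")
    if any(p < 0 for p in dist.values()):
        raise ValueError(f"{label}: negative likeliness")
    total = sum(dist.values(), Fraction(0))
    if total != 1:
        raise ValueError(f"{label}: likeliness sums to {total}, not 1")


def joint_likeliness(events: Mapping[str, Fraction],
                     vulnerability: Mapping[str, Mapping[str, Fraction]],
                     outcomes: Tuple[str, ...]) -> Dict[Tuple[str, str], Fraction]:
    """Pr(e_i, o_j) = Pr(e_i) * Pr(o_j | e_i) for every (event, outcome) pair."""
    check_distribution(events, tuple(events), "events")
    joint: Dict[Tuple[str, str], Fraction] = {}
    for e, p_e in events.items():
        check_distribution(vulnerability[e], outcomes, f"vulnerability[{e}]")
        for o in outcomes:
            joint[(e, o)] = p_e * vulnerability[e][o]
    return joint


def outcome_distribution(joint: Mapping[Tuple[str, str], Fraction],
                         outcomes: Tuple[str, ...]) -> Dict[str, Fraction]:
    """Marginalise over initiating events: Pr(o_j) = sum_i Pr(e_i) Pr(o_j | e_i).
    This is the "likeliness of alternative outcomes in light of a full complement
    of initiating events" that the post identifies with risk."""
    marginal = {o: Fraction(0) for o in outcomes}
    for (_, o), p in joint.items():
        marginal[o] += p
    return marginal


def risk_triplets(joint: Mapping[Tuple[str, str], Fraction]) -> List[Tuple[str, Fraction, str]]:
    """The modified risk triplets <e, p, o>, most likely first, dropping pairs
    that cannot occur (p == 0)."""
    triplets = [(e, p, o) for (e, o), p in joint.items() if p > 0]
    triplets.sort(key=lambda t: t[1], reverse=True)
    return triplets


if __name__ == "__main__":
    joint = joint_likeliness(EVENT_LIKELINESS, VULNERABILITY, OUTCOMES)
    for e, p, o in risk_triplets(joint):
        print(f"<{e}, {p}, {o}>")
    for o, p in outcome_distribution(joint, OUTCOMES).items():
        print(f"Pr({o}) = {p}")
```

Exact fractions are used instead of floats so that the “sums to 1” checks are meaningful; with floats, a vulnerability row that sums to 0.9999999 would pass or fail depending on the tolerance chosen.  If a phase-4 row is supplied that is not collectively exhaustive (for instance, an analyst forgets the “no damage” outcome), `joint_likeliness` refuses to proceed rather than silently producing a marginal that does not sum to 1.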

Now what is nice about this development?  For starters, the expression for risk and the process for its assessment have been derived from first principles (bottom-up) rather than from someone’s ideas on how to map their perceptions of what security risk analysis is onto a mathematical formula (often arithmetic or logical) that seems right (top-down).  (I suspect that many of the “formulas” for risk proposed or in current use actually were arrived at via top-down thinking, which is perhaps the reason why so many people find it easy to challenge their mathematical integrity.)  Second, regardless of whether one uses numbers to express likeliness, the expression offers guidance on how to clearly think through a risk analysis problem.  It is true the devil is in the details, but in the end the four steps above will lead to knowledge that enables higher-confidence statements about risk relative to those generated through other ad hoc analytic approaches.

The four items above – initiating event, outcomes of concern, event likeliness, and vulnerability – will each be addressed in turn over the course of the next four lectures (two weeks).  Fortunately for my students, I intend to address these topics in a manner that assumes the minimal amount of background knowledge in set theory and probability theory.  But that doesn’t mean my students are exempt from knowing this material; my job is to ensure that they do by the time they finish this course. (Note: Issues centered on the remaining three questions for risk management will begin in part III of the course, or after lecture 20).
