The Many Questions of Risk: Toward a Triplet of Triplets

Written by Will McGill on January 6th, 2010

Note: Article updated on 17 Jan 2010

In 1981, Kaplan and Garrick published a paper entitled “On the Quantitative Definition of Risk” that defined risk as the set of all ordered triplets formed from the answers to the following triplet of questions (Kaplan and Garrick 1981):

  • What can go wrong?
  • How likely is it to go wrong?
  • What are the consequences?

These three questions set the stage for what most risk professionals consider to be the fundamental questions of risk assessment. In recent years, more questions have been suggested, including:

  • How much uncertainty is present in the analysis? (Lowder 2008)
  • Over what time frame? (Haimes 2009)
  • Are these risks tolerable?

In 1991, Professor Yacov Haimes offered a second set of three questions focused on the practice of risk management (Haimes 1991):

  • What can be done?
  • What options are available and what are the benefits and costs of each?
  • What impact do these options have on future options?

Mr. Bob Ross offered a few more interesting risk questions, including several for establishing the risk context (Ross 2009):

  • What are my risk management responsibilities?
  • What outcomes and objectives am I expected to achieve?
  • How are risks perceived by those to whom I am answerable?

Ross also offered a few more for risk management (labeled risk response or more generally risk treatment):

  • What could I do about it? (the “options” part of the second Haimes risk management question)
  • What should I do about it?
  • What will I do about it?

And a few more on risk management effectiveness:

  • How well is my chosen course of action working?
  • Has anything changed that requires altering my existing risk management measures?
  • Are there current trends and/or potential future developments that could require altering my existing risk management measures?

Dr. Tony Cox summarizes all of risk analysis in terms of four high-level questions (Cox 2009):

  • How bad is it? (Risk Assessment)
  • What to say about it? (Risk Communication)
  • What to do about it? (Risk Management)
  • Who to blame for it? (Risk Attribution)

Since the ultimate goal of studying risk is to communicate risk knowledge to people who can then use it to make better (i.e., risk-informed or risk-supported) decisions, risk communication must consider the following lower-level questions, which help analysts decide what to say about risk (Morgan et al. 2002; Apgar 2006):

  • What does the intended recipient think or know?
  • What does the recipient need to know?
  • How should it be told?

Mr. Bob Ross offered the following additional questions for risk communication:

  • Between whom does it need to be communicated?
  • How can the necessary risk information be most effectively communicated?

Of course, there is always the risk that a communication goes south, so we should also entertain the questions:

  • How likely is it that the communication will work?
  • How bad would it be if it doesn’t?

If you look carefully at these questions, you might find some overlap among them and also find that they may be interpreted in different ways by different people. In fact, we could consolidate all of these questions into a triplet of risk analysis triplets. These are summarized as follows. Given a clearly and precisely specified situational context (e.g., a security context), risk analysis centers on the following nine broad questions:

Risk Assessment Triplet

  1. What can happen? Answer: scenarios, each characterized as the pairing of a cause with an outcome, where the outcome carries an associated time frame
  2. How likely is it? Answer: the product of the probability of the cause and the probability of the outcome given the cause; uncertainty in the answers is captured using imprecise probabilities
  3. How bad would it be? Answer: the severity of the cause/outcome pair
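To make the assessment triplet concrete, here is an added worked example (my own illustration, not code from the original article or from Kaplan and Garrick). It represents each scenario as a cause/outcome pair over a stated time frame, takes both probabilities as imprecise [low, high] intervals, multiplies them into a likelihood interval, and scales by severity to get an expected-loss interval. The scenario names, the interval arithmetic, the "dominance" rule used for ranking, and all the numbers are assumptions constructed for the example; the point it shows beyond the text is that once uncertainty is carried as intervals, some pairs of scenarios cannot be ordered at all, and the code reports exactly which ones.

```python
"""Kaplan-Garrick risk triplets <scenario, likelihood, severity> with
imprecise (interval) probabilities. Added illustration, not the article's code.

Each scenario pairs a cause with an outcome over a stated time frame.
Likelihood = P(cause) * P(outcome | cause); both factors are [low, high]
intervals, so likelihood and expected loss come out as intervals too.
Two scenarios can only be ranked with confidence when their expected-loss
intervals do not overlap."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Interval = Tuple[float, float]


def check_probability_interval(iv: Interval) -> Interval:
    """Reject anything that is not a sub-range of [0, 1]."""
    lo, hi = iv
    if not (0.0 <= lo <= hi <= 1.0):
        raise ValueError(f"not a probability interval: {iv}")
    return iv


def interval_mul(a: Interval, b: Interval) -> Interval:
    """Product of two non-negative intervals; endpoints multiply directly."""
    return (a[0] * b[0], a[1] * b[1])


@dataclass(frozen=True)
class Scenario:
    name: str                        # what can happen (cause -> outcome)
    time_frame: str                  # horizon the probabilities refer to
    p_cause: Interval                # imprecise P(cause)
    p_outcome_given_cause: Interval  # imprecise P(outcome | cause)
    severity: float                  # how bad: loss in currency units

    def __post_init__(self) -> None:
        check_probability_interval(self.p_cause)
        check_probability_interval(self.p_outcome_given_cause)
        if self.severity < 0:
            raise ValueError("severity must be non-negative")

    def likelihood(self) -> Interval:
        """Question 2: P(cause) * P(outcome | cause), as an interval."""
        return interval_mul(self.p_cause, self.p_outcome_given_cause)

    def expected_loss(self) -> Interval:
        """Likelihood interval scaled by severity (question 3)."""
        lo, hi = self.likelihood()
        return (lo * self.severity, hi * self.severity)


def dominates(a: Scenario, b: Scenario) -> bool:
    """True when every value in a's expected-loss interval exceeds every
    value in b's: a ranks above b no matter how the uncertainty resolves."""
    return a.expected_loss()[0] > b.expected_loss()[1]


def rank_scenarios(scenarios: List[Scenario]) -> List[str]:
    """Cautious default order: by lower bound of expected loss, descending.
    Positions of incomparable pairs (see below) are not defensible."""
    ordered = sorted(scenarios, key=lambda s: s.expected_loss()[0], reverse=True)
    return [s.name for s in ordered]


def incomparable_pairs(scenarios: List[Scenario]) -> List[Tuple[str, str]]:
    """Pairs whose intervals overlap: neither dominates, so the input
    uncertainty is too wide to order them."""
    pairs = []
    for i, a in enumerate(scenarios):
        for b in scenarios[i + 1:]:
            if not dominates(a, b) and not dominates(b, a):
                pairs.append((a.name, b.name))
    return pairs


# Constructed sample scenarios: illustrative numbers, not from any dataset.
SAMPLE_SCENARIOS = [
    Scenario("phishing -> credential theft", "1 year", (0.6, 0.9), (0.2, 0.4), 100_000),
    Scenario("unpatched web app -> data breach", "1 year", (0.3, 0.6), (0.2, 0.4), 1_000_000),
    Scenario("malicious insider -> bulk exfiltration", "1 year", (0.02, 0.05), (0.5, 0.8), 2_000_000),
]


def assess(scenarios: List[Scenario] = SAMPLE_SCENARIOS) -> Dict[str, object]:
    """Answer the three assessment questions for every scenario and report
    which rankings the stated uncertainty actually supports."""
    return {
        "triplets": {s.name: {"likelihood": s.likelihood(),
                              "severity": s.severity,
                              "expected_loss": s.expected_loss()} for s in scenarios},
        "ranking": rank_scenarios(scenarios),
        "incomparable": incomparable_pairs(scenarios),
    }


if __name__ == "__main__":
    result = assess()
    for name, t in result["triplets"].items():
        print(f"{name}: likelihood={t['likelihood']}, expected loss={t['expected_loss']}")
    print("cautious ranking:", result["ranking"])
    print("pairs the uncertainty cannot order:", result["incomparable"])
```

With the constructed numbers the web-app scenario dominates the phishing scenario (its lowest possible expected loss exceeds phishing's highest), but the insider scenario overlaps both, so the "cautious ranking" places it second only by convention. A narrower interval on the insider probabilities, not a different ranking rule, is what would settle its position.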

Risk Communication Triplet

  1. What does the recipient presently think, know and perceive? Answer: the recipient’s mental model and lens for interpreting and integrating new information
  2. What does the recipient need to know? Answer: key messages to improve the recipient’s understanding
  3. How should it be told? Answer: in what form the information should be communicated and who should communicate it, including the risks associated with the communication itself

Risk Negotiation Triplet*

  1. What can be done? Answer: the types of changes that can be made in the time frame of interest
  2. What options are available? Answer: the real, feasible options that are available, with the assessed benefits and costs of each, where benefits and costs include the impact on future options and all assessments include uncertainty
  3. What should be done? Answer: a comparison of the benefits, costs and risks of each option, together with other factors and non-risk-related alternatives, including the “do-nothing” option
*Note: In this context, Risk Negotiation refers to an organization’s discussions and deliberations around a variety of risk treatments relative to the organization’s attitude and tolerance for risk.

Risk management revisits this triplet of triplets continually. With time, we learn how well our choices fared through continuous analysis and reanalysis of our systems and their environments. With every action we take, the systems we protect respond with new or modified risks carrying updated probabilities and severities, and new options and considerations emerge while others become infeasible or irrelevant. And of course, with time and change come new uncertainties and misunderstandings, both of which require the dedicated attention of risk professionals to study and resolve.

References

Apgar, D. (2006). Risk Intelligence: How to Manage What You Don’t Know. Harvard Business School Press (ISBN 1591399548).

Coles-Kemp, L. (2009). “The Effect of Organisational Structure and Culture on Information Security Risk Processes.” Risk Research Symposium.

Cox, L. A. (2009). “Traditional and Current Risk Analysis.” Presented at the MORS 2009 Workshop, April 2009.

Haimes, Y. Y. (1991). “Total Risk Management.” Risk Analysis, Vol. 11, No. 2, pp. 169-171.

Haimes, Y. Y. (2009). “On the Complex Definition of Risk: A Systems-Based Approach.” Risk Analysis, Vol. 29, No. 12, pp. 1647-1654.

Kaplan, S. and Garrick, B. J. (1981). “On the Quantitative Definition of Risk.” Risk Analysis, Vol. 1, No. 1, pp. 11-27.

Lowder, J. (2008). “The Difference Between Quantitative and Qualitative Risk Analysis and Why it Matters (Part 1).” BlogInfoSec.org.

Morgan, M. G., Fischhoff, B., Bostrom, A. and Atman, C. (2002). Risk Communication: A Mental Models Approach. Cambridge University Press (ISBN 0521002567).

Ross, R. G. (2009). “Total Risk Management Revisited.” Working Paper.


Comments

  1. Greg Wyss, Jan 8, 6:50 PM

    Thoughts on Likelihood.
    The Risk Assessment Triplet is fine for safety risk and for lower-level or frequent security risks – ones for which the likelihood can be measured or estimated with reasonable certainty. However, the extraordinary uncertainties associated with the likelihood of an extreme security event like a large-scale radiological or biological attack are a problem. I submit that even the order of magnitude of the attack likelihood is very uncertain, and that there is almost complete overlap in the likelihood distributions between these two proposed attacks.
    It is precisely the uncertainty in this likelihood that makes it nearly impossible to make a definitive prioritization of risk mitigation investments for attacks like this in the security arena. It is hard to have enough confidence in the risk “computation” to be able to say with any certainty which risk is higher using this triplet. And to make matters worse, the likelihood of the attack event is strongly dependent on things that are strongly dependent on external factors (including future world-wide geopolitical events) which are likely unknowable. And even if we did know either the likelihood of attack or the factors that influence that likelihood today, they would likely be different tomorrow. And then different again next week once a different terrorist or adversary group sprang up. Yet we are making years-long security investments on the basis of uncertain information that changes almost daily. This is not a robust investment strategy.
    So, given the extreme uncertainties in likelihood, plus the fact that some of these uncertainties may be inherently unpredictable, I believe that the risk assessment triplet is factually true but almost useless to real-world decision makers who must allocate limited resources to defend against disparate classes of high-end attacks. And I believe that moving to imprecise probabilities or any other representation of likelihood will do a better job of capturing these uncertainties but provide little additional value to the decision maker. Yes, these methods do a better job of capturing the existing uncertainties. But the uncertainties are fundamental to the underlying problem and the available data, so a more accurate representation won’t help much in the decision process.
    I believe that the risk assessment triplet must be augmented in order to be meaningful for high-end attacks that are planned by rational and malevolent human beings who actively seek out plausible attacks using project planning and management methods. The triplet should not examine “How likely is it?” but rather “How difficult is it?” For example, a specific attack scenario is extraordinarily unlikely if someone can accomplish similar consequences using a much easier attack, or far greater consequences using an attack of comparable difficulty. Attacks that represent the easiest way to obtain a specific set of consequences are much more likely, although I cannot assign a probability to such an attack with enough certainty to be useful in a mathematically valid risk ranking process. Ranking or clustering scenarios according to difficulty for achieving comparable consequences provides a straightforward method to enable a decision maker to make defensible investment decisions by applying the simple principle, “I want to take away the adversary’s easiest attacks first. I can leave the harder attacks until later.”

  2. Bob Ross, Jan 19, 5:11 PM

    I don’t dispute that there are risks for which it is very difficult to develop meaningful numerical answers to the likelihood question, but I would submit that the fault lies not in the question but rather in our inability to answer it. The question is the right question, whether or not we can answer it. In the absence of an ability to generate direct answers to the likelihood question we are reduced to looking for surrogate questions and/or proxy data. Gregg Wyss’ “How difficult is it?” is really nothing more than a surrogate question. Further, it is a surrogate question with some inherent problems of its own. For one thing, if there are numerous ways in which a given attack could be carried out, simply closing off one of the execution avenues, whether or not it is the easiest path available, may not effectively lower the overall risk associated with that type of attack. For another, the easiest attacks are probably not the ones we need to be most worried about. The U.S. is a great nation. We have taken far harder blows in the past than what we suffered on 9/11 and overcome them. Garden variety terrorism, while abhorrent, does not constitute an existential threat to the survival of the nation. BIG terrorism, on the other hand, may constitute such a risk. By BIG terrorism, I mean true Weapons of Mass Destruction terrorism. The WMD that could constitute an existential threat are biological and nuclear. The other so-called WMD, chemical and radiological, are more properly thought of as “weapons of mass disruption.” Again, these are not something to be desired. But neither are they something that would bring us to our knees – unless we go there through our own misguided reaction to such attacks.

    There are bigger problems in traditional risk management and risk analysis as they are being misapplied to homeland security. One is the tendency of certain elements of the larger national homeland security enterprise to think that our strategic risk is nothing more than the sum of our tactical risks. Another is the traditional cost-benefit analytic approach in which cause and effect pairs are examined in isolation, with an implicit and erroneous assumption that all other factors will remain equal. Risk treatments that appear to yield positive cost-benefit tradeoffs when examined in isolation frequently yield very different results when the chosen risk treatment is applied to a cause and effect pair in which the members are elements in a sensitive complex-adaptive system. This is particularly true when one is dealing with an intelligent, strategically-driven adaptive adversary.

    Returning to the issue of the questions to be asked, my comments above don’t mean that we need different questions. Rather, it means we need to put our thinking caps on and develop better ways to answer the questions we already have.
