Analog Risk Assessment method, ARA [UPDATED x2]


A multi-part blog piece by Brad Bemis suggesting the use of a simplified/standardized risk analysis process for the purposes of PCI-DSS led me to look into a quick/rough-cut information security risk assessment method based around just ten yes/no questions, that Brad recommends. The method's inventor, Ben Sapiro, calls it "Binary Risk Analysis" [BRA] to emphasize those yes/no choices, implying a degree of simplicity and objectivity to the method (although some have questioned that: forcing users to choose in this manner merely causes them to collapse or shoe-horn each of their subjective opinions into one of two boxes, which does not make them any less subjective, and if anything makes them more constrained). The ten questions in BRA lead the user through the process of evaluating the frequency and severity (albeit called "threat likelihood" and "threat impact"), key factors that are commonly used to evaluate risks.

It occurred to me that it would be even quicker and easier, and in fact no less accurate, for a competent person to assess and plot the probability and impact elements of relevant incident scenarios directly.   

Since Ben's method is "binary", I've cheekily called mine "Analog Risk Assessment" ARA.

I'm not saying analog is inherently better or worse than binary, just different. It happens to suit my way of thinking and, judging by the popularity of this blog item, others are similarly inspired. I find the colorful graphic (a heatmap metric) an excellent way to prompt consideration and discussion around risks in workshops etc., to stimulate creative thought and summarize the findings for management decisions, naturally focusing attention on risks in the red zone.

Whereas I've labeled the axes "Likelihood" and "Severity", you may prefer similar terms such as "Probability" and "Consequences" or "Impacts".  

Note that the axes are scaled from 'Low' to 'High', relative terms. The lack of precision is not a problem - in fact, as I mostly use ARA for risk evaluation and security awareness purposes, the simplicity is actually an advantage, one less distraction from the main business of thinking about and discussing the risks. There's nothing to stop you putting values against the scales (specific numbers, ranges or categories) if you are so inclined ... but don't forget that we're talking about risk and inherent uncertainties. Personally, I'm much more comfortable to assert that risk A is 'much more likely' than risk B than I am to estimate actual probabilities. 

A nice feature of ARA is that it can be applied to most if not all kinds of risk. I've developed ARA graphics for most of the 60-odd information risk and security topics in our awareness portfolio, for starters. I see no reason why it couldn't be used for financial risks, political risks, market risks, health-and-safety risks, strategic risks, compliance risks and so on. You could even compare and contrast different types of risk on the same basis on the same graphic, giving a sense of perspective across markedly different areas, with obvious value in governance, enterprise risk management and audit planning.   

In the same spirit as Ben, I'm very happy for anyone to use ARA or develop it further under a Creative Commons license:

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.


Enjoy!

PS  The heatmap is also known as a Probability Impact Graphic, a PIG. Oh and heatmap.