I've seen a visual representation attempting to explain Risk; Risk is a combination of probability and impact of a vulnerability being exploited. In theory, this visualization is great! But does it translate into practice?
In this visualization, with some assumptions, we can gather the following:
- Goal – stay safe while trying to get to the other side of the picture
- Vulnerability – a hazardous pit separates the person from their Goal
- Probability – likelihood that the person falls into the pit
- Impact – possible injury from falling in the pit
The Risk:

High Probability/Low Impact suggests that the person will most likely touch the bottom of the pit (because it is a wide pit and difficult to cross), but they will NOT suffer much, if any, impact (because the pit is very shallow).

Low Probability/Low Impact suggests that the person will most likely NOT touch the bottom of the pit (because it is a narrow pit and easy to cross), and they will NOT suffer much, if any, impact (because the pit is very shallow).

Low Probability/High Impact suggests that the person will most likely NOT touch the bottom of the pit (because it is a narrow pit and easy to cross), but they could suffer quite a bit of impact if they were to fall in (because the pit is very deep...and possibly contains death spikes).

High Probability/High Impact suggests that the person will most likely touch the bottom of the pit (because it is a wide pit and difficult to cross), and they could suffer quite a bit of impact if they were to fall in (because the pit is very deep...and possibly contains death spikes).

The Issue:

Now, while the impact is fairly straightforward and easier to comprehend (fall in a deep pit with death spikes...I doubt you'd be a happy camper), the probability is a lot more complicated and subjective than this visualization may have you believe.

The probability of an event occurring depends on variables. For example, the probability of falling into a pit that is 20ft wide is a lot higher for me, who most likely can't jump that far (I haven't tried, but I doubt I could), but the probability of Mike Powell falling into a pit that is 20ft wide is quite a bit lower. Why? Because Mike Powell is an American Olympian who, as of the time of my writing this, holds the world record for the long jump at 29ft 4.25in. One could argue that if the person in this visualization were Powell, he could be facing a Low Probability/High Impact Risk. Again, why? Because of the variable of Capability.

That's right!
This visualization does not show the Capability variable that is often forgotten. Just because a vulnerability exists and can be exploited does not mean that every actor CAN.

Consider this overly simplified scenario:
- Goal – maintain the confidentiality of bank account information stored on a system
- Vulnerability – unauthorized access to the system containing the bank account information
- Probability – likelihood that a Threat Actor gains unauthorized access to the system
- Impact – possible fraudulent activity on bank accounts
Also, consider that there are two independent Threat Actors (TA1 and TA2).
- TA1 has done some part-time work at an IT business offering data recovery and access to computers whose users have forgotten their passwords. Relies heavily on open source tools and scripts. Looking for more income possibilities.
- TA2 is an information security professional with many years of experience conducting penetration tests. Skilled in reconnaissance, social engineering, scripting and cracking, but was recently fired and no longer has a source of income.
The Risk present when TA1 is involved:

Low Probability/High Impact could be a fair assumption because TA1 most likely does NOT have the CAPABILITY to gain access to the Target (because the open source tools and scripts will not find a vulnerability to exploit), but TA1 could cause quite a bit of impact (because access to the workstation would mean access to bank account information that could be used for fraud).

The Risk present when TA2 is involved:

High Probability/High Impact could be a fair assumption because TA2 most likely DOES have the CAPABILITY to gain access to the Target (because their skills go beyond open source tools and scripts), and TA2 could cause quite a bit of impact (because access to the workstation would mean access to bank account information that could be used for fraud).

We now have one Risk but two classifications. How can that be? Because, when it comes to classifying and prioritizing Risks, Probability is imprecise.
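To make the TA1/TA2 point concrete, here is an added toy model (not from the original post) that folds Capability into Probability: an actor whose skills do not cover what exploiting the vulnerability requires is rated Low Probability. The skill names, the two-level scales and the "most capable actor wins" prioritisation rule are all constructed assumptions, not something the post prescribes.

```python
# Added example: capability-aware risk classification for the TA1/TA2 scenario.
# Skill labels, the two-level Low/High scales and the coverage rule below are
# constructed assumptions for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    name: str
    impact: str                 # "Low" or "High" (fixed by the asset, not the actor)
    required_skills: frozenset  # what an actor needs to exploit it


@dataclass(frozen=True)
class ThreatActor:
    name: str
    skills: frozenset


def probability_for(actor: ThreatActor, vuln: Vulnerability) -> str:
    """Probability is driven by Capability: an actor missing any required
    skill is assumed unlikely to exploit the vulnerability."""
    return "High" if vuln.required_skills <= actor.skills else "Low"


def classify(actor: ThreatActor, vuln: Vulnerability) -> str:
    return f"{probability_for(actor, vuln)} Probability/{vuln.impact} Impact"


def classify_all(actors, vuln: Vulnerability) -> dict:
    """One vulnerability, one classification per plausible actor."""
    return {a.name: classify(a, vuln) for a in actors}


def worst_case(actors, vuln: Vulnerability) -> str:
    """One way to prioritise when actors disagree (assumption): take the
    classification produced by the most capable actor considered."""
    rank = {"Low": 0, "High": 1}
    return max((classify(a, vuln) for a in actors), key=lambda c: rank[c.split()[0]])


# Constructed scenario mirroring the post's two threat actors.
BANK_DATA_ACCESS = Vulnerability(
    "unauthorized access to the system holding bank account information",
    impact="High",
    required_skills=frozenset({"recon", "social engineering", "scripting", "cracking"}),
)
TA1 = ThreatActor("TA1", frozenset({"open source tools", "scripting"}))
TA2 = ThreatActor("TA2", frozenset({"recon", "social engineering", "scripting", "cracking"}))

if __name__ == "__main__":
    for name, rating in classify_all([TA1, TA2], BANK_DATA_ACCESS).items():
        print(f"{name}: {rating}")
    print("prioritise as:", worst_case([TA1, TA2], BANK_DATA_ACCESS))
```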
Does Probability Translate into Practice?
I am no statistician. I do not have the answer for the best way to calculate Risk, let alone the Probability that goes into calculating Risk. What I do have is the opinion that precision should not be the goal of measuring Risk or Risk Prioritization. All Risks present some form of positive/negative outcome ratio, and determining which risks are good and which are bad is subjective to the business and the scenario.

Every business has the goal of reaching the other side of the picture safely, but what every business must ask itself is, why do they want to get there? Is the Risk worth the Reward? Again, subjective. What is the Reward? A pot of gold worth billions of dollars? Or a chocolate cake just waiting to be eaten?

In a perfect world, Probability does translate into practice for calculating Risk, but we don't live in a perfect world. In my opinion, probability does not translate into practice. Not accurately. It's a personal/business decision that must be made on how to determine Probability.

Keep that in mind when looking at the visualization linked above. I look at the Risk on the bottom and think definite High Probability/High Impact and pass. I'd rather not be impaled by death spikes. But Mike Powell, I bet he'd look at that and think, "that's not too hard to get across."