Tuesday, March 9, 2010

Risk Management: Risk Mitigation

Last week, I started talking about risk management by talking about how it relates to something as mundane as forgetting your car keys. I’m going to stick with that analogy as we discuss how to use risk assessment to understand whether you’re happy with the risk you have or if it’s worth spending some money to mitigate that risk.

Recall that we expressed the risk a lockout poses in dollars (or perhaps a dollar estimate), largely based on the cost of waiting around for a locksmith to let you into your car. Now suppose I offer you a service: I’ll keep a copy of your car key, and at any time of day or night if you lock yourself out of your car I’ll come bring you the spare. That would reduce the vulnerability to zero, and therefore the risk as well. How much would you pay for this service? It depends on your risk – if I charge $1000 a year for this service, you’d be foolish to eliminate a $5 risk (or even a $100 risk) by paying me. If I charge $150, it’d make sense if you have a $200 risk, but not a $5 risk.

Suppose I’ll only bring you the key if you lock yourself out of your car in the daytime. I’m no longer eliminating your risk, I’m merely mitigating it. Because the solution only works half the time, it’s reducing your vulnerability from .5 to .25. That turns a $200 risk into a $100 risk, and a $5 risk into a $2.50 risk. I think you can do the math to figure out how much you’d pay for this service in these cases.

That’s it! Risk management is figuring out what can go wrong, what will happen if it does go wrong, how likely it is to happen, and how well defended you are against it. If you know all that, you know what it makes sense to spend time and money on in the name of safety.
In the financial industry, it gets a lot more complex than that. People who trade options measure the risk of every single thing that can happen to change the value of a given option, and that’s calculus. For most people, what I’ve outlined here can get you through the day.

I’ve kept the example simple, but it’s important to take the time to understand everything that goes into calculating impact. For example, we based the impact of getting locked out of the car based on the charge for a locksmith. Take the time to understand everything that goes into calculating impact. Suppose the locksmith is going to take an hour to get to you? How much is your time worth? If I promise to get to you in fifteen minutes, that might make my service the better deal even if I cost more than the locksmith does. In business, hidden costs like this often lead to security costing more than people expected it to.

What happens if you figure wrong about one of these numbers? You’ll find out about it when the incident costs you more or less than you thought it would, update your risk analysis, and get on with life. But the risk of an incorrect risk analysis is one of the threats you’re thinking about, right?

Where are you already doing risk mitigation? Do run and maintain security software on your computer? If not, did you decide you’d rather live with the risk of infection, or that the cost of recovery is cheaper than the cost in time and money on an anti-virus package? Would you rethink that if I told you that you could have an anti-virus package for free? Does thinking about and understanding the risks you face in live, and knowing how you’ll handle them ease your mind? Let me know!