An Approach to Risk Decision Making – a Review


I decided to write a review of a paper submitted on the subject of “An Approach to Risk Decision Making” by Curt Dalton. I must however declare an interest in this, in that I happen to report to Curt in my day job (he is global CISO), and he was kind enough to share drafts with me for feedback as he wrote it. This will therefore be a somewhat biased review, although not too much, but I do hope that if nothing else it generates conversation around topics and approaches like this. I have a huge respect for Curt, have learnt much from him over the last few years and hope to get a good score in the next performance review!

In essence, this model is designed to help an organisation decide whether it is financially viable to invest in security technology, controls or procedures in order to address a given risk. It is not designed to be used across an organisation’s whole risk management programme, but rather for the handful of risks that can’t be addressed in day-to-day operations and have to be escalated to senior management to be effectively resolved. With limited budget and limited access to that senior leadership, this approach provides support and guidance on what to ‘fix’ and what not to fix.

This scope is a key element of the model; it uses a very traditional approach to monetising risk, versus the more in-vogue approaches I have reviewed elsewhere in this blog. To that end it assigns numerical values to the elements of its calculations; this is of course where ‘errors’ may creep in, but in theory an experienced risk manager familiar with their environment should be able to assess these reasonably well.

In summary, the model is as follows:

Figure 2 in the model requires an analysis of the controls required to address a risk.

This does of course raise the question: how do you know you have identified all of the controls required, and how do you know you have selected the correct numerical value? Again, the pragmatist in me suggests this is entirely possible for someone who is familiar with the environment and the organisation, but it may of course be more difficult in other situations.

Figure 3 does a similar thing with a similar level of granularity, i.e. defining in nine increments the ease of exploitation of a given risk; where I think there is potentially something missing is that this single value applies to ALL of the controls listed in figure 2 rather than to each individually.

Assigning it individually would obviously increase the complexity of the solution considerably, and the single value is a deliberate choice to keep the model simple.

These two numbers are then combined with a simple calculation of impact to establish a level of monetised risk. Finally, the 80/20 rule (Pareto’s Principle) is used as a rule of thumb to define the actual budget that should be spent to mitigate a risk. In the example given, therefore, a monetised risk of roughly $1.5m USD should be mitigated by spending up to $380k USD and no more. The Pareto split can of course be adjusted according to your organisation’s risk appetite; that is, the more risk-averse the organisation, the more the rule would move from 80/20 towards 70/30 or 60/40 etc.
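As an added illustration of the budgeting step described above (this is my own sketch, not Curt Dalton’s model; the paper’s scoring tables from figures 2 and 3 are not on this page, so the way the three inputs are combined, the `control_gap` fraction and every number in the sample are assumptions), the following shows how the monetised risk and the Pareto spend ceiling would be computed for a short list of escalated risks, with the 80/20 split adjustable for a more risk-averse organisation:

```python
# Added illustration of the review's budget rule; the combination formula,
# the control_gap input and all sample figures are assumptions, not the paper's.
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    impact_usd: float      # assumed: monetary loss if the risk materialises
    control_gap: float     # assumed 0..1: fraction of required controls missing (figure 2 stand-in)
    ease_of_exploit: int   # 1..9 increments, as the review describes figure 3


def monetized_risk(r: Risk) -> float:
    """Assumed combination: impact scaled by the control gap and by ease of exploitation."""
    if not 1 <= r.ease_of_exploit <= 9:
        raise ValueError("ease of exploitation must be on the 1..9 scale")
    if not 0.0 <= r.control_gap <= 1.0:
        raise ValueError("control gap must be a fraction between 0 and 1")
    return r.impact_usd * r.control_gap * (r.ease_of_exploit / 9)


def budget_cap(monetized: float, risk_share: float = 0.8) -> float:
    """Pareto-style ceiling: spend the minority side of the split.
    80/20 allows 20% of the monetised risk; a more risk-averse 60/40 allows 40%."""
    if not 0.5 <= risk_share < 1.0:
        raise ValueError("risk_share must be between 0.5 and 1 (e.g. 0.8 for 80/20)")
    return monetized * (1.0 - risk_share)


def prioritise(risks, risk_share=0.8):
    """Rank escalated risks by monetised value and attach a spend ceiling to each."""
    rows = []
    for r in risks:
        mon = monetized_risk(r)
        rows.append((r.name, mon, budget_cap(mon, risk_share)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample inputs, not figures from the paper.
SAMPLE = [
    Risk("unpatched internet-facing CMS", 2_000_000, 0.75, 9),
    Risk("shared admin credentials", 1_000_000, 0.50, 6),
    Risk("no offsite backups", 500_000, 1.00, 3),
]

if __name__ == "__main__":
    for name, mon, cap in prioritise(SAMPLE):
        print(f"{name:32s} risk ${mon:>12,.0f}  spend up to ${cap:>10,.0f}")
```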

There are a lot of assumptions used in this model, not least the numerical values that may seem to be arbitrarily assigned. However, I believe this can be forgiven for the very simple reason that it is a pragmatic, transparent and easily understood approach; it can easily be transferred into an Excel spreadsheet, meaning that some simple modelling can be carried out. I have said before that until the newer approach to risk management has a more easily understood and implementable form it will not be adopted. This model does.

The other part of this model that I like is that it is not designed to be a cure-all, but rather a tool to help organisations decide where to spend money. If the approach is understood then an informed decision can be made within the constraints of that model (or indeed any other model). I believe it is influenced by the ISO27005 approach to risk management, which means many risk management folks will be able to grasp and adopt it more easily.

Overall, this is a model that can be adopted quickly and easily by many organisations, and implemented successfully, as long as its basis in assigning numerical values is understood and the calculations are carried out by those in a position to understand their risk profile well. I would strongly recommend you take a look at the model yourself over at Wired Innovation Insights.

Pros – easily understood, pragmatic, focussed on one business issue, easily implemented.

Cons – relies on assigning ‘arbitrary’ numerical values, doesn’t address granularity of risk and ease of exploitation.

2012 in review

Blogging can be seen as a very inwardly focussed activity: it is all about me, me, me. I have always tried to maintain a fairly balanced online presence, keeping it professional if a little informal, striving to only blog or tweet quality rather than quantity. On the whole this has worked for me. The downside to this, though, has been a slow increase in my online presence (or brand, whatever term works for you) and therefore in Twitter followers and blog visits. For example, one of the primary reasons for blogging this year has been to “practise” writing about my profession in a way that I don’t get to in my place of work, and not to gain fans and followers (although that would be a nice by-product!).

That said, the automated report that WordPress sends out prompted me to consider what I have achieved over the last year and realise how positive I feel about my online presence. To put it into context, here are some very quick (and totally unscientific) stats: in 2011 (when I joined Twitter) I had four blog posts on a self-managed blog page, attended one conference (RSA), had fewer than ten followers and tweeted maybe ten times. I had publicly spoken once, for two minutes, at the Christmas RANT forum. In short, I had no idea what the community had to offer or indeed how to engage with it.

It was at the aforementioned RSA conference that two things happened; firstly, I realised that 80% of the presentations I watched were of a quality that I felt I could reproduce. Secondly, I met a few folks on the last night who in all honesty changed my perception of the industry and how I could participate in it, namely Brian Honan (@BrianHonan), Kai Roer (@kairoer), Alex Hutton (@alexhutton) and Aaron Barr (@aaronbarr) amongst others. They showed me (unknowingly) how they worked with the community, staying in touch through Twitter, communicating through blogs, articles, podcasts etc. I have since stayed in touch with Brian and Kai, both of whom I respect greatly and would like to thank for their openness and friendliness to me back in October 2011!

Fast forward to today and my stats are a little better: 26 blog posts, nearly 500 tweets (not all of them are rubbish either!), 111 followers, six public speaking engagements including one panel and the RSA conference itself, a video blog with the almighty Javvad Malik (@j4vv4d), and contributions to two articles (for Tripwire and (In)Secure magazine). I attended, in one capacity or another, nearly twenty events/conferences/forums. The best part is that these stats don’t do the experience itself any justice. I have made friends and met many people for whom I have the deepest respect and whom I genuinely like and enjoy the company of. I have submitted a joint CFP for a conference with one of them, and hope to continue my relationship with Acumin and the RANT forum (@Acumin & @GemmaPats), who gave me my first big break in public speaking (thank you!). In short, 2012 has been awesome as both a learning experience and a source of fun and enjoyment as regards my chosen profession. The blog stats below are of course modest by most people’s standards, but they are interesting and encouraging to me nonetheless in the context of the above.

I tweeted over the Christmas holidays that my word for 2013 is “growth”, both professionally and personally; while I hope that my 2013 “stats” will continue to “grow”, more importantly I hope that my new friendships and my opportunities to learn in this odd, frustrating, challenging yet ultimately rewarding industry and community continue.

And before you ask, yes, New Year, New Theme for the blog; I’ve grown out of my dark goth and emo phase and now it is time for some colour and class!

Here’s an excerpt:

The new Boeing 787 Dreamliner can carry about 250 passengers. This blog was viewed about 1,200 times in 2012. If it were a Dreamliner, it would take about 5 trips to carry that many people.
