In my previous post, I investigated the various definitions of Information Security Risk. Here I look at the first consideration for an information security risk analyst: how likely is the risk event to occur? What is its likelihood?
Likelihood is commonly used in English as a synonym for probability, and as a term in risk it is rarely used in a formal manner. There is a technical definition of a ‘likelihood function’ in statistics: for a fixed set of observed data, it gives the probability of having observed that data as a function of the unknown quantity being estimated (for example, the true rate of an event), so it measures how well each candidate value of that quantity explains the data.
The international standard for Risk Management ISO 31000 defines likelihood as:
“the chance of something happening.”
This definition is reflected in the ISO 27005 standard for Information Security Risk Management.
The Oxford English Dictionary has various definitions for likelihood the most applicable being
“The quality or fact of being likely or probable; probability; an instance of this.”
Probability itself is a well-defined term in both risk management and probability theory. A helpful, succinct definition can be found in David Vose’s Risk Analysis: A Quantitative Guide, which states:
“Probability is a numerical measurement of the likelihood of an outcome of some random process.”
There are differences in how risk analysts use the term probability. These tend to split between frequentists and subjectivists.
Frequentists define the probability of an event as the frequency with which it occurs in a long sequence of opportunities to occur. The belief is that there is an objectively ‘real’ probability that can be discovered by taking measurements over time.
Subjectivists hold that probability is the degree of belief a person has that an event will occur, given the information available to that person. That belief will approach the objective ‘real’ probability as more data becomes available, but will always be subject to bias. Subjectivists will assign probabilities based on little information and refine them as more information arrives. The ‘likelihood function’ I mentioned earlier is the engine of the Bayesian approach to subjectivist probability: the analyst’s prior belief is weighted by how well each candidate value of the unknown quantity explains the data actually observed, and the result is the revised (posterior) belief.
However, when we step into the world of security risk methodologies there is a marked lack of usable data to support the frequentist approach. A topic we will touch on in later posts is that the population data we do have, from various industry surveys, may be non-ergodic: the average across the population of organisations need not tell us what any individual member of that population will experience over time.
An attempt to sidestep this lack of usable data, common to many security risk methodologies, is to decompose likelihood or probability into components that can be estimated separately, such as threat and vulnerability, the product of which is then used as the likelihood.
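To make the subjectivist refinement concrete, here is an added example (my own illustration, not part of the original post or any standard) of Bayesian updating of an analyst’s belief about the annual probability of a security event. The prior is expressed as a Beta distribution, the data are a constructed list of observed years, and the binomial likelihood function is written out explicitly so that its role as a function of the unknown probability is visible. The figures used (a prior worth ten pseudo-years with mean 0.10, five observed years with one incident) are hypothetical.

```python
"""Bayesian refinement of a subjectivist likelihood estimate (added example).

Hypothetical scenario: an analyst must estimate the annual probability p that a
given security event occurs. They start from a prior belief expressed as a
Beta(alpha, beta) distribution and update it year by year with the binomial
likelihood function. All figures are constructed for illustration.
"""
from fractions import Fraction
from math import comb


def likelihood(p, k, n):
    """Binomial likelihood L(p | data): how probable k event-years out of n
    observed years would be if the true annual probability were p.
    For fixed data it is a function of the unknown p, not of the data."""
    return comb(n, k) * p ** k * (1 - p) ** (n - k)


def beta_update(alpha, beta, k, n):
    """Conjugate update of a Beta(alpha, beta) prior with k events in n years.
    Posterior is Beta(alpha + k, beta + n - k); alpha + beta behaves like the
    number of 'pseudo-years' of evidence the prior is worth, so a weak prior
    is moved quickly by real observations and a strong one slowly."""
    return alpha + k, beta + (n - k)


def beta_mean(alpha, beta):
    """Expected value of p under Beta(alpha, beta), as an exact fraction."""
    return Fraction(alpha, alpha + beta)


def map_estimate(alpha, beta):
    """Most probable value of p under Beta(alpha, beta) (needs alpha, beta > 1)."""
    if alpha <= 1 or beta <= 1:
        raise ValueError("mode lies on the boundary when alpha or beta <= 1")
    return Fraction(alpha - 1, alpha + beta - 2)


def refine_belief(prior, yearly_events):
    """Update the belief one observed year at a time.

    prior: (alpha, beta) for the analyst's starting belief.
    yearly_events: list of booleans, True where the event occurred that year.
    Returns the final (alpha, beta) and the sequence of posterior means, so the
    trajectory of the belief can be inspected as evidence accumulates.
    """
    alpha, beta = prior
    trajectory = []
    for occurred in yearly_events:
        alpha, beta = beta_update(alpha, beta, int(occurred), 1)
        trajectory.append(beta_mean(alpha, beta))
    return (alpha, beta), trajectory


if __name__ == "__main__":
    # Constructed data: a weak prior worth 10 pseudo-years with mean 0.10,
    # then five observed years in which the event happened once.
    prior = (1, 9)
    observed = [False, True, False, False, False]
    posterior, means = refine_belief(prior, observed)
    print("prior mean:", beta_mean(*prior))
    print("posterior:", posterior, "mean:", beta_mean(*posterior),
          "mode:", map_estimate(*posterior))
    print("trajectory of the mean:", [round(float(m), 4) for m in means])
    # Two competing hypotheses for p, scored by how well they explain the data.
    print("L(p=0.1 | 1 of 5):", likelihood(0.1, 1, 5))
    print("L(p=0.5 | 1 of 5):", likelihood(0.5, 1, 5))
```

Because the prior is weak (ten pseudo-years), a single observed incident in five years moves the mean from 0.10 to 2/15, roughly 0.13; the same observation against a prior worth a hundred pseudo-years would barely move it, which is the sense in which the subjectivist estimate converges only as data accumulates.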
The NIST Special Publication 800-30 Guide for Conducting Risk Assessments states that likelihood of occurrence is:
“the probability that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities.”
The Cyber Security Body of Knowledge (CyBOK) Risk Management and Governance Knowledge Area states that likelihood is:
“A measure capturing the degree of possibility that a threat will exploit a vulnerability, and therefore produce an undesirable outcome.”
OpenFAIR derives a Loss Event Frequency (LEF) from Threat Event Frequency (how often a threat agent acts against the asset) and Vulnerability (the probability that such a threat event becomes a loss event); OpenFAIR decomposes this further into a more detailed model in which Vulnerability is itself derived from Threat Capability and Resistance Strength.
The frequency approach to likelihood tends to express the likelihood of a risk event as a rate: over a long enough period the event is taken as certain to occur (e.g. once every ten years). Such methodologies then calculate the probability of occurrence for the timeframe under analysis (e.g. once every ten years becomes a 10% chance of occurrence in a year). Note that this conversion is a linear approximation: if events arrive independently at that rate, the exact chance of at least one occurrence in a year is 1 - e^(-0.1), about 9.5%, and the approximation breaks down as the rate approaches one event per period, where ‘once a year’ does not mean the event is certain within the year.
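The following added example (my own code, not from the original post or from the OpenFAIR standard) shows the two conversions a frequency-based method relies on: turning a rate such as ‘once every ten years’ into a probability for the period under analysis, using both the linear rule of thumb and the exact Poisson form, and combining a threat event frequency with a vulnerability to obtain a loss event frequency in the simplified FAIR style (LEF = TEF × Vulnerability, which is a simplification of the full OpenFAIR model). The Monte Carlo part samples both inputs from hypothetical triangular ranges, since analysts rarely know either as a point value; all numbers are constructed.

```python
"""Frequency to probability, and threat x vulnerability to loss event frequency
(added example; figures are constructed, and the FAIR-style combination is a
simplification of the full OpenFAIR model)."""
import math
import random


def rate_from_return_period(years):
    """'Once every N years' expressed as events per year."""
    return 1.0 / years


def probability_linear(rate, period_years=1.0):
    """Rule of thumb used by many methodologies: probability = rate x period,
    capped at 1. Adequate only while rate x period is small."""
    return min(1.0, rate * period_years)


def probability_poisson(rate, period_years=1.0):
    """P(at least one event in the period) if events arrive independently at
    the given rate (a Poisson process): 1 - exp(-rate x period).
    Unlike the linear rule this never reaches 1 for a finite rate."""
    return 1.0 - math.exp(-rate * period_years)


def loss_event_frequency(threat_event_frequency, vulnerability):
    """Simplified FAIR-style LEF: threat events per year multiplied by the
    probability that a threat event becomes a loss event."""
    if not 0.0 <= vulnerability <= 1.0:
        raise ValueError("vulnerability must be a probability in [0, 1]")
    return threat_event_frequency * vulnerability


def simulate_lef(tef_range, vuln_range, trials=20000, seed=7):
    """Monte Carlo over uncertain inputs given as (low, mode, high) triangles.
    Returns (mean LEF, 90th-percentile LEF) in loss events per year."""
    rng = random.Random(seed)
    tef_low, tef_mode, tef_high = tef_range
    v_low, v_mode, v_high = vuln_range
    samples = []
    for _ in range(trials):
        # random.triangular takes (low, high, mode), so unpack explicitly
        tef = rng.triangular(tef_low, tef_high, tef_mode)
        vuln = rng.triangular(v_low, v_high, v_mode)
        samples.append(loss_event_frequency(tef, vuln))
    samples.sort()
    mean = sum(samples) / trials
    p90 = samples[int(0.9 * trials) - 1]
    return mean, p90


if __name__ == "__main__":
    rate = rate_from_return_period(10)  # once every ten years
    print("rate per year:", rate)
    print("P(event in 1 year)  linear:", probability_linear(rate),
          " poisson:", round(probability_poisson(rate), 4))
    # Where the rule of thumb breaks: 'once a year' is not a certainty
    print("P(event in 1 year) at rate 1/yr  linear:", probability_linear(1.0),
          " poisson:", round(probability_poisson(1.0), 4))
    # Hypothetical ranges: 1-10 threat events/yr (mode 4), vulnerability 0.1-0.6 (mode 0.3)
    mean, p90 = simulate_lef((1.0, 4.0, 10.0), (0.1, 0.3, 0.6))
    print("simulated LEF mean:", round(mean, 3), " 90th percentile:", round(p90, 3))
```

The Poisson form matters most at the high end: a rate of one event per year gives a 63% chance of at least one event in the year, not 100%, and the linear cap silently hides the difference between ‘one a year’ and ‘three a year’.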
The UK Government and NATO standard CRAMM v5.1 decomposes the likelihood component of the risk assessment into a product of the level of threat (a measure of how likely an attack or incident is to occur) and the level of vulnerability (the extent to which the assets are vulnerable to the identified threat).
Each methodology has its own specific approach to combining threat and vulnerability, and while the broad concepts are common, the specific details vary widely.
Likelihood for Information Security Risk can be summarised as
“The probability of a security risk event occurring during a defined period.”
This definition may be further enhanced by decomposing likelihood into a product of threat and vulnerability, but I will describe these in a future post.
Nice piece Phil. I like the distinction you make between objective and subjective likelihood. I hadn’t thought about it in that way.
Can you recommend any papers on the application of Bayesian theory to cyber security risk management?