- December 17, 2020
- Posted by: Vidhi Shah
- Category: Cybersecurity
We all want to make rational decisions and assess risks as logically as possible. We want to have examined all possible variables, considered their probabilities, understood their impact, and then have made the right decision. This is very rarely possible due to the following reasons:
- We are bad at intuitively understanding probability
We lack an intuitive understanding of probability. To the human brain, a probability of 0.1 seems infinitely greater than 0, and our behaviour does not scale with the actual increase in probability. Example – a fatal car crash is a hundred times more probable than an airplane crash, yet are we not more afraid of flying?
- We are subject to biases and fall prey to issues like groupthink, authority bias, etc.
There are dozens, if not hundreds, of biases that we are susceptible to. Many of these operate subconsciously, so we are most likely not even aware of them.
- We let emotions like fear and desires cloud our judgement
Excitement may lead us to overestimate our chances of success whereas anxiety may cause us to be very pessimistic about our losses. Emotions are known to hinder clear decision making and can often lead to distorted estimates.
- We get convinced that our decisions are right due to confirmation bias
We may prematurely make an assumption and then seek out evidence to confirm this assumption, instead of finding evidence and then making an estimate.
No matter how hard we try, it is difficult to be free from these obstacles, which prevent a hundred percent logical analysis. The less we know about a possible risk, the higher the risk we attribute to it. This gets even more complicated when assessing risks in complex scenarios, as there will be multiple layers and factors involved. The more complex a scenario, the more variable components it has, the more probabilities are involved, and the worse our ability to rationally estimate the risk becomes. A considerable amount of risk assessment is currently done by experts based on their “intuition” and certain metrics that seem almost arbitrary. This may not be the most rationally sound way of estimating risk, especially for more complex scenarios. Hence there is a need for a more objective approach to risk analysis.
What is quantitative risk analysis?
Quantitative Risk Analysis is an objective method of performing risk analysis by calculating a numerical value that conveys the overall risk estimate.
Besides helping us make rational decisions, a quantitative approach to risk analysis has the following further advantages:
- Reduced ambiguity
Most quantitative approaches use an easily understandable, universal metric – a dollar value or a value in terms of time. This greatly reduces the ambiguity that other approaches to conveying risk estimates may otherwise cause.
- Ability to put a number to the risk
We know how much we stand to lose. Quantitative methods express the possible risk value in terms of ALE (Annualised Loss Exposure). It is also easier to justify costs when there is a dollar value associated with the risk. It helps us understand which risk needs what magnitude of control measures and where to focus key resources, and it helps the stakeholders plan and draw up mitigation strategies.
- Reduced subjectivity
A “very low” risk may mean one thing to a person who does not consider it important enough to take any mitigating steps, and something that needs action to another. A numeric value makes it easier to draw consensus among the different stakeholders.
- Data-driven approach
Certain approaches to quantitative risk analysis generate simulations. These consider many possible combinations and cases before finally producing the risk value in dollar amounts. This rich data ensures that the worst and best cases are not missed.
- Brings to attention variables we might have missed – scoping
Quantitative methods compel us to think through several kinds of losses and their associated values, which qualitative methods may have overlooked.
- Establishes a confidence level
Having thought through different kinds of losses, attributing loss values to each, and receiving a final value for the risk gives us the confidence not only to plan ahead but also that the mitigation and control measures are sufficient to protect us.
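The ALE figure and the simulation-based approach described above, as an added example that is not part of the original post: a Monte Carlo estimate of annual loss for one constructed scenario (a phishing-led account compromise, with made-up frequency and loss ranges). It assumes the textbook relation ALE = ARO × SLE for the point estimate and uniform ranges for the analyst's inputs; it also reports tail percentiles and the chance of exceeding a loss tolerance, which a single point value cannot convey.

```python
import math
import random
import statistics

# Constructed scenario (not from the post): a phishing-led account compromise.
# Analyst estimates are ranges, not single numbers; units are events/year and USD.
SCENARIO = {
    "events_per_year": (0.5, 2.0),            # plausible min/max loss-event frequency
    "loss_per_event": (20_000.0, 250_000.0),  # plausible min/max dollars per event
}


def point_estimate_ale(events_per_year, loss_per_event):
    """Textbook ALE = ARO x SLE computed from single point values."""
    return events_per_year * loss_per_event


def expected_ale(scenario):
    """Closed-form expected annual loss when both inputs are uniform ranges."""
    f_lo, f_hi = scenario["events_per_year"]
    l_lo, l_hi = scenario["loss_per_event"]
    return ((f_lo + f_hi) / 2) * ((l_lo + l_hi) / 2)


def _poisson(rng, rate):
    """Knuth's inverse-transform Poisson sampler (the stdlib has none)."""
    limit, count, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return count
        count += 1


def simulate_ale(scenario, runs=20_000, tolerance=300_000.0, seed=7):
    """Simulate `runs` years: sample a rate from the frequency range, draw that
    year's number of loss events, then sum an independent loss draw per event.
    Returns the mean (the ALE), tail percentiles and the probability of
    breaching a loss tolerance, which a point estimate cannot give."""
    rng = random.Random(seed)
    f_lo, f_hi = scenario["events_per_year"]
    l_lo, l_hi = scenario["loss_per_event"]
    years = []
    for _ in range(runs):
        events = _poisson(rng, rng.uniform(f_lo, f_hi))
        years.append(sum(rng.uniform(l_lo, l_hi) for _ in range(events)))
    years.sort()
    return {
        "ale": statistics.fmean(years),
        "p50": years[len(years) // 2],
        "p90": years[int(0.9 * len(years))],
        "p_exceeds_tolerance": sum(y > tolerance for y in years) / runs,
    }
```

Comparing `point_estimate_ale(1.25, 135_000.0)` with `simulate_ale(SCENARIO)` shows the same expected loss, but only the simulation reveals how often a year costs far more than that average.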
Humans are good at some tasks, but there are some things we are inherently bad at. As outlined above, we do not intuitively grasp complex mathematical concepts, we tend to be biased, we think subjectively, and terms like low, medium and high are inherently ambiguous. All these factors may lead to incorrect estimates, which in turn may lead to underestimating or overestimating the risks involved. It can be dangerous to leave our risk mitigation plans to these devices alone. Hence, for crucial projects and systems, it may be worth considering a quantitative approach to analysing the possible risks.