Risk in our field is most often defined as risk = threat x vulnerability x consequence. And while it is a formula that is easy to define it is very difficult to give actual values to the variables. How do we quantitatively assign “real” values to the concepts of threat, vulnerability and consequence.

Of the three, consequence may be the most approachable. Consequence can to some degree be quantified in the almost universal units of dollars, with some exceptions. The consequence of an interruption in production of a plant or facility can be quantified as the loss in revenue that the product would have generated + the cost of fixing the problem + the costs of having idle workers at the facility + other normal operational expenses.

Most companies (asset owners) have already performed some of the consequence calculations and have them availabale in the form Recovery Time Objective (RTO) or Business Impact Anaylses (BIA) which define loss for a given time against a given system. RTO being measured in minutes/hours/days.

As an example, an RTO could be calculated using the following inputs: Combine the total revenue loss and cost exposure estimates and use the matrix below to determine the corresponding RTO classification.

Financial Impact / RTO Classification Matrix:

  • RTO 1     Daily Revenue and Cost Exposure is $10 million or greater
  • RTO 2    Daily Revenue and Cost Exposure is between $5 to $9.9 million
  • RTO 3    Daily Revenue and Cost Exposure is between $3.3 to $4.9 million
  • RTO 7    Daily Revenue and Cost Exposure is between $1.0 to $3.2 million
  • RTO 30    Daily Revenue and Cost Exposure is less than $1.0 million

This is then cross-referenced with customer impact tables that cover:

  • High Revenue Customer Risk Table – This table focuses on business processes / services that support customers providing substantial revenue to the organization such as business, corporate and institutional customers.
  • Blended Customer & Revenue Risk Table – This table focuses both on volume of customers impacted and revenue generated by the business process / service.  This table should be used in conjunction with Risk Table to confirm and determine the RTO classification most appropriate for the line of business.

The above can be combined with other inputs which could include regulatory impacts, loss of life, reputation etc.  Each category getting a rating, that is then used to calucate the final RTO.

Consequence multiplies exponentially  when the effects of an event impinges upon environment, human safety and human life. The Bhopal disaster, while not a “cyber” incident, cost Union Carbide over $470 million and most likely will have further mitigation costs for the environmental remediation. And while 3,800 people died immediately from the toxic cloud, it is estimated that 20,000 died from the effects of the release. When calculating risk, what value does one assign to a human life?

The other two values, threat and vulnerability can be viewed as alpha values representing probability.

For vulnerability, given the state of current control systems, there is a probability of 1, that if an attacker is able to penetrate his/her way into the control system that he can do something bad. Knowing this, the probability can be reduced by defense in depth measures that make entry into the control system difficult, and in the best scenario nigh on impossible. The probability of intrusion into a control system through proper perimeter control, system monitoring, other technological solutions, policies & procedures, training of employees, and other mitigations can start to approach 0, but as there are unknowns in any system it can never be viewed as a probability of 0.

Threat too can be viewed as an alpha value, the probability of an organization being targeted for an attack. It is important to understand the makeup of the threat. From hostile nations states, to the gamut of; terrorists, hacker teams, recreational hackers, script kiddies, insider threats, and malicious code agents. Just because an organization is not being directly targeted by an aggressor does not mean that there is no threat. The internet and our networked environments are replete with worms, trojans, and viruses that are automated and will wander into any network that they can leverage themselves into. Threat then must be viewed as a probability approaching 1, and the bigger and more well known an organization, the closer to a probability of 1.

As consequence then becomes the driving factor in the equation it is important to truly understand the consequence of a “worst case” scenario in a facility. This case must be viewed as the consequence of an event if the safety systems fail. Assigning a dollar amount to consequence then provides a reference point against which arguments can be made for further expenditures in safety, and both physical and cyber security.