If everything that's out there is wrong, then what is 'right' in your view? Is there a methodology at all? What pros and cons does the Spiderman model have?
The use of more specific verticals/data points and standard deviation work the best for a more precise and repeatable process.
So you're saying that prioritizing the high risk, high probability situations is a hit to assets and funds?
So instead prioritize what? High risk, low probability? Low risk, high probability? Yeah right, that makes sense.
Why does it matter that the high risk squares are only 36% of the area? If something has a high probability of a high impact, then that’s a risk which needs to be addressed. The actual problem, as far as I can see it, is that the scales are vague - one person’s “high probability” is interpreted by another person as “medium”.
Another issue is that companies I’ve worked with have tended to treat the scales as linear or multiples of two. This is just completely inconsistent with other methods for calculating and assessing risk (e.g. LoPA studies for SIL assessment or lightning risk calcs to IEC 62305), which all work with exponential scales and factors of ten.
However, it is possible to set descriptions for likelihood and impact (like you recommended in one of your other videos) which make people think in terms of order of magnitude, so they can then do a rough assessment with a risk matrix which will be consistent with later, more detailed, quantified assessments. I’ve developed such risk matrices with a few clients in the sectors I work in.
So am I right in saying that not only should you prioritise but you should also understand the variables relative to one another?
For example, 2 risks, both of equal impact: 1 is twice as likely to occur but costs 3 times as much to mitigate, therefore the other takes priority.
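The two comments above (order-of-magnitude scales, and weighing likelihood against mitigation cost) as an added worked example, not code from the thread or the video: a constructed five-entry register is scored on a 5x5 matrix under a linear scale and under a factor-of-ten scale, then ranked by expected loss avoided per unit of mitigation spend. The register entries, the costs and the 3x3 "high" corner band are assumptions made for the example.

```python
from itertools import product

# Constructed sample risk register (not from the thread):
# (name, likelihood 1-5, impact 1-5, estimated mitigation cost in currency units)
RISKS = [
    ("unpatched VPN appliance", 4, 5, 40_000),
    ("phishing of finance staff", 5, 3, 15_000),
    ("stale admin account", 3, 2, 1_000),
    ("lost unencrypted USB stick", 2, 3, 500),
    ("compromise of the code-signing key", 1, 5, 50_000),
]

def linear_score(likelihood, impact):
    """Common matrix convention: treat the 1-5 labels as a linear scale and multiply."""
    return likelihood * impact

def magnitude_score(likelihood, impact, base=10.0):
    """Order-of-magnitude convention: each step is a factor of `base`, so the
    product behaves like frequency x loss (an expected-loss figure)."""
    return base ** (likelihood - 1) * base ** (impact - 1)

def high_band_fraction(n=5, threshold=3):
    """Share of an n x n matrix whose cells have likelihood and impact >= threshold
    (assumed 'high' corner band; threshold 3 on a 5x5 grid gives 9/25 = 36%)."""
    cells = list(product(range(1, n + 1), repeat=2))
    return sum(1 for l, i in cells if l >= threshold and i >= threshold) / len(cells)

def rank_by_score(risks, score):
    """Names ordered from highest to lowest score; ties keep register order."""
    return [r[0] for r in sorted(risks, key=lambda r: -score(r[1], r[2]))]

def rank_by_cost_effectiveness(risks, score=magnitude_score):
    """Names ordered by expected loss avoided per unit of mitigation spend,
    assuming each mitigation removes its risk entirely."""
    return [r[0] for r in sorted(risks, key=lambda r: -score(r[1], r[2]) / r[3])]

if __name__ == "__main__":
    print(f"high band covers {high_band_fraction():.0%} of a 5x5 matrix")
    print("linear   :", rank_by_score(RISKS, linear_score))
    print("magnitude:", rank_by_score(RISKS, magnitude_score))
    print("per cost :", rank_by_cost_effectiveness(RISKS))
```

Note how the rare, catastrophic entry (likelihood 1, impact 5) ranks last under the linear product but above the two likelihood-2/3 entries under the factor-of-ten scale; the cost-per-loss ranking reorders again.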
What would be the point of having numbers at all? Just use qualitative based risk assessment.
Numbers will always be easier, faster to consume and depict a more accurate measurement than words. There is too much variation in speech, culture, comprehension and context when it comes to word pictures.
Well, nice presentation!
Yes, I agree, assigning the value of each matrix could be wrong.
But the purpose of a risk matrix is simply to map the whole risk of your total assets, not to make decisions.
I like that you said MOST, because not all risk assessments do it, especially quantitative risk assessment.
Decision making should be based on quantitative risk values, not on a simple risk matrix.
Again, the risk matrix is just a way to present the distribution of your risk values.
I have only been in security for 7 years, but can call bullsh*t on your argument. Just because the High Impact squares are more in number does not mean that you will end up putting more risk ratings in those categories. You assess the impact and likelihood of each vulnerability being exploited and you come up with a rating, that is it. This way, they are all relative to each other. Ideally you will want to do this with multiple people and representatives from the groups that manage the associated assets. If you want more granularity, just increase the scale to a 7x7 or 10x10.
Not sure of what your "point" is there Shane. Can you mathematically or socially prove your point? "That is it" is typical of $10/hr employees, and point in case of the danger of what has become common practice.
"A camel is a horse designed by a committee"
I understand what you've done, but not why you've done it.
OK, it's disproportionate. But it still provides a way to prioritise risk, where the cut-off point in terms of mitigation is usually down to the resources available, isn't it?
Just because this incorrect approach meets the criteria as a "way" should by no means be grounds for inclusion. Drawing funny cartoons on the back of a napkin is a way, but both have the same net benefit.
Mitigation is the next step; I have only spoken about the assessment. But as you have demonstrated, far too many processes jump prematurely to the mitigation and resources, which will result in under- and over-expenditure without any real risk mitigation.
Your argument is confusing.... Just take out the numbers. Ask the question: what's the likelihood of the risk occurring (1-5) and what's the impact (1-5)? Provide a 1-5 scale that provides guidance for them to understand the impacts and probability. You don't even need to show them the matrix. Once all have been scored (based on a group consensus) you can show them the result... The matrix then shows you an often accurate picture of the organisation's/department's risk.... and then you have prioritised the risks in order of which ones you need to analyse in further detail based on things such as risk velocity, manageability etc.
Alternatively you can set up the red, amber and green zones up front based on the organization's risk appetite. Therefore the numbers become meaningless. RED = MUST ANALYZE NOW AND MANAGE - Amber = Analyse and manage where possible - Green = monitor.
Risk Management NEEDS to be simple or it doesn't work. The risk matrix is an amazing qualitative tool for prioritizing your risks. You can even add an opportunity matrix to it so that you get the group thinking about opportunity too.
"Just take out the numbers" is the whole point as to why most risk assessments are wrong. Numbers are essential, measurement is essential. How do you then "score" without numbers? Even sporting events have scores that use numbers, not word pictures on effort and commitment.
+Intelligent Travel Numbers are absolutely NOT essential.
Well Tony, I have been working in Health, Safety and Environmental for 25 years and you have basically not offered a solution to the problem. Trying to explain a matrix to people is hard enough, let alone looking for solutions. You have presented a crap argument which doesn't weigh up. Did you ever do your real job instead of working with squares and circles and numbers? The main fault with these tables is that people don't look at the most probable outcome, not what could happen as an outcome.
Huh?
Rubbish. So the type of Risk Matrix you are using.