A practical model for risk assessment and prioritisation

Introduction

This article explains a practical and straightforward method of assessing and prioritising risks, based on a simple quasi-mathematical risk model.
What is ‘risk’?

Risk is simply the chance coincidence of three factors:

Threats – events or activities, generally external to the system, which may at some point affect the inherent weak points, causing impacts;
Vulnerabilities – weaknesses within the system under consideration which may, at some point, be exploited by the threats;
Impacts – the short- and long-term organisational [adverse] consequences should threats happen to exploit vulnerabilities.
The probability that a damaging impact will occur is not easy to determine, as it requires the coincidence of one or more threats and vulnerabilities, which are themselves generally unpredictable. A system may possess a vulnerability for a long time without impact until some threatening event actually occurs and ‘exploits’ it. Some threats are more likely to occur than others in a given timeframe (e.g. simple keyboard errors are generally far more frequent than break-ins). Similarly, some vulnerabilities may only appear for short periods of time (e.g. while the security guard walks from the armoured van to the bank vault) whereas others may persist indefinitely (e.g. the bank vault alarm system may not cover all entry points). Impacts also vary in extent: some may be so severe as to jeopardise the entire system or organisation (e.g. a major fire), others may be totally insignificant (e.g. inconvenience to workers).
Insurance companies may have the skills to calculate the probabilities of certain threats and vulnerabilities, and to predict the scale of likely impacts, but even they would acknowledge that this is an imprecise process, perhaps more art than science. Insurers essentially cover their risks by spread betting: although any given event is unpredictable, the probability of a certain number of events in a certain period may be estimated with greater confidence, mostly on the basis of prior experience. However, there are two particular problems with this approach. Some extremely high-impact events (e.g. your CEO being hit by lightning) are so infrequent that human nature tends to discount or ignore them, so insurers find it difficult to sell the corresponding policies at realistic prices. Furthermore, new situations introduce new risks, but the lack of experience makes them even more difficult to predict. High-technology topics such as eCommerce are changing so fast that even IT experts are struggling to keep up. Insurers can do little more than guess at the risks.
Particular combinations of threats and vulnerabilities may occur purely by chance ("bad luck"), but it is intuitively obvious that a system with few vulnerabilities and/or threats is less likely to suffer impacts in the long run, and that a system with many or large potential impacts (in other words, a fragile system) is eventually likely to suffer more damage than one without. This is the basis of risk management, itself a crucial element in the sound management of any organisation. Managers generally seek to reduce vulnerabilities, threats and/or impacts by directing organisational resources towards risk mitigation activities such as installing appropriate control frameworks.
Derivation of a simple risk model

Business is far from risk-free and there is profit to be made by taking acceptable risks, but some risks lead to ruin. The key to sound management is to know which risks to mitigate and when to ‘take a chance’. This is why it is so important to develop a good understanding of risk. In this section, we develop a straightforward quasi-mathematical model to quantify risks.

Thinking simplistically about the nature of risk, one might derive the following additive formula:

Risk = Threats + Vulnerabilities + Impacts
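As an added illustration (not part of the original article), the additive formula applied to a handful of constructed scenarios, with a check against the definition given earlier: an impact only arises when a threat actually coincides with a vulnerability, so a scenario in which any one factor is absent ought to carry no risk. The 0–3 ratings and the scenario names are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    threats: int          # 0 = no plausible threat ... 3 = frequent
    vulnerabilities: int  # 0 = weak point absent ... 3 = persistent and easily exploited
    impacts: int          # 0 = no adverse consequence ... 3 = jeopardises the organisation


def additive_risk(s: Scenario) -> int:
    """The article's simplistic formula: Risk = Threats + Vulnerabilities + Impacts."""
    return s.threats + s.vulnerabilities + s.impacts


def factors_coincide(s: Scenario) -> bool:
    """Per the definition of risk: an impact needs a threat AND a vulnerability."""
    return min(s.threats, s.vulnerabilities, s.impacts) > 0


def prioritise(scenarios: list[Scenario]) -> list[str]:
    """Scenario names from highest to lowest additive score (ties keep input order)."""
    return [s.name for s in sorted(scenarios, key=additive_risk, reverse=True)]


def misranked(scenarios: list[Scenario]) -> list[str]:
    """Scenarios with an absent factor that the additive score nevertheless places
    above at least one scenario in which all three factors are present."""
    genuine = [additive_risk(s) for s in scenarios if factors_coincide(s)]
    floor = min(genuine) if genuine else 0
    return [s.name for s in scenarios
            if not factors_coincide(s) and additive_risk(s) > floor]


# Constructed scenarios; the ratings are illustrative, not taken from the article.
SCENARIOS = [
    Scenario("keyboard error corrupts a customer record", 3, 2, 1),
    Scenario("break-in through an alarm gap at the vault", 1, 2, 3),
    Scenario("fire in an empty, decommissioned storage shed", 2, 3, 0),
    Scenario("alarm gap at an entrance that has been bricked up", 2, 0, 3),
    Scenario("office move inconveniences staff for a day", 1, 1, 1),
]

if __name__ == "__main__":
    for name in prioritise(SCENARIOS):
        print(name)
    print("misranked by the additive formula:", misranked(SCENARIOS))
```

Both zero-factor scenarios score 5 and outrank the genuine (if minor) staff-inconvenience scenario, which is the weakness of simply adding the three factors.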