How the definition of security risk can be made compatible with safety definitions

In safety settings, understood as situations involving the potential occurrence of unintentional events, it is common to define risk as a combination of consequences and their associated probabilities or associated uncertainties. In security settings, understood as situations involving the potential occurrence of intentional malicious events, risk is instead commonly defined as the triplet asset/value, threat and vulnerability. One motivation often given for the latter is that probability is considered inappropriate for intentional acts. In this article, we argue that it is both unsuitable and unnecessary to define risk differently in these two settings. We show that risk, defined as the combination of future consequences and associated uncertainties, can be seen as compatible with the triplet definition of security risk. This definition excludes probability from the definition of risk but explicitly includes uncertainty, which is more fundamental and is present regardless of the type of events involved. The value dimension is integrated into the consequences, since consequences are always with respect to something that humans value. The purpose of the article is to contribute to a consolidation of the safety and security risk management fields at the fundamental level.
