  • DocumentCode
    3523352
  • Title
    The Unexpected Value of Hybrid RMS Risk Management
  • Author
    Goeres, Ross Paul
  • Author_Institution
    MSEE, CEH, CISSP. goeres@ieee.org
  • fYear
    2006
  • fDate
    Oct. 2006
  • Firstpage
    216
  • Lastpage
    220
  • Abstract
    The number of Boxing Day Tsunami victims could have been dramatically reduced had there been an emergency warning system in the countries bordering the Indian Ocean; the lack of such a system was due to cost-benefit analyses that set threat-mitigation resource-allocation priorities. Virtually all quantitative threat assessment and risk management programs use arithmetic means and expected values for analysis and resource prioritization and allocation. Although these methods work reasonably well around the centers of distributions, they underestimate the resources necessary to address threats from the tails of the distributions, such as rare-but-deadly threats and ubiquitous-but-innocuous events; they also tend to over-allocate resources to relatively low-threat and low-impact risks. A cursory survey of current quantitative threat assessment and mitigation methodologies explains why their results may be inappropriate and how root-mean-square (RMS) methods for aggregating n-dimensional threat and impact components into effective risk levels (ERL) yield results that correspond to expectations for risk management and resource-allocation purposes. Motivations and procedures for deriving continuous threat-factor functions are described and integrated into these hybrid RMS (HRMS) aggregation techniques, which may be used to construct security return-on-investment (SROI) metrics for budget justification. These methods are also extensible to uncertain-programming applications (e.g. fuzzy logic) and to reconciling differences of opinion among information security experts. When combined with operations research techniques such as multidimensional scaling, these methods may form the basis for developing the Emergent Standard Information Assurance Assessor
  • Keywords
    disasters; mean square error methods; risk management; Emergent Standard Information Assurance Assessor; budget justification; effective risk levels; hybrid RMS risk management; resource-allocation; root-mean-square methods; security return-on-investment metrics; threat assessment; uncertain-programming applications; Alarm systems; Arithmetic; Cost benefit analysis; Information security; Oceans; Probability distribution; Resource management; Risk analysis; Risk management; Tsunami;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Carnahan Conferences Security Technology, Proceedings 2006 40th Annual IEEE International
  • Conference_Location
    Lexington, KY
  • Print_ISBN
    1-4244-0174-7
  • Type
    conf
  • DOI
    10.1109/CCST.2006.313453
  • Filename
    4105340