# What is the Ideal way to Measure and Communicate IT Risk?

## A suggestion for a successful metric…

Traditionally, when the Information Technology (IT) industry needs to measure and express the level of risk in its environment, it does so by tallying up the number of vulnerabilities it has, along with their severity and magnitude. The problem with this approach is that it can be difficult for senior management (read: non-IT people) to use this information to make effective decisions, compare IT risk against that of other departments, or determine desired risk tolerance or appetite, since no other part of the enterprise expresses risk this way. For as long as I have been in Information Technology / Information Assurance (IT/IA), senior managers have dreamt of IT Risk Metrics expressed in dollars and cents.

#### Value at Risk could be the answer.

Value at Risk, or VAR, is a concept, methodology, and metric for describing risk to a single asset or a group of assets over a specified time period. VAR is a reasonably new concept: pioneered by J.P. Morgan in the late 1980s, it was created as a means to measure risk to their stock trading portfolios (Linsmeier & Pearson, 2000). It has now become the standard way to express financial risk; it's used by both financial and non-financial corporations, institutional investors, and government agencies such as the Securities and Exchange Commission (SEC). VAR is a single value that summarizes the risk of loss under normal circumstances to an asset or a collection of assets such as a portfolio or business unit. Because it can describe the risk of loss and its magnitude, expressed in dollars or as a percentage, for anything from a single asset to an aggregation of assets, over a specified time period and with a specified confidence level, VAR is well suited to communicate risk to board members, senior management, or other extra-departmental stakeholders.

#### How can VAR be applied to IT Risk?

The VAR metric has three components: a time period, a confidence level and a loss amount (or loss percentage). This helps us answer questions such as:

- What is the most I can, with a 95% or 99% level of confidence, risk losing to a cyber event(s), expressed as dollar loss of value, over the next two quarters?
- Same question as above, only this time the loss is expressed as a percentage: what is the max percentage of total value I can, with 95% or 99% confidence, expect to lose over the next year?

VAR has three components: a level of confidence (preferably high confidence such as 95% or 99%), a valid time period (day, month, quarter, year, etc.) and an estimate of the risk of loss (conveyed as either a dollar amount or a percentage).

#### How is VAR calculated?

VAR can be calculated in one of three ways. The first, the historical method, relies on historical data of risk relative to the asset in question. This method is problematic for the IT industry, as we don’t like to share IT risk information. The second, known as the Variance-Covariance method, assumes that risk is normally distributed (think standard bell curve), which is also not a good choice for IT. The third, and the most relevant to IT Risk and IA, is Monte Carlo simulation.

For those not familiar with Monte Carlo (MC): you program the variables that affect your risk and calibrate each of them to a range, then MC runs thousands of simulations, drawing different values from within those ranges for each simulation. Simpler still, as an old friend of mine describes it: imagine rolling a pair of dice 10,000 times, recording what you got on each roll and plotting it on a cumulative probability curve. The variables in that situation would be two dice, each with a possible outcome of 1–6, and 1–12 combined. You would run MC and a nice bell curve would appear with 7 at the peak; as all craps players know, 7 has the greatest statistical probability.
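The Monte Carlo approach described above, applied to a one-year cyber-loss VAR at 95% and 99% confidence, as an added example that is not part of the original article. The calibrated ranges (0.5 to 3 events per year, $20,000 to $750,000 per event as a 90% range) and the choice of Poisson and lognormal distributions are assumptions made for illustration.

```python
import math
import random

Z95 = 1.6448536269514722  # 95th percentile of the standard normal

def lognormal_from_range(low, high):
    """(mu, sigma) of a lognormal whose 5th/95th percentiles are low/high."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z95)
    return mu, sigma

def poisson(rng, lam):
    """Knuth's method: count of events in one period at mean rate lam."""
    threshold, count, product = math.exp(-lam), 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count

def simulate_losses(rng, trials, freq_range, loss_range):
    """One total loss per simulated period, drawn from the calibrated ranges."""
    mu, sigma = lognormal_from_range(*loss_range)
    losses = []
    for _ in range(trials):
        rate = rng.uniform(*freq_range)        # events per period (assumed range)
        events = poisson(rng, rate)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses

def value_at_risk(losses, confidence):
    """Loss not exceeded in `confidence` of the simulated periods."""
    ordered = sorted(losses)
    index = math.ceil(confidence * len(ordered)) - 1
    return ordered[min(max(index, 0), len(ordered) - 1)]

def run(seed=7, trials=10_000):
    rng = random.Random(seed)                  # fixed seed: repeatable report
    losses = simulate_losses(rng, trials,
                             freq_range=(0.5, 3.0),         # constructed inputs
                             loss_range=(20_000, 750_000))  # constructed inputs
    return {conf: value_at_risk(losses, conf) for conf in (0.95, 0.99)}

if __name__ == "__main__":
    for conf, var in run().items():
        print(f"{conf:.0%} one-year VAR: ${var:,.0f}")
```

Each printed line carries the three VAR components: the confidence level, the time period, and the dollar loss.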

#### Benefits of using VAR.

The greatest benefit of using VAR to communicate IT Risk is that the message is more clearly received by the audience. This will facilitate increased rapport, better decision-making, and an enhanced level of professionalism for IT and its personnel. Don’t take my word for it, try it and see what your audience prefers.