Analysing risks — causation vs. association

Team Merlin
Government Digital Services, Singapore
4 min read · Mar 18, 2022

👋 Hello everyone ~

How often does the following happen: we present a risk report to customers and meet huge resistance, with customers arguing that some risks could never happen, even though you know in your bones that they're very much possible. Is there a better way to handle such situations?

In this article, we'll look at the Causation vs. Association concept and why it matters for building "trust" with customers, which helps get them aligned with your risk analysis.

A Causation Risk is defined as the relationship between a risk factor and a vulnerability and how one affects the other; the vulnerability would not have occurred in the absence of the risk factor.

An Association Risk refers to the statistical relationship between two variables (dependent on each other) which tells you the value of one variable when you know the value of the other.

In the field of risk management, analysing risks can easily fall into what we call the Causation vs. Association trap: risk analysis often adopts a statistical approach to the relationship between events and performance assessment in order to determine which events are most probably causing the most impact. However, association doesn't always imply causation.

Humans tend to correlate one item with another, influenced by our own perceptions and recent experiences. The fact that two things are related doesn't imply that one is the cause of the other. A good example is drinking and driving. While there is a high association between drinking and bad driving (i.e. drinking leads to bad driving), bad driving is not caused by drinking. In this example, bad driving is only associated with drinking; there is no causation. This concept is important because when you present your "drinking leads to bad driving" risk statement to a good drinker, they will probably disagree and will likely argue against it.

However, if we reposition the risk statement as "drinking promotes slow reaction when driving by x%, which can result in accidents", the discussion may go a different way! The focus of the argument will then likely shift towards reducing drinking to prevent the effect of poor judgement in driving. Eventually, the audience will be more receptive and willing to take mitigation measures to handle the risk situation.

The above shows how analysing risks using causation and association can greatly affect your eventual risk statement and positioning, thus preventing unnecessary arguments.

Let's take a look at another example, closer to cyber risk. This risk statement is often seen:

“In the event of a lack of controls, sensitive data may be compromised.”

Applying the Causation vs. Association technique to this, does the lack of controls really cause data to be compromised, or is it just an association?

Without a strong causation link, customers will always have a lot to debate. "A lack of controls" covers a wide spectrum, hence it can only be an "association" type of risk statement. Besides, customers will likely not understand which controls we are referring to. If we want a strong risk statement, it is better to analyse deeper and present a causation risk. For example, let's rewrite the above risk statement as follows:

“In the event security patches are not implemented in a timely manner, your system’s vulnerabilities may get exploited.”

With the above risk statement, it’ll be more difficult for customers to debate the possibility of the risks. It will draw their attention and kickstart discussion on how to better provide security patches in a more timely manner.

It is important to understand and have the Causation vs Association mindset when analysing risks. This creates a much stronger perspective and understanding of each risk and hence, helps customers better relate to the risk posture.

We hope this article is useful and gives you a different perspective on how risks can be analysed, and reduces the number of disagreements/debates with your customers while presenting the risks to them! 🍻

🧙🏼‍♀Team Merlin 💛
Application security is not any individual’s problem but a shared responsibility.
