The Arkferos Risk Framework

Free for all

This Google Sheet contains the main model of our custom risk framework, developed over years of risk management. The sheet has a risk calculator and contains all of the model’s core variables and math. Feel free to download and use it in your organisation. The sheet is covered by the MIT License, so we ask only that you spread the word about it and give us credit for creating the foundations of the model.

How to use this model?

The easiest way to use this model is to make a local copy of the sheet and get started by calculating risks right away. The minimum you must select is a value for Impact, Control and Probability from the dropdowns provided.

To sense check that you’ve selected the right Impact and Control level, you can optionally select the Primary Category of a risk and the Control Type from the dropdowns. Both of these display text to the right which aligns with the levels you selected, and in this way you can ensure that you’re measuring your risk properly.

Single Loss Expectancy and Annual Loss Expectancy are based on the Impact severity and are calculated automatically. Note that these calculations are based on a framework built for medium to large businesses. You can optionally enter a dollar value in the SLE OVERRIDE box, which will adjust the calculation. This value should be based on the loss you estimate should the risk materialise once.

Why should you use this model?

Risk Management and modelling usually falls into two camps: the simple 5 x 5 model, or the complex risk models that only the largest enterprises, insurers and banks will use (because they can afford the staff and tools to run the complex analysis).

We firmly believe both models are ineffective for most use cases because of a few philosophical beliefs about risk:

  1. Risk Management is an important tool for an organisation to make decisions, especially when it comes to prioritising the use of limited resources.
  2. A risk model needs to be able to measure and represent risks as realistically as possible, for as many use cases as possible, across all problem spaces in an organisation.
  3. Risk Management isn’t a security function – it’s an organisational function.

The above necessitates a model which allows you to use quantifiable, measurable data to model a risk. It also necessitates that the model you use allows you to effectively differentiate between different types of risks.

What doesn’t work in other models?

In our opinion, the classic 5 x 5 model is all but useless, as it doesn’t really tell you anything about a risk. While risk scoring is somewhat arbitrary, a classic 5 x 5 has next to no quantifiable qualities within it. Furthermore, the classic 5 x 5 usually features a simple calculation where Impact and Likelihood are both measured in integers 1 through 5. This leads to a situation where the model makes high impact / low likelihood risks measure the same as low impact / high likelihood risks. We believe that this results in a representation of risk which doesn’t really allow you to differentiate meaningfully between different types of risks.

The same cannot be said of the F.A.I.R. risk methodology. This approach breaks a risk down into its elementary components, and as such offers a lot of detail. The risk score numbers for F.A.I.R. are arbitrary, but how one arrives at them is not. It is a complex web of context. This lovely complexity does come with a drawback – most organisations do not have the data, the tooling or the competency to analyse risk in this way. This level of detail and analysis is its downfall, making it unapproachable for most organisations.

Why is the Arkferos Risk Model different?

Our model, which is inspired by the F.A.I.R. methodology, tries to land somewhere in the middle, to keep things accessible AND relevant. At its core there are only 3 numbers to interact with: Impact, Probability of Occurrence and Level of Control. The latter two form the classic “Likelihood” of the 5 x 5, but with better detail borrowed from F.A.I.R.

Probability of Occurrence is a time based metric that can be data driven (how often has this risk occurred) or estimated (when do we think this risk will occur), giving you flexibility in how you approach it without sacrificing your analysis. It acts as a stand in for F.A.I.R.’s Contact Frequency and Probability of Action.

While more qualitative, Level of Control offers an abstraction of F.A.I.R.’s Threat Capability and Resistance Strength, by uniting controls into a description of their existence and their effectiveness. This makes it easier to apply to a wide variety of scenarios where the types of mitigating controls differ.

These 3 numbers are then multiplied to give you your risk score.

But wait, there’s more...

Our risk model has some extra punch built into the Impact value. It comes ready with several categories of risk which are level matched to each other, and to a specific financial loss. The inclusion of categories like Employee Safety, Privacy, Client Retention and Reputation means that you have a way to compare risks across all areas of your organisation within the same model.

The level matching with financial loss takes this a step further, allowing you to create a financial model of your risk in terms of Single Loss Expectancy and Annual Loss Expectancy. Of course, these numbers are customisable, and the calculator allows you to override the built-in numbers. What this means for you and your organisation is that you can start attributing hard numbers to risks, which means you can make better decisions about which risks to mitigate first, and which to ignore.

Last, but not least, our scoring values weigh Impact more than “likelihood,” which means that a high impact / low likelihood risk will stand out (have a much higher score) when compared to a low impact / high likelihood risk.

For better or for worse, the key to this model is that it allows you to measure and compare risks across the whole organisation, and not just security. Now you can decide whether it’s better to close that vulnerability, or deliver a much needed feature to all clients.

How does it work?

The Arkferos Model is based on the F.A.I.R. risk methodology, but it is massively simplified. It does this by abstracting some of the complexity into a smaller, more manageable set of points to measure, and by coupling a description of a measurement with multiple values which help to model that description.

By measurement points we mean the probability of occurrence of a risk, combined with the level of controls preventing the risk from occurring, to create likelihood; and the severity of an impact, based on the appropriate categories.

This is represented in a mathematical model where the calculated ‘Risk Score’ of a particular event (or series of events) is equal to Probability x Level of Control x Impact, where Probability and Level of Control together form the likelihood of an event, with Probability acting as a modifier.

Probability of Occurrence is a time based value expressed as “within x time.” This can be a data driven measurement (how often has this risk occurred) or an estimated measurement (when do we think this risk will occur). It is coupled with Probability Time, which represents the frequency the event will happen over the year and is the numerical description of the time based value. It is also coupled with a Probability Score, which is used for the risk score calculation. By default, the score drops off as the time frame increases, starting at 1 for the most imminent event and going down to 0.5 for events happening within a year or more. The assumption is that the less imminent a problem is, the less important it becomes, driving down the overall risk.

Level of Control is a qualitative description of the amount and effectiveness of controls. It is primarily used to model what kind of compensating controls (or mitigations) are in place to prevent the risk from materialising. This is expressed as whether a control exists (it does, or it doesn’t) and how effective it is (from ineffective to highly effective). It is coupled with a Control Score (used for the risk scoring calculation), ranging from 1 to 5 with 5 being the worst (a complete lack of controls). It is also coupled with an Annual Loss Expectancy Weight, which is used for estimating Annual Loss Expectancy (explained later) and ranges from 1 to 0.5 with 1 being the worst. While the model ships with some Control categories, the Control Level definitions are the most useful across most use cases.

Impact is both a qualitative and quantitative measurement of the gross impact of a risk should it materialise. It is expressed as a severity descriptor in Impact Level, and coupled with an Impact Score which is used in the risk scoring calculation. The scoring methodology weighs impacts above all else, so the score goes exponentially from 1 to 16, where 16 represents the severest impact. It is also coupled with Impact Categories, of which Financial is the currency value of the impact, used in the financial modelling of ‘Single Loss Expectancy’ (SLE) and ‘Annual Loss Expectancy’ (more on this later). All the categories are level matched such that the severity of an event in one category is matched to the severity of an event in another category. This is intended to be customised for each organisation, as it forms a key component of risk modelling and risk appetite.

As mentioned before, the approach to Impact measurement also allows for the modelling of financial loss. This is intended to be the net financial loss should a risk materialise, based on the value of an asset, but it can otherwise be estimated from the impact matrix, which matches a level of impact to a financial outcome. The calculator handily allows you to override this, and further customisation is possible.

This financial modelling is expressed as ‘Single Loss Expectancy’ (SLE) and ‘Annual Loss Expectancy’ (ALE). SLE represents the expected financial loss from the risk being materialised once, at any given time. ALE represents the total expected loss over a 12 month period should the risk materialise repeatedly. ALE is equal to SLE x Probability Time x ‘Annual Loss Expectancy Weight’, where the probability definition is used to determine the rate of occurrence and the Annual Loss Expectancy Weight factors in the level of control mitigating the risk.

The Annual Loss Expectancy Weight is a function of the Control Level and assumes that as the effectiveness of controls increases, the impact of a risk will decrease. This was added to improve the Annual Loss Expectancy of a risk, as it was found that the financial consequences of larger strategic risks weren’t being adjusted even though those risks were being mitigated. This made those risks, and the actions being taken to mitigate them, feel disconnected from reality, which undermines one of our core philosophies of risk management. That said, the Annual Loss Expectancy Weight is the most arbitrary of the values the model uses, so your mileage may vary with it.
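The three multiplications described in this section (Risk Score, SLE and ALE), worked through as an added Python example that is not part of the Arkferos sheet. The page fixes the ranges (Impact Score 1 to 16 exponential, Control Score 1 to 5 with 5 worst, Probability Score 1 down to 0.5, ALE Weight 1 down to 0.5, “within 3 months” meaning 4 occurrences per year, and the $1,000,000 “Major” loss); the level names, the intermediate values and the other dollar figures in the tables are constructed assumptions, not the sheet’s own numbers. The example also contrasts the result against the plain 5 x 5 product the earlier section criticises.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed lookup tables standing in for the sheet's Impacts, Controls and
# Probability tabs. Only the ranges and the $1M "Major" figure come from the
# page; level names, intermediate values and other dollar amounts are assumed.
IMPACT = {  # level: (impact_score, financial_loss_usd)
    "Negligible": (1, 10_000),
    "Minor": (2, 100_000),
    "Moderate": (4, 500_000),
    "Major": (8, 1_000_000),
    "Critical": (16, 20_000_000),
}
CONTROL = {  # level: (control_score, ale_weight); 5 / 1.0 = no controls at all
    "No controls": (5, 1.0),
    "Ineffective": (4, 0.875),
    "Partially effective": (3, 0.75),
    "Effective": (2, 0.625),
    "Highly effective": (1, 0.5),
}
PROBABILITY = {  # level: (probability_score, occurrences_per_year)
    "Within 1 month": (1.0, 12),
    "Within 3 months": (0.875, 4),
    "Within 6 months": (0.75, 2),
    "Within a year or more": (0.5, 1),
}


@dataclass(frozen=True)
class RiskResult:
    score: float  # Probability Score x Control Score x Impact Score
    sle: float    # Single Loss Expectancy in USD
    ale: float    # Annual Loss Expectancy in USD


def assess(impact: str, control: str, probability: str,
           sle_override: Optional[float] = None) -> RiskResult:
    """Reproduce the calculator's three outputs for one risk.

    Risk Score = Probability Score x Control Score x Impact Score.
    SLE is the Financial value of the Impact level unless overridden
    (the sheet's SLE OVERRIDE box).
    ALE = SLE x Probability Time (occurrences per year) x ALE Weight.
    """
    impact_score, financial = IMPACT[impact]
    control_score, ale_weight = CONTROL[control]
    prob_score, per_year = PROBABILITY[probability]
    score = prob_score * control_score * impact_score
    sle = float(financial if sle_override is None else sle_override)
    ale = sle * per_year * ale_weight
    return RiskResult(score, sle, ale)


def classic_5x5(impact: int, likelihood: int) -> int:
    """The plain 5 x 5 product the page contrasts against (both inputs 1..5)."""
    return impact * likelihood


if __name__ == "__main__":
    # High impact / low likelihood versus low impact / high likelihood.
    rare_disaster = assess("Critical", "Highly effective", "Within a year or more")
    frequent_nuisance = assess("Negligible", "No controls", "Within 1 month")
    print("Arkferos:", rare_disaster.score, "vs", frequent_nuisance.score)  # 8.0 vs 5.0
    print("5 x 5:   ", classic_5x5(5, 1), "vs", classic_5x5(1, 5))          # 5 vs 5
    major = assess("Major", "Partially effective", "Within 3 months")
    print(f"Major risk: score={major.score} SLE=${major.sle:,.0f} ALE=${major.ale:,.0f}")
```

With these tables the rare, well-controlled Critical risk scores 8.0 against 5.0 for the frequent, uncontrolled Negligible one, whereas the 5 x 5 product gives 5 for both. The Major example scores 21.0, with an SLE of $1,000,000 and an ALE of $3,000,000 (four occurrences a year, damped by the 0.75 weight of partially effective controls).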

Customising the model

There are two options for customising the model.

  1. Hire Arkferos to do risk workshops and analysis with your organisation, and to deliver a customised risk framework.
  2. Edit the values yourself and do your own customisation for your business.

In the spirit of making this free and openly available, let’s discuss how to do option 2.

The sheet is purposely unlocked. This means you can edit any of the formulas or values. This gives you ultimate power to adapt it to your organisation, or break it completely!

Appetite Tuning & Testing sheet

The first area to focus on in terms of customisation is the Appetite Tuning & Testing sheet.

Here you can customise your appetite for risk by changing the values of Critical Risk, Strategic Risk, Operational Risk Limit and Moderate Risk. These are thresholds for the calculated risk score, allowing you to distinguish serious risks from less serious ones. As you change them you will see the colour pattern on the right change to reflect where a risk score would fall.

The bottom left box shows you certain min/max attributes of the risk model. We use this to make sure that the model makes sense overall, so if you change fundamental values like impact scores, control scores and financial values, you’ll see this area shift.

Impacts

The Impacts sheet is probably the most important and relevant sheet for customisation. On the far left are “core values” such as the Impact Level name, the Impact Score, and the Financial impact of that Impact Level.

The columns to the right list the categories of impact (which can be selected in the Primary Category dropdown on the calculator). In each column there is a description that matches the Impact Level.

We believe that the scoring methodology in the Impact Level and Impact Score columns is already optimised for most organisations, regardless of size, and as a result shouldn’t be changed. HOWEVER, we strongly recommend reviewing the Financial impact and all the Categories and descriptors. This is critical to matching the framework to your organisation.

As an important tip, you want all of the levels to match. The financial value for a Major Impact risk should align very closely with the description of the category. As an example, the base model assumes that the loss of 1 client could result in a loss between $1 000 000 and $20 000 000. If that’s not the case, you may want to change either the description or the value of that particular impact.

Controls

Similarly to Impacts, the Controls sheet’s “core values” are on the left. These are the Control Level, Control Score and Annual Loss Expectancy Weight. To the right are a few Control Types.

Also similar to Impacts, we believe that Control Level and Control Score are already optimised for most organisations, regardless of size. The wording in the Control Level is probably the most important to keep, as it is the easiest way to evaluate the strength of any control that’s not already well defined or understood, and thus to apply the measurement to a wide array of risks.

The Annual Loss Expectancy Weight is a bit more subjective, as it is a value that is multiplied into the Annual Loss Expectancy calculation, reducing the annual loss given a certain level of controls. The assumption is that as you increase your level of control, the impact of an event will also decrease. We believe this weight creates much more realistic financial risk projections, but you may want to modify it, or not use it at all.

The Control Types are open to review, and are there for reference. In practice, we’ve found that most of the time we’re using the Control Level for qualitative assessment, and as such didn’t find much need to add more. But feel free to edit or add to them if it helps to increase your clarity in risk measurement.

Probability

The Probability sheet is pretty straightforward, with Probability Level, Probability Weight and Annual Loss Expectancy Time Multiplier. While we think this is already fully optimised, I think modifying this section is really up to each organisation’s taste.

The Probability Level defines the length of time within which you expect a risk to materialise. Our philosophy of risk focuses on immediacy and actionability, and the timescales in this section reflect that. We believe that risks that materialise once or less per year are not terribly useful to differentiate. However, your organisation may prefer to measure wider timescales.

Note that a change in the Probability Level should also come with a change in the Annual Loss Expectancy Time Multiplier, as this is just a numerical value representing the description of time in the Probability Level. The math assumes that if there’s a probability of a risk occurring within 3 months, that same risk will materialise 4 times per year, and therefore the Single Loss Expectancy will be multiplied by 4. If you edit this, ensure it makes sense with the description of the Probability Level.

The Probability Score is of course used in the main Impact x Control x Probability calculation for the risk score. In our development, we found that it was much better to use this as a way to reduce the overall score of a risk rather than to increase it. The assumption is that the less probable something is, the less important it is as well. Your mileage may vary, but I would not use values above 1, as it will really warp your model’s minimum and maximum scores.
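The checks this section and the Appetite Tuning & Testing section describe (the min/max box, the appetite thresholds, and keeping the Time Multiplier and Probability Score consistent after an edit), as an added Python example that is not the sheet’s own logic. The threshold values, the “Below Moderate” band for scores under the lowest threshold, and the rule that a “within N months” window implies 12/N occurrences per year are assumptions made for the example; the page only names the four thresholds and gives the 3 months = 4 per year case.

```python
from typing import Iterable, List, Sequence, Tuple


def score_bounds(impact_scores: Iterable[float], control_scores: Iterable[float],
                 probability_scores: Iterable[float]) -> Tuple[float, float]:
    """Minimum and maximum Risk Score the model can produce (the sheet's min/max box).

    Because the score is a plain product, the extremes come from the extremes
    of each column; editing any column shifts these bounds.
    """
    lo = min(impact_scores) * min(control_scores) * min(probability_scores)
    hi = max(impact_scores) * max(control_scores) * max(probability_scores)
    return lo, hi


def band(score: float, thresholds: Sequence[Tuple[str, float]]) -> str:
    """Name the appetite band a score falls into.

    thresholds are (name, lower bound) pairs; the highest bound the score
    reaches wins. Scores under every bound get "Below Moderate" (assumed).
    """
    for name, floor in sorted(thresholds, key=lambda t: t[1], reverse=True):
        if score >= floor:
            return name
    return "Below Moderate"


def probability_issues(rows: Iterable[Tuple[str, int, float, int]]) -> List[str]:
    """Sanity checks for an edited Probability tab.

    rows: (Probability Level, months in the level's window, Probability Score,
           Annual Loss Expectancy Time Multiplier). A score above 1 inflates the
    maximum score; a multiplier that disagrees with the window (assumed rule:
    12 / months, at least 1) breaks the ALE math the page describes.
    """
    issues = []
    for level, months, score, per_year in rows:
        if score > 1:
            issues.append(f"{level}: Probability Score {score} is above 1")
        expected = max(1, round(12 / months))
        if per_year != expected:
            issues.append(f"{level}: window of {months} months implies "
                          f"{expected}/year, multiplier is {per_year}")
    return issues


# Constructed default columns matching the ranges the page gives.
DEFAULT_IMPACT_SCORES = [1, 2, 4, 8, 16]
DEFAULT_CONTROL_SCORES = [1, 2, 3, 4, 5]
DEFAULT_PROBABILITY_SCORES = [1.0, 0.875, 0.75, 0.5]

# Constructed appetite thresholds; the sheet's own values are not on the page.
THRESHOLDS = [("Critical Risk", 40), ("Strategic Risk", 20),
              ("Operational Risk Limit", 10), ("Moderate Risk", 4)]

# Constructed Probability tab rows: (level, months, score, multiplier).
DEFAULT_PROBABILITY_ROWS = [
    ("Within 1 month", 1, 1.0, 12),
    ("Within 3 months", 3, 0.875, 4),
    ("Within 6 months", 6, 0.75, 2),
    ("Within a year or more", 12, 0.5, 1),
]


if __name__ == "__main__":
    print("bounds:", score_bounds(DEFAULT_IMPACT_SCORES, DEFAULT_CONTROL_SCORES,
                                  DEFAULT_PROBABILITY_SCORES))          # (0.5, 80.0)
    print("after adding a score of 2:",
          score_bounds(DEFAULT_IMPACT_SCORES, DEFAULT_CONTROL_SCORES,
                       DEFAULT_PROBABILITY_SCORES + [2.0]))             # (0.5, 160.0)
    print("21.0 ->", band(21.0, THRESHOLDS))                            # Strategic Risk
    print(probability_issues(DEFAULT_PROBABILITY_ROWS))                 # []
    print(probability_issues([("Within 3 months", 3, 1.5, 6)]))         # two warnings
```

Run the bounds check before and after any edit to the score columns: replacing the exponential Impact Scores with a linear 1 to 5 drops the maximum from 80 to 25, which is exactly the kind of shift the min/max box is there to surface.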

Want to know more?

Want to know more about our philosophy of risk? See our article Madness: The Art of Not Caring (in our madness series)

MIT License

Copyright 2024 – Troy Cunningham & Arkferos Ltd

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.