Solution Risk, Vulnerability, Threat and Mitigation - Does Risk Need to be Separate from Event?
by Nic Plum on Thursday 07 January, 2016 - 19:37 GMT
Posted in Architecture Framework • TRAK
Tags: definition • hazard • metamodel • ontology • risk • standard • threat • trak • viewpoint • vulnerability
Changes have been made to TRAK to support the description of risk and event sequences in the guise of the SVp-11 Solution Event Causes and SVp-13 Solution Risk Viewpoints. This has been a piece of work underway for at least 3 years but it seemed necessary to publish it so that the viewpoints and tuples can be exposed to wider testing i.e. used in anger.
As with most of this sort of work there is a limit to the amount of theorising that is possible and it’s necessary to test the pragmatism and utility. It’s likely therefore to undergo some tweaking. If any relationship or metamodel entity is not needed then it should be removed since the overall aim is to work with the minimum metamodel needed to just be adequate. A larger metamodel is not only harder to maintain and keep consistent but because it is only there to support the concerns in the set of TRAK viewpoints (specifications for views cf ISO/IEC/IEEE 42010:2011) it follows that a larger metamodel makes definition of a consistent set of viewpoints harder. With more entities and relationships it is also likely that an architecture description can become more complex and require more effort to present it clearly to get the meaning across (at least to a Mk 1 Human Being since being based on triples a TRAK architecture description is machine-readable and analysable). Every tuple in the TRAK metamodel has therefore to earn its keep / justify not being removed.
Solution Risk
In a previous posting I identified why we think, in TRAK at least, that a risk is a type of event and why many of the current definitions of risk do not actually define what a risk is (only how you might calculate a number or metric i.e. probability of occurrence x impact severity).
We’ve tied risk to the solution because we think that this is where it most often manifests itself in terms of design features or changes to the design of the system of interest to mitigate it. In engineering terms it is really the cumulative risk exposure to people that drives design change hence it makes sense to be able to relate risk, vulnerability, threats and mitigation to a solution design whether the causing agent or the impacted one.
TRAK therefore supports the following triples / tuples for describing risk:-
https://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons” href=“https://commons.wikimedia.org/wiki/File%3ATRAK_metamodel_part_2_safety_security.jpg”>
- Resource (System, Software, Physical, Role, Job or Organisation) has Vulnerability
- Function has Vulnerability - what the Resource does
- Resource Interaction has Vulnerability - the exchange between Resources
- Interaction Element has Vulnerability - what is exchanged between Resources
- Resource poses Threat (synonym Hazard)
- Threat exploits Vulnerability
- Threat to Resource
- Threat to Function
- Threat to Resource Interaction
- Threat to Interaction Element
- Threat poses Risk
- Resource exposed to Risk
- Risk is managed by Mitigation
- Mitigation uses Function
- Mitigation uses Resource
By way of a small example using a small subset of the above we have a nuclear reactor.
It is possible to identify an external actor as the origin of the threat (hazard) - ‘Resource 1 poses Threat to Resource 2’. Similarly mitigation might be a result of a part of the same resource or it might require a different one (‘Resource 1 is exposed to Risk is managed by Mitigation uses Resource 2’).
In all of this the description of Risk, Vulnerability, Threat (Hazard) and Mitigation can be linked to the description of the solution or part of the solution. This therefore enables the solution design to be modified in response or the mitigation to be altered in response to a design change so the cause and effect is always visible in the architecture description.
So far all of this is pretty straightforwards. The “toughie” is:-
- Risk is a Event
This is tricky not because there is any doubt that a Risk is a type of Event. A risk typically is associated with a probability of occurrence and an impact severity. If we are thinking about an event in the way it would be used in, say, Fault Tree Analysis (FTA) then it also has a probability of occurrence. It too can have an impact severity. So are there differentiating attributes of a risk (event)? We couldn’t think of any - suggestions welcome. The rationale for having a separate Risk metamodel element was simply that people might expect to see elements labelled as ‘Risk’ because they might not equate ‘Event’ with the description of a risk (affordance and visibility).
Note. Although there isn’t a difference in the attributes there is a distinction in the possible values A Risk and an Event can take. A Risk, by definition is always uncertain but possible therefore 0 < probability of occurrenceRisk < 100% whereas a ‘straight‘ Event may be impossible or certain and therefore 0 ≤ probability of occurrenceEvent ≤ 100%. Risk therefore seems to occupy a subset of the range of values for Event.
Is this worth having 2 distinct elements, particularly since the inheritance (‘is a’) means that we also have:-- Risk caused by Risk
- Risk impacts on Resource
- Risk caused by Resource
- Risk AND / OR / etc. Risk
and this is less clear when Risk and Event are separate entities on the metamodel diagram.
If there was the one element, Event, then it would still allow risks (Events) to be clustered or grouped which would allow the SVp-11 to be used to describe and identify common causal risk (events) and therefore suggest ways in which risks might be managed. The only penalty seems therefore to be 1) visibility - can risks be identified as such when typed as Event? 2) affordance - is it obvious that an Event element can be used to describe a risk?
Can anyone justify why Risk and Event should be distinct or why they should be subsumed into Event? Clearly from a TRAK-management point of view it would be better to apply the Highlander Principle (“there shall only be one”) but this might overridden by the UI / HCI aspects.
Thoughts?
External Links
- TRAK00001. TRAK. Enterprise Architecture Framework. Viewpoints. 1st January 2016
- TRAK00002. TRAK. Enterprise Architecture Framework. Metamodel. 1st January 2016
- TRAK Metamodel fragment - Safety & Security 1st January 2016 - Wikimedia Commons - https://commons.wikimedia.org/wiki/File%3ATRAK_metamodel_part_2_safety_security.jpg
Comments
Logged-in site members can receive notifications of comments made on this article.
Related Articles
Linked directly:
- Risk and Threats - The Common Ground Between Security and Safety?
- Definitions - What Exactly is a Risk?
Sharing tags:
« Previous What Would a TRAK View Look Like in a Graph Database? Part 1 Nato AF (NAF) Version 4 - A Look at the Definition of View Content Next »