APPENDIX II: Quantitative Approach

CALCULATING PROBABILITY AND CRITICALITY

LOSS EVENT PROFILE

Forecasting individual loss events that may occur is the first step in dealing with risk assessment. It requires clear ideas about the kinds of loss events or risks, as well as about the conditions, circumstances, objects, activities, and relationships that can produce them. A security countermeasure can be planned if the loss event has the following characteristics:

• The event will produce an actual loss, measurable in some standard medium, such as money; and
• The loss is not the result of a speculative risk, in that nonoccurrence of the event would not result in a gain.

The kinds of events that are loss-only oriented and which involve so-called “pure risks” include crime, natural catastrophe, industrial disaster, civil disturbance, war or insurrection, terrorism, accident, conflicts of interest, and maliciously willful or negligent personal conduct. The recognition of even obvious risks implies some estimate of the probability that the risk actually will produce a loss. To the extent that the risk itself is concealed, the task of estimating probability of occurrence is more difficult.

LOSS EVENT PROBABILITY OR FREQUENCY

Probability can be formulated as the number of ways in which a particular event can result from a large number of experiments which could produce that event, divided by the number of those experiments. Stated as an equation, this is:

P = f / n

where:
P = the probability that a given event will occur
f = the number of actual occurrences of that event
n = the total number of experiments seeking that event

E.g., the probability of shoplifting at a given location during a given year is determined as:

p (probability) = the number of days on which actual shoplifting events occurred during the year, divided by 365.
Although this simple statement illustrates a direct way to calculate probability mathematically, it is not enough for practical application to security loss situations, because while some events will occur more than once, other events will occur only once, and the reaction will so change the environment that the theoretically probable further occurrences will be prevented. As a basic concept, the more ways a particular event can occur in given circumstances, the greater the probability that it will occur. For effective assessment of probability, as many as possible of those circumstances that could produce the loss must be known and recognized.

Probability Factors

Conditions and sets of conditions that will worsen or increase asset exposure to risk of loss can be divided into the following major categories:

1. Physical environment (construction, location, composition, configuration)
2. Social environment (demographics, population dynamics)
3. Political environment (type and stability of government, local law enforcement resources)
4. Historical experience (type and frequency of prior loss events)
5. Procedures and processes (how the asset is used, stored, secured)
6. Criminal state-of-art (type and effectiveness of tools of aggression)

Application of Probability Factors Analyses

The practical value of loss risk analysis depends upon the skill and thoroughness with which the basic risks to an enterprise are identified. This is the first and most important step in the entire process. Every aspect of the enterprise or facility under review must be examined to isolate those conditions, activities, and relationships that can produce a loss. For an effective analysis, the observer must take into account the dynamic nature of the enterprise on each shift and between daylight and darkness. The daily routine must be understood, because the loss-producing causes can vary from hour to hour.
Checklists

Every enterprise differs from every other, and general recommendations must be modified to meet local needs. Consult the references in this guideline for forms and checklists to use in the initial gathering of loss event data.

RISK MATRIX

After analysis has identified the specific threats or risks, the details that make occurrence of each event more or less probable can be recorded. The method suggested is a grid or matrix arranged either by asset or by type of risk, setting forth all the factual elements relevant to probability. Matrices describe a particular situation with respect to each of the risks identified in the general fact gathering. Please see Figure 1, infra. The frequent absence or scarcity of historical occurrence data often makes it impossible to calculate probability on a purely quantitative basis and requires some degree of qualitative assessment.

Asset Identification and Description

                |                    CONDITIONS AFFECTING RISK
Location        | Value ($) | Admittance Controlled (Y/N) | Records Kept (Y/N) | Other
----------------+-----------+-----------------------------+--------------------+------
Warehouse       | Etc.      | Etc.                        | Etc.               | Etc.
Front Office    | Etc.      | Etc.                        | Etc.               | Etc.
Laboratory      | Etc.      | Etc.                        | Etc.               | Etc.
Shipping        | Etc.      | Etc.                        | Etc.               | Etc.
Manufacturing   | Etc.      | Etc.                        | Etc.               | Etc.
Etc.            | Etc.      | Etc.                        | Etc.               | Etc.

Figure 1. Specimen Matrix. Locations and Conditions Affecting Risk can be added and/or modified to fit the particular asset and its environment. (Y/N) = Yes or No for each condition specified. Conditions should be framed such that a Yes indicates better and a No indicates poorer protection.

Probability Ratings

After all the available data concerning each risk and its factual circumstances have been gathered, a probability rating can be assigned to that risk. Ratings will not consider any precaution or countermeasure that may later be taken to reduce or eliminate the risk. A primary purpose of such unconditioned ratings is to allow for later priority scheduling in the selection of countermeasures. It may be enough to be able to say one event is more probable than another.
To say this about entire series or categories of events, it must be possible to assign each to some class that can then be compared with other classes to arrive at a conclusion of “more likely” or “less likely.” Five categories of probability can establish useful distinctions among events, as follows:

(A) Virtually Certain — Given no changes, the event will occur. For example, given no changes, a closed intake valve on a sprinkler riser will prevent water flow in event of fire.
(B) Highly Probable — The likelihood of occurrence is much greater than that of nonoccurrence. For example, unprotected currency lying visible on a counter is very likely to be taken.
(C) Moderately Probable — The event is more likely to occur than not to occur.
(D) Less Probable — The event is less likely to occur than not to occur. This does not imply impossibility, merely improbability.
(E) Probability Unknown — Insufficient data are available for an evaluation.

This approximate system of ratings contains wide latitude for variation. Two observers could assign different probabilities to the same risk, based upon different evaluations of the circumstances. But an advantage of this technique is that absolute precision is not important. If the correct general label can be attached, it doesn’t matter that a highly probable risk might have a ratio of .751 or .853. What is important is to be able to segregate all risks of virtually certain probability from all others, and to make similar distinctions for each other general class. Even competent professionals may disagree on what is highly probable and what is moderately probable. To compensate for inexactness, if a rating is in doubt after all available information has been gathered and evaluated, then the higher of two possible ratings should be assigned.

Rating Symbols
To save time and space, five levels of probability can be assigned the symbols A, B, C, D, and E, ranking downward from “Virtually Certain” to “Probability Unknown.” These symbols later will be combined with symbols representing criticality in the development of priority lists. It should be noted that the probability rating E, or “Probability Unknown,” is merely a temporary rating pending the development of all relevant data. In the construction of threat logic patterns, E ratings will be replaced by one of the definite ratings.

The second step in risk analysis is complete when a particular risk, identified in the first level of the survey through the use of forms and checklists, has been assigned a probability rating. No standard recording system is in universal use, and each protection organization making a survey must set up its own recording system to be sure that each risk, once identified, can be found readily again in the growing volume of survey data. A simple method for doing this is to assign a distinctive number to each risk classified. It will be necessary to locate and identify each risk to add a later criticality rating, to rank the rated risk in a table or priority list, and to plot it in a threat logic tree based on relative priorities.

LOSS EVENT CRITICALITY

Highly probable risks may not require countermeasures attention if the net damage they would produce is small. But even moderately probable risks require attention if the size of the loss they could produce is great. The correlative of probability of occurrence is severity or criticality of occurrence. Assessing criticality is the third step in risk assessment. Criticality is first considered on a single event or occurrence basis. For events with established frequency or high recurrence probability, criticality also must be considered cumulatively. The criticality or loss impact can be measured in a variety of ways. One is effect on employee morale; another is effect on community relations.
But the most useful measure overall is financial cost. Because the money measure is common to all ventures, even government and not-for-profit enterprises, the seriousness of security vulnerability can be grasped most easily if stated in monetary terms. Note that some losses, e.g., loss of human life, loss of national infrastructure elements, or losses of community goodwill, do not lend themselves to ready analysis in financial terms. When events that could produce these types of losses have been identified, some factors other than merely quantitative will be used to measure their seriousness. When tradeoff decisions are being made as part of the risk management process, a very useful way to evaluate security countermeasures is to compare cost of estimated losses with cost of protection. Money is the necessary medium.

Kinds of Costs to Be Considered

Costs of security losses are both direct and indirect. They are measured in terms of lost assets and lost income. Frequently, a single loss will result in both kinds.

1. Permanent Replacement

The most obvious cost is that involved in the permanent replacement of a lost asset. Permanent replacement of a lost asset includes all of the cost to return it to its former location. Components of that cost are:

1. Purchase price or manufacturing cost;
2. Freight and shipping charges; and
3. Make-ready or preparation cost to install it or make it functional.

A lost asset may cost more or less to replace now than when it was first acquired.

2. Temporary Substitute

It may be necessary to procure substitutes while awaiting permanent replacements. This may be necessary to minimize lost opportunities and to avoid penalties and forfeitures. The cost of the temporary substitute is properly allocable to the security event that caused the loss of the asset. Components of temporary substitute cost might be:

1. Lease or rental; and/or
2. Premium labor, such as overtime or extra shift work to compensate for the missing production.

3. Related or Consequent Cost

If other personnel or equipment are idle or underutilized because of the absence of an asset lost through a security incident, the cost of the downtime also is attributable to the loss event.

4. Lost Income Cost

In most private enterprises, cash reserves are held to the minimum necessary for short-term operations. Remaining capital or surplus is invested in varying kinds of income-producing securities. If cash that might otherwise be so invested must be used to procure permanent replacements or temporary substitutes or to pay consequent costs, the income that might have been earned must be considered part of the loss. If income from investment is not relevant to a given case, then alternative uses of the cash might have to be abandoned to meet the emergency needs. In either case, the use of the money for loss replacement will represent an additional cost margin. To measure total loss impact accurately, this also must be included. The following formula can be used:

I = (P x r x t) / 365

where:
I = income earned
P = principal amount (in dollars) available for investment
r = annual per cent rate of return
t = time (in days) during which P is available for investment

Cost Abatement

Many losses are covered, at least in part, by insurance or indemnity of some kind. To the extent it is available, that amount should be subtracted from the combined costs of loss enumerated previously.
A Cost-of-Loss Formula

Taking the worst-case position and analyzing each security loss risk in light of the probable maximum loss for a single occurrence of the risk event, the following equation can be used to state that cost:

K = (Cp + Ct + Cr + Ci) – I

where:
K = criticality, total cost of loss
Cp = cost of permanent replacement
Ct = cost of temporary substitute
Cr = total related costs
Ci = lost income cost
I = available insurance or indemnity

Criticality Ratings

It is suggested that the following ratings be used to summarize the impact of each loss event, and interpreted as follows:

1. Fatal — The loss would result in total recapitalization or abandonment or long-term discontinuance of the enterprise.
2. Very serious — The loss would require a major change in investment policy and would have a major impact on the balance sheet assets.
3. Moderately serious — The loss would have a noticeable impact on earnings as reflected in the operating statement and would require attention from the senior executive management.
4. Relatively unimportant — The loss would be charged to normal operating expenses for the period in which sustained.
5. Seriousness unknown — Before priorities are established, this provisional rating is to be replaced by a firm rating from one of the first four classes.

The nature and size of the enterprise determines the dollar limits for each of these classes. The value of the rating system is in its relevance to the enterprise. The terms used are not intended to have any absolute significance. This completes the third step in vulnerability assessment.

ALTERNATIVE APPROACHES TO CRITICALITY

Known Frequency Rate

There are other ways in which the weighted importance of a probable risk event can be measured. One is when a historical frequency can be identified. For example, natural catastrophes such as floods and earthquakes are expected to occur a stated number of times per year, based upon the number of actual past occurrences.
Other events also may have a reliable rate of recurrence. When a frequency rate is known, the single event criticality can be multiplied by the number of events expected during the period considered, normally the calendar or fiscal year. Thus, if K = $10,000 for an event, and it has a frequency rate of once a year, the weighted impact would be $10,000 x 1. If the same event had a frequency rate of once every three years, the weighted impact would be $10,000 x .333 or $3,333. If it had a frequency of three times a year, the weighted impact would be $10,000 x 3 or $30,000.

Nominal Numerical Probability

Another technique, useful to convert the symbolic rankings to simple numerical statements, is to assign an agreed real numerical probability to each of the four categories below. Thus:

A) “Virtually Certain” might be assigned a numerical probability of .85;
B) “Highly Probable” might be assigned .65;
C) “Moderately Probable” might be assigned .50; and
D) “Less Probable” might be assigned .20.

Next, the criticality of any single loss event is multiplied by the agreed value of the probability. Thus, a $10,000 criticality for a moderately probable event would be $10,000 x .50 = $5,000. (Note that this is used hypothetically to arrive at an overall picture of exposure. If the loss occurs at all, it will cost $10,000, not $5,000.) But to permit ranking before loss so as to expedite countermeasures, the technique would preserve the weighted differences.

Scatter Plots

Another method to present overall risk is to use a scatter plot. This is a method of plotting each risk on a graph whose axes are cost and frequency. First, the criticality or cost impact is located on the vertical axis. Then, moving right in a straight line, a dot or mark is placed above the frequency rate for that event on the horizontal axis. When all the risks have been plotted on the graph, a smooth curve (a line passing through the areas of highest concentration of dots) can be drawn.
This would indicate the approximate distribution of expected losses for the planning period. The countermeasures program would be designed to lower that line as much as feasible. See Figure 2, infra.

[Figure 2: scatter plot. Vertical axis: CRITICALITY (K in $), marked $100, $1,000, $10,000, $100,000, $1 Mil, $10 Mil, $100 Mil. Horizontal axis: Frequency (F) in Times per Year, marked 1/100yr, 1/10yr, 1/1yr, 10/1yr, 100/1yr, 1000/1yr, 10K/1, 100K/1.]

Figure 2. Specimen scatter plot, to show events weighted for Criticality (K) (vertical axis) and Frequency (times per year) (horizontal axis). Each event or risk is plotted at the intersection of K and F for that event.

Establishing Priorities

The next step is to arrange the entire body of rated risks into a sequence of priority for countermeasures attention. The more serious risks are listed first, followed in descending order of importance by the others until all the risks have been listed. The listing should identify each risk and indicate the combined probability-criticality rating that has been assigned. Such an approach would produce a list of all the risks in each of the various rating classes, as follows: A1, A2, A3, A4; B1, B2, B3, B4; C1, C2, C3, C4; D1, D2, D3, D4.

When the risks have all been ranked, the formal task of risk assessment is complete and reflects the risk exposure of the enterprise as of the date on which the assessment was made. No risk assessment is permanent and, depending upon the extent and speed of changes within the enterprise, reassessments will be required periodically, at a minimum once a year.
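The cost-of-loss formula, the lost-income formula, the frequency and nominal-probability weightings, and the combined probability-criticality ranking described above, carried through in Python as an added example that is not part of the guideline. The class dollar limits, the 5 per cent rate of return, the 146 days of tied-up cash and the four survey records are constructed for this example; the guideline leaves the limits to each enterprise.

```python
# Added example, not the guideline's own: cost-of-loss, weighting and ranking
# arithmetic from the appendix, run over constructed risks. Class dollar limits,
# the rate of return and the days cash is tied up are assumptions here.

# Nominal probabilities suggested in the text; E must be resolved before ranking.
NOMINAL_P = {"A": 0.85, "B": 0.65, "C": 0.50, "D": 0.20}
# Constructed lower dollar bounds for criticality classes 1 (Fatal) to 4.
CLASS_LIMITS = [(1, 1_000_000), (2, 100_000), (3, 10_000), (4, 0)]

def lost_income(principal, rate, days):
    """Ci = P x r x t / 365, with r as a fraction (0.05 for 5 per cent)."""
    return principal * rate * days / 365

def criticality(cp, ct, cr, rate, days, insurance=0.0):
    """K = (Cp + Ct + Cr + Ci) - I, I being insurance or indemnity. Ci is
    figured on Cp + Ct + Cr, the cash diverted to recovery (assumption)."""
    ci = lost_income(cp + ct + cr, rate, days)
    return (cp + ct + cr + ci) - insurance

def weighted_impact(k, frequency_per_year=None, prob_class=None):
    """Known frequency rate: K x F; otherwise nominal probability: K x p."""
    if frequency_per_year is not None:
        return k * frequency_per_year
    return k * NOMINAL_P[prob_class]

def rating_in_doubt(*candidates):
    """Two defensible probability ratings: assign the higher (A above B)."""
    return min(candidates)

def criticality_class(k):
    """Class 1-4 by dollar limit; K below zero (insurance exceeds cost) is 4."""
    return next((cls for cls, lower in CLASS_LIMITS if k >= lower), 4)

def combined_rating(prob_class, k):
    """Probability letter plus criticality digit, e.g. 'B2'."""
    if prob_class not in NOMINAL_P:
        raise ValueError(f"{prob_class!r} must be replaced by A-D before ranking")
    return f"{prob_class}{criticality_class(k)}"

def priority_list(risks):
    """Sequence A1, A2, ... D4, most serious first; each risk keeps its number."""
    return sorted(risks, key=lambda r: combined_rating(r["prob"], r["K"]))

# Constructed survey records: distinctive number, probability rating, single-event K.
SURVEY = [
    {"no": 1, "prob": "C", "K": criticality(7000, 2000, 1000, 0.05, 146, 200)},
    {"no": 2, "prob": "A", "K": 2_500},
    {"no": 3, "prob": "B", "K": 250_000},
    {"no": 4, "prob": rating_in_doubt("B", "A"), "K": 1_200_000},
]

def ranked_symbols():
    """Priority list as 'number:rating' strings."""
    return [f"{r['no']}:{combined_rating(r['prob'], r['K'])}"
            for r in priority_list(SURVEY)]
```

Risk 1 reproduces the text's $10,000 event: K x 3 gives $30,000, K x 1/3 gives $3,333, and the nominal C weighting gives $5,000.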