[SystemSafety] Confusion over Risk, Yet Again

Peter Bernard Ladkin ladkin at causalis.com
Tue Aug 8 19:09:12 CEST 2017


In the IEC standards on functional safety, "risk" is defined as probability "combined with" (usually
means "times" but we do like to be flexible) severity. It used to be that there was another
conception of "risk", derived from software project management, in which "risk" was a probability,
namely that your project would not succeed. So there was some tension between those who evaluated
risk as the expected value of loss, in the millions of <your favorite currency>, and those who
evaluated it between 0 and 1 with no units.

The IEC Advisory Committee on Safety (ACOS) got into the act, prompted by a meme which I like to
think I helped along. "Risk" to the IEC means probability combined with safety (903-01-07 and
351-57-03 in www.electropedia.org, aka a delayed version of IEC 60050).

Well, except it doesn't. The first committee draft of IEC TS 63039 on "harmonisation" of
functional safety and cybersecurity for IACS, which was circulated a couple of days ago, doesn't
define "risk", but points out the following contrasting definitions in IEC 61508 (the E/E/PE
functional safety standard) and IEC 62443 (the cybersecurity standard for IACS):

[begin quote]
Risk

[IEC 61508] combination of the probability of occurrence of harm and the severity of that harm
[IEC 62443] expectation of loss expressed as the probability that a particular threat will exploit a
             particular vulnerability with a particular consequence

[Synopsis of differences] The difference in the definition results from the different views of
       security vs. safety in respect to the consequence. Where the consequence in safety is always
       related to harm, the consequence related to security incidents might not be known.
       - Risk (safety):
         • More focused on harm <safety>
         • System environment
       - Risk (security):
         • More focus on business, [f]inancial and operational impacts
         • Depends on a particular threat

[end quote]

They manage completely to miss the issue that IEC 62443 defines risk as a probability (a number
between zero and one with no units) and IEC 61508 as something approximating to the expected value
of loss.

Back to square one. IEC not only has an ACOS, but an ACSEC. They should get into sorting this out
(it's been done once, so one could replay).

BTW, ISO/IEC Guide 51, which gives guidance on what should be in standards in which safety is a
consideration, and ISO/IEC Guide 120 (new), which gives guidance on what should be in standards in
which cybersecurity is a consideration, stick with the "probability combined with severity" definition.

Unfortunately, that does not reflect what people mean when they talk about cybersecurity risk. So
standards which get into safety+security considerations have a fundamental terminological problem
which they may not be able to solve.

EU 2016/1148 defines risk as a reasonably identifiable circumstance or event having a potential
adverse effect on the security of NIS. That coheres with the usual use of the term in the context of
cybersecurity.

In contrast, if you have decided (like the IEC) that risk is probability times severity, and your
new Guide 120 for cybersecurity keeps the same definition, it follows that the phrase "cybersecurity
risk" denotes something completely different from what most people in cybersecurity mean when they
use the phrase.

PBL

Prof. Peter Bernard Ladkin, Bielefeld, Germany
MoreInCommon
Je suis Charlie
Tel+msg +49 (0)521 880 7319  www.rvs-bi.de