[SystemSafety] Confusion over Risk, Yet Again

Steve Tockey Steve.Tockey at construx.com
Tue Aug 8 19:38:27 CEST 2017 

The vocabulary I¹ve seen used seems perfectly adequate:

*) Risk: "The possibility of unwanted consequences of an event or
decision² (from Art Gemmer of Rockwell Collins)

*) Probability: A measure of the likelihood that a risk's unwanted
consequences will be suffered, possibly a number between 0.0 and 1.0

*) Severity: A measure of the (degree of) harm caused by a risk's unwanted
consequence, possibly in terms of money, time, or other valued resource

*) Exposure: A measure that combines probability and severity so that
different risks can be reasonably compared. Clearly, a high probability &
high severity risk gives a higher exposure than a low probability & low
severity risk. But, if Risk A has high probability & low severity while
Risk B has low probability & high severity, which one gives higher
exposure? Exposure should be derived via a defined function, e.g., if
probability is expressed as a fraction between 0.0 and 1.0 & severity is
expressed in terms of money then exposure can be calculated as the
probability value times the severity value. Measurement theory becomes
very important here, however.

With this vocabulary, all of the important concepts are covered cleanly
and appropriately.


Regards,

‹ steve



-----Original Message-----
From: systemsafety <systemsafety-bounces at lists.techfak.uni-bielefeld.de>
on behalf of Peter Bernard Ladkin <ladkin at causalis.com>
Organization: RVS Bielefeld and Causalis
Date: Tuesday, August 8, 2017 at 10:09 AM
To: The System Safety List <systemsafety at techfak.uni-bielefeld.de>
Subject: [SystemSafety] Confusion over Risk, Yet Again

In the IEC standards on functional safety, "risk" is defined as
probability "combined with" (usually
means "times" but we do like to be flexible) severity. It used to be that
there was another
conception of "risk", derived from software project management, in which
"risk" was a probability,
namely that your project would not succeed. So there was some tension
between those who evaluated
risk as the expected value of loss, in the millions of <your favorite
currency>, and those who
evaluated it between 0 and 1 with no units.

The IEC Advisory Committee on Safety (ACOS) got into the act, prompted by
a meme which I like to
think I helped along. "Risk" to the IEC means probability combined with
safety (903-01-07 and
351-57-03 in www.electropedia.org, aka a delayed version of IEC 60050).

Well, except it doesn't. The first committee draft of IEC TS 63039 on
"harmonisation" of
functional safety and cybersecurity for IACS, which was circulated a
couple of days ago, doesn't
define "risk", but points out the following contrasting definitions in IEC
61508 (the E/E/PE
functional safety standard) and IEC 62443 (the cybersecurity standard for
IACS):

[begin quote]
Risk

[IEC 61508] combination of the probability of occurrence of harm and the
severity of that harm
[IEC 62443] expectation of loss expressed as the probability that a
particular threat will exploit a
             particular vulnerability with a particular consequence

[Synopsis of differences] The difference in the definition results from
the different views of
       security vs. safety in respect to the consequence. Where the
consequence in safety is always
       related to harm, the consequence related to security incidents
might not be known.
       ­Risk (safety):
       € More focused on harm <safety>
       € System environment
       ­Risk (security)
       € More focus on business, [f]inancial and operational impacts
       € Depends on a particular threat

[end quote]

They manage completely to miss the issue that IEC 62443 defines risk as a
probability (a number
between zero and one with no units) and IEC 61508 as something
approximating to the expected value
of loss.

Back to square one. IEC not only has an ACOS, but an ACSEC. They should
get into sorting this out
(it's been done once, so one could replay).

BTW, ISO/IEC Guide 51, which gives guidance on what should be in standards
in which safety is a
consideration, and ISO/IEC Guide 120 (new), which gives guidance on what
should be in standards in
which cybersecurity is a consideration, stick with the "probability
combined with severity" definition.

Unfortunately, that does not reflect what people mean when they talk about
cybersecurity risk. So
standards which get into safety+security considerations have a fundamental
terminological problem
which they may not be able to solve.

EU 2016/1148 defines risk as a reasonably identifiable circumstance or
event having a potential
adverse effect on the security of NIS. That coheres with the usual use of
the term in the context of
cybersecurity.

In contrast, if you have decided (like the IEC) that risk is probability
times severity, and your
new Guide 120 for cybersecurity keeps the same definition, it follows that
the phrase "cybersecurity
risk" denotes something completely different from what most people in
cybersecurity mean when they
use the phrase.

PBL

Prof. Peter Bernard Ladkin, Bielefeld, Germany
MoreInCommon
Je suis Charlie
Tel+msg +49 (0)521 880 7319  www.rvs-bi.de

More information about the systemsafety mailing list