Understanding the Good and Bad Aspects of Risk Scores
Understanding risk is a complicated proposition — you have to take the likelihood of every major incident into account, the severity and impact that incident might have on your business, as well as the consequences for those who depend on you.
Making those calculations can be difficult for any person, so risk scores can be attractive to business people who are concerned about risk, but who may be overwhelmed by their own security metrics.
But do risk scores provide you with information you need? What are they and what do they really tell you about your organization’s risk?
What is a risk score?
A risk score is a way to quantify and qualify risk. Probably the most well-known risk score is the FICO credit score, which quantifies and qualifies the financial risk individuals pose to lenders, but there are other sorts of risk scores as well. Insurance companies use their own internal metrics to quantify and qualify risk, for example. Cyber risk scores use specific metrics to predict which companies are at risk of a breach and how bad it would be if an event were to happen.
Physical risk scores can be assigned as well, using systems such as the CARVER Matrix, which has military roots and assesses and ranks threats based on six factors: criticality, accessibility, recoverability, vulnerability, effect, and recognizability.
Do current risk scores work?
Yes and no. Risk scores can be used to compare the risk of several facilities within the same organization relative to one another. If an organization has 100 facilities, a risk score is a simple and effective way to compare those sites against each other. Ideally a good risk score will let you see, at a glance, which sites carry a lot of risk and which are more secure.
But understand that such a score is only meaningful relative to your own internal metrics. If you use an external product that compares your facilities to other organizations, you risk comparing apples to oranges and getting bad information.
If you use a system like CARVER, you’re opening yourself up to a subjective interpretation of the matrix. I was once in a government-sanctioned training course where three teams had to evaluate a water treatment facility using CARVER. Each team came up with a completely different score after assessing the facility. The teams then debated who was right for two hours. What actually resulted from the training was the realization that the current risk scoring system really did not meet the expectations of the team members and community; they have not used the system since and have continued to look for an alternative solution.
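To make the two points above concrete (a score ranks sites within one organization, but independent assessors applying the same matrix can land on very different totals), here is an added example that is not part of the original post or of any vendor product. It implements the six CARVER factors named earlier as an additive score on an assumed 1-10 scale per factor, ranks a few constructed sites, and then measures how far three constructed teams disagree about a single site, down to the factor they disagree on most. All site names, ratings and team names are constructed for illustration.

```python
from statistics import mean

# The six CARVER factors named in the post.
CARVER_FACTORS = ("criticality", "accessibility", "recoverability",
                  "vulnerability", "effect", "recognizability")


def carver_score(ratings):
    """Additive CARVER total for one site: each factor rated 1-10, summed.
    The 1-10 scale is an assumption of this example. A missing or
    out-of-range factor raises rather than silently lowering the score."""
    total = 0
    for factor in CARVER_FACTORS:
        value = ratings[factor]               # KeyError if a factor is missing
        if not 1 <= value <= 10:
            raise ValueError(f"{factor} rating {value} is outside 1-10")
        total += value
    return total


def rank_sites(site_ratings):
    """Rank sites highest risk first; ties broken by name for a stable listing."""
    scored = [(site, carver_score(r)) for site, r in site_ratings.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def assessor_spread(assessments):
    """Quantify how much independent teams disagree about ONE site.
    Returns each team's total, the mean and range of those totals, and the
    spread (max - min) of every factor across teams, so you can see which
    factor drives the disagreement instead of just 'the scores differ'."""
    totals = {team: carver_score(r) for team, r in assessments.items()}
    factor_spread = {
        f: max(r[f] for r in assessments.values())
           - min(r[f] for r in assessments.values())
        for f in CARVER_FACTORS
    }
    values = list(totals.values())
    return {
        "totals": totals,
        "mean": mean(values),
        "range": max(values) - min(values),
        "factor_spread": factor_spread,
    }


def most_contested_factor(assessments):
    """The factor with the widest spread across teams (first one wins ties)."""
    spread = assessor_spread(assessments)["factor_spread"]
    return max(CARVER_FACTORS, key=lambda f: spread[f])


# Constructed sample data: not real facilities or real assessments.
SITES = {
    "plant-A":     dict(zip(CARVER_FACTORS, (9, 6, 7, 5, 8, 4))),
    "warehouse-B": dict(zip(CARVER_FACTORS, (3, 8, 2, 7, 3, 6))),
    "office-C":    dict(zip(CARVER_FACTORS, (5, 5, 4, 4, 5, 5))),
}

# Three teams rating the same site independently (constructed, modelled on
# the post's anecdote of three teams reaching three different scores).
TEAM_ASSESSMENTS = {
    "team-1": dict(zip(CARVER_FACTORS, (9, 6, 7, 5, 8, 4))),
    "team-2": dict(zip(CARVER_FACTORS, (7, 9, 4, 8, 6, 7))),
    "team-3": dict(zip(CARVER_FACTORS, (10, 3, 8, 3, 9, 2))),
}

if __name__ == "__main__":
    for site, score in rank_sites(SITES):
        print(f"{site:12s} {score}")
    spread = assessor_spread(TEAM_ASSESSMENTS)
    print("team totals:", spread["totals"], "range:", spread["range"])
    print("most contested factor:", most_contested_factor(TEAM_ASSESSMENTS))
```

The ranking is useful exactly as the post says: within one organization, on one scale, it tells you which site to look at first. The second half is the check a practitioner should run before trusting that ranking: if several assessors score the same site and the range of their totals is as large as the gap between two sites in the ranking, the ranking order is not telling you anything reliable, and the per-factor spread points at the criterion whose definition needs tightening.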
If you want to understand your own risk, it’s best to understand the pros and cons of the risk scoring system you are evaluating. You should consider how subjective the tool is, whether it measures everything you want and need, and whether you are able to adjust it to reflect your own organization’s risk profile.
If that seems overwhelming, don’t worry; our platform can help you keep track of the risk metrics that are most important to your organization. Schedule your personalized demo today.