 ## Why the “Risk = Threat x Vulnerability x Impact” Formula is Mathematical Nonsense — Part 2

In my last post, I argued that security risk managers should stop using the “Risk = Threat x Vulnerability x Impact” formula (hereafter, the “R=TVC formula”), for two reasons. First, the variables “Threat” and “Vulnerability” are typically undefined; indeed, even the units of measurement for these variables are usually undefined. Second, the equation may actually be misleading and violate the axioms of probability theory and inductive logic. The formula does not help us to determine the expected value or utility of an action because it fails to take into account ALL of the potential outcomes — both positive and negative — of an action.

One possible response to my first argument is to define the variables “Threat” and “Vulnerability” as probabilities. For example, a U.S. Department of Energy (DOE)-commissioned report adopted the following definitions.

Threat: the probability that a person or group attempts an adversary action

Vulnerability: the probability that the adversary is not interrupted (by safeguards)

While this approach is to be commended for its clarity, I believe it is mathematically incoherent because it violates one of the axioms of the probability calculus. In this post, I will explain why.

The Probability Calculus

Probabilities obey certain rules or axioms that collectively are known as the probability calculus. The axioms of the probability calculus may be defined as follows.

(1)    If a statement X is a tautology, then its probability, Pr(X), is equal to 1.

(2)    If X and Y are mutually exclusive, then Pr(X & Y) = Pr(X) + Pr(Y).

(3)    Pr(X) >= 0.

(4)    Pr(X & Y) = Pr(Y) x Pr(X | Y), where the notation Pr(X | Y) means “The probability of X conditional upon Y.”

This last axiom is especially important since it introduces the concept of conditional probability. Conditional probabilities are useful because they provide a way to capture the impact of one statement, Y, on the probability of another statement, X. For example, let Y be the statement, “The next vehicle to drive by my house will be a blue or green car.” Let X be the statement, “The next vehicle to drive by my house will be a car.” If we know Y to be true, then we will know X to be true. In this case, Pr(X | Y) =1.

Conditional Probability and Independence

Using the fourth axiom of the probability calculus, it follows that conditional probability may be defined as follows.

(5)    Pr(X | Y ) = Pr(X & Y) / Pr(Y)

Using this definition, we can now define independence. X and Y are independent if and only if Pr(X | Y) = Pr(X).

An example should make this clear. Let X again be the statement, “The next vehicle to drive by my house will be a car.” Let Z be the statement, “A triangle has three sides.” The truth of Z is irrelevant to Pr(X); X and Z are independent events. In symbols, Pr(X | Z) = Pr(X).

Probability of Conjunctions

A conjunction may be loosely thought of as the union of two statements (or events), such as X & Y. The fourth axiom of the probability calculus defines the probability of conjunctions.

(4)    Pr(X & Y) = Pr(Y) x Pr(X | Y)

If and only if X and Y are independent, then it is possible to simplify this formula to Pr(X & Y) = Pr(X) x Pr(Y).

The R=TVC Formula Incorrectly Assumes Threat and Vulnerability Are Independent

We are now in a position to see why the R=TVC formula violates the fourth axiom of the probability calculus. Here are the DOE definitions of threat and vulnerability again.

Threat: the probability that a person or group attempts an adversary action

Vulnerability: the probability that the adversary is not interrupted (by safeguards)

Let us begin by, in each of these definitions, distinguishing the events from their probabilities.

Threat (T): a person attempts an adversary action

Pr(T): the probability of T

Vulnerability (V): the event that the adversary’s attempted attack is not interrupted (by safeguards)

Pr(V): the probability of V

Thus, the R= TVC formula may be rewritten as follows.

(6)    Risk = Pr(T) x Pr(V) x Consequence

By multiplying Pr(T) and Pr(V), it follows that the R=TVC formula implies that T and V are independent. Thus, (6) may be rewritten as

(7)    Risk = Pr(T & V) x Consequence

As should be clear from my earlier discussion, however, T and V are not independent. According to the fourth axiom of the probability calculus,

(8)   Pr(T & V) = Pr(V) x Pr(T | V)

T is necessary for V; event V can never happen without event T also happening. In plain English, if an adversary does not attempt an attack, there is no attack for safeguards to interrupt. It follows, then, that Pr(T | V) = 1. Substitute 1 for Pr(T | V) to get

(9)    Pr(T & V) = Pr(V)

This result will be of no surprise to philosophers, since it is an example of what is sometimes called the logical consequence rule: when Y entails X, Y is logically equivalent to X & Y.  Using this result, we may simplify (7) as follows.

(10) Risk = Pr(V) x Consequence

But if we substitute the right-hand side of (6) with the left-hand side of (10), we get

(11) Pr(T) x Pr(V) x Consequence = Pr(v) x Consequence

That equation would be correct if and only if Pr(T) were equal to 1. But that is absurd; Pr(T) does not (necessarily) equal 1. It follows, then, that the  R=TVC formula leads to self-contradictory results.

### One Comment

1. Fella Jul 16, 2013 at 6:11 pm | Permalink

Your analysis of the probability calculus here is correct, however you have made one crucial error prior to applying the calculus: you have misinterpreted the phrase “the event that the adversary’s attempted attack is not interrupted”. By using the definite article, the phrase pre-supposes that a)an adversary exists and b)the adversary has attempted an attack. As such, the phrase “the probability of the event that the adversary’s attempted attack is not interrupted” should be interpreted as a conditional probability (i.e. Pr( V | T)). Then, when the multiplication is done, we get the desired joint probability (i.e. Pr( V & T) = Pr(T)Pr(V | T))