Which is better: One major control that is 95% effective OR 4 minor controls each of which is 60% effective?
In applying ISO/IEC 27001:2013 to an information security management system (ISMS) one of the requirements in Clause 6.1.3.c) states: 'Compare the controls determined in 6.1.3 b) above with those of Annex A and verify that no necessary controls have been omitted.' All too frequently Certification Body Auditors find that this requirement, which is about risk management, results in a one-to-one relationship between applicable threats and control to address the risk arising. While this may be accepted by the Auditor it is a lousy, poor way to manage risk. The Swiss Cheese approach is far superior.
In the fields of both Aviation Safety and Occupational Health & Safety the Swiss Cheese Model, originally proposed by an Englishman, James Reason, has a long and proven record of effectiveness in managing risk. The model and its application is very well explained in this YouTube Video on Aviation Safety.
The Swiss Cheese Approach
In the Swiss Cheese model of risk management, each control to reduce risk is represented as a slice of cheese. The holes in the slice represent weaknesses in individual parts of the system and are continually varying in size and position across the slices. The system produces failures when a hole in each slice momentarily aligns, permitting (in Reason's words) "a trajectory of accident opportunity", so that a hazard passes through holes in all of the slices, leading to a failure.
So, let's consider the question in the sub-title. Having established through risk assessment and evaluation that risk reduction measures (i.e. controls) are required, what approach should we take?
a) One major control that is 95% effective
Here the chance of failure of the control is 5 in 100 (or 5%). Or to put it another way...
With one major control in place, the chances of successfully controlling the risk are 95.0%
b) Four minor controls each of which is 60% effective?
In this case, we need to combine the individual chance of failure to evaluate the combined effect of the four controls. Consider how the risk of failure decreases as we add each of the four controls.
Remembering that each is 60% effective, the chance of failure is the remaining 40%.
So, with one control in place, the chance of failure is 40%.
With two controls in place, the chance of failure is 40% x 40%. That is 16%.
With a third control in place we get 40% x 40% x 40%. That is, 6.4 %
And add in the fourth control, we get 40% x 40% x 40% x 40%. Giving us a 2.56% chance of failure.
Therefore, with four minor controls in place, the chances of successfully controlling the risk are 97.4%.
Robust Protection against Failure
The robustness of the protection provided by the four minor controls is greater. Consider, if the one major control fails there is zero protection remaining. But if one of the four minor controls fails a 93.6% chance of successfully controlling the risk remains.
But be careful
There are two implicit assumptions in the Swiss Cheese approach to risk management for you to be aware of...
Firstly, or the multiple controls to be effective they must be independent of one another. An example would be, say, three controls each requiring an electricity supply to maintain their protection. Here one adverse event, a power loss, would knock out all three controls and the assumed protection of three controls would not accrue. To put it bluntly: you'd be kidding yourself!
Secondly, we can reliably predict the level of risk reduction a control will provide. We can't. Only by monitoring the performance of a system over time can we confirm the risk reduction achieved. This is a powerful argument for using combinations of controls.
The combination of risk controls provides a higher level of protection and, wherever possible, the use of single control to reduce risk should be avoided.. A combination of controls will almost certainly prove more robust and more effective in the long run.
NOTE: This post was first published in February 2017 and has now been revised and updated.
- ISO 14971: Choosing the Right Risk Management Tool
- ISO 14971 Risk Management: 12 FAQs answered
- ISO 14971 - FMEA alone is not enough
- ISO 45001 requires Risk Management & not just Risk-based Thinking
- ISO 13485 Requires Risk Management & Risk-based Thinking
deGRANDSON Global is an ISO Certified Educational Organization
We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment. It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.