Risk management plays a crucial role in helping organizations protect and secure their information assets. Effective risk management programs are a significant component of any IT security program. This article will discuss the role of risk management, including the identification, assessment, prioritization and diffusion of risks.
Risks, Threats & Vulnerabilities
Risk is often confused with other related terms and concepts. The lines between risks, threats and vulnerabilities are sometimes blurred. Further, the terms “risk assessment” and “vulnerability assessment” are frequently used interchangeably, though they have very different applications.
The term “risk” is defined as the impact that could result from a vulnerability, or the effect of uncertainty on an organization’s objectives. This could lead to a positive or negative result. In this context, risks generally impact the integrity, confidentiality and availability of information. This also includes the probability of being targeted by an attack, the likelihood the attack will be successful and the impact of the occurrence. Risks may result from economic uncertainty, project difficulties, legal liabilities, accidents or natural disasters.
The process of risk management identifies risk, assesses it and considers methods through which to reduce risk. Risks are related to threats and vulnerabilities, as discussed below. Risk is a function of the likelihood that a threat will exercise a particular vulnerability.
Threats are the source as well as the means of a particular attack. Threats may be grouped into three categories:
- Natural: this includes natural disasters such as earthquakes, avalanches, tornadoes, electrical storms, etc.
- Human: these are events enabled or caused by people, for instance unintentional actions or deliberate actions (e.g. network-based attacks, malware uploads, unauthorized access to sensitive information).
- Environmental: these include long-term power outages, pollution, liquid leakage, etc.
Threat assessments are carried out in order to identify the best practices for protecting a system against a specific threat or group of threats. Threat analyses result in the development of security policies that reflect realistic implementation needs.
Vulnerabilities are the security flaws in a system that would allow an attack to be perpetrated. Vulnerabilities may be technology-based, or arise from social factors, such as an authentication process and authorization policy. Vulnerability testing is one way to identify and resolve these system weaknesses. This process also provides data to identify unexpected threats that must be corrected. Vulnerability testing enables an organization to maintain and update security programs, allowing the organization to efficiently respond to new threats as they arise. Testing also contributes to policy and technology development for the organization. For instance, it can help shape the technology selection process and reduce unnecessary expenditures.
Risk Assessment is…
In basic terms, risk assessment refers to the process of identifying, classifying, determining probability and associating controls to each risk. Such assessments help organizations determine the priority of security breaches that must be immediately addressed. Risk assessments outline the most critical as well as the most likely dangers. They also evaluate risks against each other, in terms of the cost of control and probability of occurrence. Risk assessment focuses on the following core areas:
- Data collection
- Analysis of policies and procedures
- Threat analysis
- Vulnerability analysis
- Correlation and assessment of risk acceptability
There are two main types of risk assessment: quantitative and qualitative. Qualitative risk assessment involves looking at the severity, impacts and mitigation plans for each risk. Such assessments look at risks in terms of high, medium and low probability and impact of occurrence, and they depend on the quality of registering and updating risks over the course of a project. The information recorded in qualitative assessments is then used in future projects. Qualitative risk assessment can also serve as the basis for quantitative risk assessment.
Quantitative risk assessment focuses on completing a project within a given time frame and on budget. Such assessments measure risk in statistics, dollars and formulas. For instance, a quantitative assessment may look at important project parameters, the project success rate, viability of alternatives and more.
Security management depends on the basic risk assessment formula:
risk = threats x vulnerabilities x impact
In the above equation, threat refers to a frequency, vulnerability refers to a binary of yes or no, and impact is the cost, or dollar amount of a risk. If any of the values (threat, vulnerability or impact) is zero, then the risk is also zero. This formula is especially important when trying to distinguish the concept of risk from other closely related concepts. Thus, any statement of risk must include the three components: threat, vulnerability and impact.
The most important component of this formula is the risk. In order for there to be any level of risk, there must be some threat, vulnerability or impact present. In most situations, it is impossible to say there is absolutely no threat or vulnerability, thus it is necessary to measure each component separately. Arguably, the first component to address is vulnerability, as it is usually the area in which an organization has the greatest control.
Risk Assessment is not…
Risk assessments evaluate risks by considering vulnerabilities and uncertainties. However, risk assessments are often confused with threat assessments, vulnerability scanning, penetration testing and security reviews. These concepts and their applications are discussed and differentiated below.
Threats are the source and the means by which an attack may be carried out. Threat assessments determine the best approach for protecting a system from threats. Threat assessments concentrate on analyzing the attacker’s resources, while risk assessments aim to analyze the potential for the organization’s resources to be the focus of an attack.
Penetration testing concentrates on assessing threat profiles, in order to develop responses to potential attacks. There are two main categories of penetration testing: testing with knowledge and testing with zero-knowledge. In a knowledge test, the tester plays the role of an employee and has basic access to and knowledge of the network and systems. In a zero-knowledge test, the tester simulates an external attack and has no prior knowledge of the systems or network.
Vulnerability scanning looks at all the devices on a network that may be open to vulnerabilities. It may be important for organizations to run vulnerability scans, as these are often used by attackers in order to gather information or access a network. This form of data analysis is also referred to as network reconnaissance.
A security review may be conducted in order to determine how an organization should protect information resources and assets. An information security strategy should result from the security review. The review generally consists of three steps:
- Identify and classify assets that are held or managed by the organization.
- Identify vulnerabilities that may put these assets at risk.
- Identify controls that can address the vulnerabilities.
Controlling & Managing
Risk mitigation refers to strategies for reducing risk to the organization’s objectives. While it may not be possible to address all threats, it is important to prioritize the possible threats according to the potential harm a threat may cause. In order to do so, an organization may apply any of the following strategies:
- risk assumption: accept the risk, but attempt to lower it to a tolerable level
- risk avoidance: avoid the risk through elimination of the cause
- risk limitation: limit the risk by introducing controls that minimize harm
- risk planning: create a risk mitigation plan to prioritize, limit and maintain control
- risk transference: transfer risk by finding other ways to compensate for losses (e.g. insurance)
Residual risk refers to the risk that remains after new or enhanced controls have been implemented. No control can successfully reduce the risk of a system to zero, since there is no risk-free system. There must always be some residual risk. This is determined through the formula:
Inherent Risk – Control = Residual Risk
In the formula above, inherent risk refers to the amount of risk linked to the activity itself. “Control” refers to the amount of risk that a specific control mitigates. Controls can help to mitigate risk by:
- Reducing the number of flaws or errors in the system
- Adding a targeted control
- Reducing the magnitude of impact
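The two formulas above (risk = threats x vulnerabilities x impact, and inherent risk minus control = residual risk) applied to a small risk register and used to rank the entries, as an added example that is not part of the original article. The register entries, dollar figures and the names `Risk`, `prioritize` and `REGISTER` are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    threat_per_year: float    # threat: expected frequency of the event
    vulnerable: bool          # vulnerability: binary yes or no
    impact_usd: float         # impact: cost of one occurrence, in dollars
    control_usd: float = 0.0  # amount of risk the chosen control mitigates

    def inherent(self) -> float:
        """risk = threats x vulnerabilities x impact"""
        if min(self.threat_per_year, self.impact_usd, self.control_usd) < 0:
            raise ValueError(f"{self.name}: negative input")
        return self.threat_per_year * int(self.vulnerable) * self.impact_usd

    def residual(self) -> float:
        """inherent risk - control = residual risk"""
        inherent = self.inherent()
        if inherent == 0:
            return 0.0  # a zero factor means there is no risk to control
        if self.control_usd >= inherent:
            # The article's premise: no control removes all risk, so an
            # estimate this large is an error in the register.
            raise ValueError(f"{self.name}: control claims to remove all risk")
        return inherent - self.control_usd

def prioritize(register):
    """Return (name, inherent, residual) rows, highest residual risk first."""
    rows = [(r.name, r.inherent(), r.residual()) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed sample register; every figure is illustrative.
REGISTER = [
    Risk("Laptop theft", 2, True, 5_000, control_usd=7_000),
    Risk("Ransomware on file server", 0.5, True, 200_000, control_usd=60_000),
    Risk("Flaw in decommissioned app", 4, False, 50_000),
    Risk("Data centre flood", 0.25, True, 80_000),
]

if __name__ == "__main__":
    for name, inherent, residual in prioritize(REGISTER):
        print(f"{name:28} inherent ${inherent:>9,.0f}  residual ${residual:>9,.0f}")
```

The decommissioned application scores zero despite the highest threat frequency, because its vulnerability factor is zero, and the uncontrolled flood risk outranks laptop theft once controls are subtracted.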
This article discusses risk, risk identification, risk mitigation and risk management. Risk is determined through the basic formula: risk = threats x vulnerabilities x impact. It also discusses and differentiates closely related concepts, such as threats and vulnerabilities. The article then compares risk assessment with threat assessment, vulnerability scanning, penetration testing and security reviews. Despite the implementation of controls to mitigate risk, some risk will remain in a system. This is known as residual risk and is determined through the formula: inherent risk – control = residual risk.
Foundations Exam Preparation
In preparation for the Foundations exam, a privacy professional should be comfortable with topics related to this post, including:
- Information risk management (I.B.)
- Privacy impact on organizational risk (I.B.a.)