8. Risk Management

A risk is the potential for harm or loss.

  • What could happen? (Threat)
  • How bad can it be? (Impact)
  • How often might it happen? (Frequency)
  • How certain are the answers to the first three questions? (Uncertainty)

Risk management is an approach to manage uncertainty through risk assessment, strategy, and risk mitigation.

Every organization must manage risk. Information security is only one type of enterprise risk. Check laws, react, identify organization goals, analyze, manage plans, then implement.

A risk assessment is just one step in risk management, but it is an integral part of an organization’s information security risk management program. To identify risk, the assessment focuses on asset valuation, threat analysis, and a vulnerability assessment.

Frameworks and methodologies worth being familiar with, which can be used to structure security controls, include:

  • COSO
  • ITIL
  • COBIT
  • ISO 27002: 2013
  • ISO 27005 and 31000
  • NIST SP 800-30, 800-39, and 800-661
  • MEHARI
  • EBIOS
  • IRAM
  • OCTAVE

There are many types of risks such as strategic, financial, organizational, technological, operational, and legal.

Before a risk assessment can be made, how do you determine a risk?

  1. Identify a method.
  2. Determine the risk acceptance criteria.
  3. Identify the acceptable risk levels.

How is the risk assessment performed?

  • First, perform a high-level evaluation to identify the highest risks that justify a detailed evaluation.
  • The second phase can consist of an in-depth evaluation of the risks discovered in the first phase.

How do you determine a vulnerability? First we need to understand what a vulnerability is. A vulnerability is a weakness in a control, or lack of control, that puts an entity at risk. Here are a few examples:

  • Administrative control – No pre-employment screening.
  • Technical control – Anti-virus not up-to-date.
  • Physical control – No fire suppressant in room.

We must also understand what a threat is. A threat is something that looks to take advantage of a vulnerability and brings potential danger to valuable assets. A threat agent is an entity that is taking advantage of a vulnerability.

There are 3 types of threats in cybersecurity to be aware of:

  • Deliberate (malicious) threat – Gaining unauthorized access. A malicious employee downloading a virus.
  • Accidental threat – Employee sending an email containing controlled unclassified information.
  • Natural threat – Hurricanes, floods, tornadoes, etc. Someone setting a fire.

Analyze the threat. Find the areas in a company that are of interest to an attacker. What are the consequences if the threat succeeds in exploiting your vulnerability? How likely is this to occur? All assets bring value and have the potential to be harmed. You can organize the analysis as follows:

  • Threat source – Who are your potential threats? Organized crime, activists, etc.
  • Capabilities (0-5) – How IT trained is the source? Talk to key security personnel to gain this intel.
  • Motivation (0-5) – How interested are they in your organization?
  • Total threat score

Let’s break down why this is important. We mentioned that an asset brings value to a company. Tangible assets are things like computers; intangible assets are things like intellectual property.

Value determines the asset’s worth. Note that value does not only mean financial value. It can be something important to your company, like trade secrets.

Exposure is the materialization of a threat against your company’s assets.

Exposure factor is the percentage of the asset’s value that would be lost if this threat were realized.

This leads to the level of impact on the organization. (Value × Exposure Factor = Impact)

Then you think of the probability this threat would likely take place.

Risk exposure then is calculated by Probability × Impact = Risk Exposure.

With this information a control can be created. A control is a safeguard or countermeasure put into place to mitigate risk.

A manager may use a quantitative risk analysis as a monetary approach to the analysis. This approach is often automated and can be used to support a cost-benefit analysis. But this approach takes high effort and time to create, and it still requires some assumptions.

The quantitative formula consists of single loss expectancy (SLE) and annualized rate of occurrence (ARO) to determine the annualized loss expectancy (ALE).

SLE – Financial loss an exposure would have on a certain asset. (Impact)

ARO – Estimated probability of a specific exposure over one full year.

ALE – Amount of loss over the full year.

So, SLE × ARO = ALE.

A manager may use a qualitative risk analysis. This approach does not attempt to assign financial values. The challenge of this approach is to develop real scenarios to describe threats and predict potential losses.

Overall, once a risk is assessed there are 4 risk treatment options. It can either be mitigated, accepted, assigned, or avoided. Rejecting (ignoring) a risk is not an accepted option.

If a risk is being mitigated, the decision is supported by a cost-benefit analysis: ALE before safeguard – ALE after safeguard – Cost of safeguard = Value of safeguard. This helps management understand whether, overall, the mitigation will save the company money or not.
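The formulas from the last few sections chain together: Value × Exposure Factor gives the impact of one event (SLE), multiplying by ARO gives ALE, and comparing ALE before and after a control against its cost gives the value of a safeguard. The following is an added worked example (not code from the original notes) that carries that chain through for one asset and ranks several candidate controls. The asset, threat, dollar values, safeguard names and costs are all constructed for illustration, and the safeguard cost is assumed to be an annual cost so that it is comparable with the annualized ALE; the class and function names are my own.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Exposure:
    """One threat acting on one asset, with the quantities the notes define."""
    asset: str
    value: float            # asset value in dollars (constructed figure)
    exposure_factor: float  # fraction of the value lost per occurrence (0.0 - 1.0)
    aro: float              # annualized rate of occurrence (expected events per year)

    def __post_init__(self):
        # Guard the inputs: an EF outside 0..1 or a negative ARO is a data-entry error.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")

    def sle(self) -> float:
        """Single loss expectancy: Value x Exposure Factor (the impact of one event)."""
        return self.value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO.

        This is the quantitative form of Probability x Impact = Risk Exposure,
        with ARO playing the role of probability and SLE the role of impact.
        """
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A control, its assumed annual cost, and the exposure left once it is in place."""
    name: str
    annual_cost: float
    residual: Exposure


def safeguard_value(before: Exposure, sg: Safeguard) -> float:
    """ALE before safeguard - ALE after safeguard - cost of safeguard."""
    return before.ale() - sg.residual.ale() - sg.annual_cost


def best_safeguard(before: Exposure, candidates):
    """Return (safeguard, value) for the candidate with the highest positive value.

    A control whose value is zero or negative costs more than the loss it avoids,
    so it is never chosen; if nothing pays for itself the result is None and
    management should look at the other treatments (accept, assign, avoid).
    """
    best = None
    for sg in candidates:
        v = safeguard_value(before, sg)
        if v > 0 and (best is None or v > best[1]):
            best = (sg, v)
    return best


# Constructed sample scenario (not from the original page): a customer database
# worth $500,000, where a ransomware event is expected about once every two years
# and would destroy 40% of the asset's value.
DB_EXPOSURE = Exposure(asset="customer database", value=500_000.0,
                       exposure_factor=0.40, aro=0.5)

# Candidate controls. Each one changes either how much is lost per event (EF)
# or how often the event happens (ARO); costs are assumed annual figures.
BACKUPS = Safeguard("offline backups", annual_cost=20_000.0,
                    residual=replace(DB_EXPOSURE, exposure_factor=0.10))
EDR = Safeguard("endpoint detection and response", annual_cost=60_000.0,
                residual=replace(DB_EXPOSURE, aro=0.25))
FILTERING = Safeguard("email filtering", annual_cost=15_000.0,
                      residual=replace(DB_EXPOSURE, aro=0.30))


if __name__ == "__main__":
    print(f"SLE = ${DB_EXPOSURE.sle():,.0f}, ALE = ${DB_EXPOSURE.ale():,.0f}")
    for sg in (BACKUPS, EDR, FILTERING):
        print(f"{sg.name:32s} value of safeguard = ${safeguard_value(DB_EXPOSURE, sg):,.0f}")
    chosen = best_safeguard(DB_EXPOSURE, [BACKUPS, EDR, FILTERING])
    print("recommended:", chosen[0].name if chosen else "none pays for itself")
```

With the constructed figures, SLE is $200,000 and ALE is $100,000 a year. Offline backups cut the ALE to $25,000 for $20,000 a year, a net value of $55,000; the EDR option reduces the loss but costs more than it saves, so its value is negative and it is not recommended on this analysis alone.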

Now we know how to manage risk and understand what we need to do to keep it at a low level. Go out there and protect those assets!
