Regardless of the industry an organization is in, or the information security management framework it uses, it is more than likely required to perform a risk assessment. This is often a major pain point and source of confusion for many organizations, since the term risk assessment can take on various meanings depending on the context. Even the word "risk" may mean different things to different people. This guide will provide clarification on these topics and much more.
In order to conduct a risk assessment, it is important to understand what the word "risk" refers to within the context of information security. The words threat, vulnerability, and risk are often used interchangeably in everyday parlance; however, within the context of information security these terms have distinct meanings. A vulnerability is a weakness in an organization's information security. A threat is a danger that may exploit a vulnerability. The parties that represent a threat and carry out the exploitation of a vulnerability are commonly referred to as threat agents. Risk is the impact of a threat exploiting a vulnerability, weighted by the probability that the event will happen. This can be expressed as:
Impact of a Threat Event x Probability of Event Occurrence = Risk
For example, a computer running anti-virus software whose virus definitions are out of date represents a vulnerability, whereas a malware infection represents a threat. If the impact of this event is perceived to be catastrophic and the event is considered very probable, then this would represent a critical risk. However, if the impact were perceived as minimal and the event not very likely to happen, then this would represent a low risk.
The terms risk assessment and risk analysis describe related but different activities. A risk assessment is the process of identifying all of the threats and vulnerabilities, along with their related impacts and probabilities. Essentially, this is the organization answering the question, "What can go wrong?" A risk analysis evaluates the findings uncovered during the risk assessment. Typical activities performed during a risk analysis include:
There are numerous types of threats and vulnerabilities that an organization must identify. While every organization exists in a unique threat environment, many common threats and vulnerabilities are present in most organizations.
Threats may be human or non-human and may originate internally or externally. For example, some common threats/threat agents include, but are not limited to:
As stated previously, vulnerabilities are weaknesses present within an organization that may be exploited. It is critical that vulnerabilities are properly identified, since vulnerability management is within the control of the organization, whereas the organization has little to no control over the threats it faces. Common vulnerabilities include, but are not limited to:
Two common approaches toward risk analysis are quantitative and qualitative. A quantitative risk analysis attempts to assign a monetary cost to a threat agent exploiting a vulnerability. A qualitative risk analysis uses descriptors to categorize risks; for example, a hierarchical scheme such as high, medium, and low may be used to prioritize them. Both methods have their benefits, so an organization must determine which method is appropriate for its unique situation.
While there are multiple ways of determining the monetary values associated with risks, some key concepts are considered fundamental when performing a quantitative risk analysis. These key concepts are:
The single loss expectancy (SLE), the expected cost of one occurrence of a threat event, is calculated using the following formula, where the exposure factor is the fraction of the asset's value lost in a single event:
Value of the Asset x Exposure Factor = SLE
The annual loss expectancy (ALE) is calculated using the following formula, where the annualized rate of occurrence (ARO) is the expected number of times the event happens per year:
SLE x ARO = ALE
For example, if the value of an asset is $10,000, and a company anticipates that a specific threat event will cost 25% of the asset's value (an exposure factor of 0.25), then the single loss expectancy is $2,500. If the ARO is 0.5, meaning the event is expected to happen once every two years, then the annual loss expectancy is the $2,500 SLE multiplied by 0.5, or $1,250. These values are extremely useful for an organization, since they can be used to identify high-impact risks, prioritize risks, and give management concrete figures to base decisions on, such as whether a control's annual cost is lower than the loss it prevents.
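As an added worked example, not code from the original guide, the Python below carries the $10,000 / 25% / 0.5 figures above through the SLE and ALE formulas and then goes one step beyond the text: it scores candidate controls with the usual cost/benefit rule, annual net benefit = (ALE before the control minus ALE after it) minus the control's annual cost, and keeps only the controls that pay for themselves. The Control class, the rank_controls helper, and the three controls with their costs are hypothetical illustrations chosen for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A candidate safeguard: the threat parameters once it is in place, and its
    yearly running cost. (Hypothetical structure for this example, not from the page.)"""
    name: str
    new_exposure_factor: float
    new_aro: float
    annual_cost: float


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor.
    The exposure factor is the fraction of the asset's value lost in one event,
    so anything outside [0, 1] is a data-entry error rather than a valid estimate."""
    if asset_value < 0:
        raise ValueError("asset value must be non-negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is the expected number of occurrences per year
    (0.5 means once every two years)."""
    if aro < 0:
        raise ValueError("ARO must be non-negative")
    return sle * aro


def control_net_benefit(asset_value: float, exposure_factor: float, aro: float,
                        control: Control) -> float:
    """Annual net benefit = (ALE before - ALE after) - annual control cost.
    Positive means the control removes more expected loss per year than it costs."""
    ale_before = annual_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)
    ale_after = annual_loss_expectancy(
        single_loss_expectancy(asset_value, control.new_exposure_factor), control.new_aro)
    return (ale_before - ale_after) - control.annual_cost


def rank_controls(asset_value: float, exposure_factor: float, aro: float,
                  controls: list) -> list:
    """Return (control name, net benefit) pairs, best first, for the controls
    whose net annual benefit is positive; the rest are not worth their cost."""
    scored = [(c.name, control_net_benefit(asset_value, exposure_factor, aro, c))
              for c in controls]
    worthwhile = [(name, net) for name, net in scored if net > 0]
    return sorted(worthwhile, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    # The page's own figures: a $10,000 asset, a 25% exposure factor, once every two years.
    asset_value, ef, aro = 10_000.0, 0.25, 0.5
    sle = single_loss_expectancy(asset_value, ef)
    ale = annual_loss_expectancy(sle, aro)
    print(f"SLE = ${sle:,.2f}, ALE = ${ale:,.2f}")

    # Constructed candidate controls (illustrative numbers, not from the page).
    controls = [
        Control("endpoint detection and response", new_exposure_factor=0.25,
                new_aro=0.1, annual_cost=600.0),
        Control("offline backups", new_exposure_factor=0.05,
                new_aro=0.5, annual_cost=300.0),
        Control("managed SOC subscription", new_exposure_factor=0.25,
                new_aro=0.05, annual_cost=1_500.0),
    ]
    for name, net in rank_controls(asset_value, ef, aro, controls):
        print(f"{name}: net annual benefit ${net:,.2f}")
```

With the page's figures the ALE is $1,250 a year, so a control is only justified if it costs less than the expected loss it removes: the $1,500-a-year subscription in the example cuts the ALE to $125 but still comes out $375 behind, and is dropped from the ranking.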
Qualitative risk analysis is useful since it provides a high-level perspective of the risks an organization faces. While there are many different ways to assign values to impact and probability, a common scheme is to apply a three-level scale such as high, medium, and low (or descriptive equivalents, as below) to each factor. These values can be used to construct a matrix that may look like this:
| Probability \ Impact | Catastrophic | Serious     | Minimal      |
|----------------------|--------------|-------------|--------------|
| Imminent             | High Risk    | High Risk   | Medium Risk  |
| Likely               | High Risk    | Medium Risk | Low Risk     |
| Unlikely             | Medium Risk  | Low Risk    | Minimal Risk |
This matrix can be used as a decision tool for management. For example, an organization may decide that high and medium risks must be addressed in some manner to reduce the level of risk to an acceptable level. The matrix is only as consistent as the definitions behind its labels, so the organization should write down what counts as "Likely" or "Serious" before different assessors start rating risks against it.
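As an added example, not code from the original guide, the Python below encodes the matrix above as a function of the two ordinal scales (each factor's position on its scale is summed and the total capped at the top rating), builds all nine cells from that rule so they can be compared against the table, and applies the treatment policy just described (everything rated medium or higher must be addressed) to a small risk register. The register entries, the rate_risk and risks_requiring_treatment names, and the "Medium" threshold are constructed for illustration.

```python
# Ordinal scales listed from lowest to highest, using the matrix's own labels.
PROBABILITY_SCALE = ("Unlikely", "Likely", "Imminent")
IMPACT_SCALE = ("Minimal", "Serious", "Catastrophic")
RATING_SCALE = ("Minimal", "Low", "Medium", "High")


def rate_risk(probability: str, impact: str) -> str:
    """Map a (probability, impact) pair to a rating.

    Each factor contributes its position on its scale (0..2); the sum (0..4)
    indexes the rating scale, capped at its top. This reproduces the 3x3 matrix
    exactly (Imminent+Catastrophic and Imminent+Serious both land on High).
    Unknown labels raise ValueError instead of silently rating as Minimal.
    """
    try:
        p = PROBABILITY_SCALE.index(probability)
        i = IMPACT_SCALE.index(impact)
    except ValueError:
        raise ValueError(
            f"unknown probability/impact label: {probability!r}/{impact!r}") from None
    return RATING_SCALE[min(p + i, len(RATING_SCALE) - 1)]


def risk_matrix() -> dict:
    """The full matrix as {(probability, impact): rating}, laid out like the table:
    highest probability row first, highest impact column first."""
    return {(p, i): rate_risk(p, i)
            for p in reversed(PROBABILITY_SCALE)
            for i in reversed(IMPACT_SCALE)}


def risks_requiring_treatment(register: list, threshold: str = "Medium") -> list:
    """Apply the treatment policy: every risk rated at or above `threshold` must be
    addressed. Returns (name, rating) pairs, highest rating first, ties broken by name."""
    floor = RATING_SCALE.index(threshold)
    rated = [(entry["name"], rate_risk(entry["probability"], entry["impact"]))
             for entry in register]
    needing = [(name, rating) for name, rating in rated
               if RATING_SCALE.index(rating) >= floor]
    return sorted(needing, key=lambda pair: (-RATING_SCALE.index(pair[1]), pair[0]))


if __name__ == "__main__":
    # Constructed register entries (illustrative, not from the page).
    register = [
        {"name": "malware infection via stale AV definitions",
         "probability": "Likely", "impact": "Serious"},
        {"name": "ransomware on file server",
         "probability": "Imminent", "impact": "Catastrophic"},
        {"name": "lost visitor badge",
         "probability": "Likely", "impact": "Minimal"},
        {"name": "datacenter flood",
         "probability": "Unlikely", "impact": "Catastrophic"},
        {"name": "stolen unencrypted laptop",
         "probability": "Unlikely", "impact": "Minimal"},
    ]
    for (p, i), rating in risk_matrix().items():
        print(f"{p:9s} x {i:12s} -> {rating} Risk")
    for name, rating in risks_requiring_treatment(register):
        print(f"treat: [{rating}] {name}")
```

Deriving the rating from the scale positions rather than hard-coding nine cells means the same rule extends to a 4x4 or 5x5 scheme, but an organization that wants a different shape (for example, any catastrophic impact rated High regardless of probability) should override specific cells deliberately rather than bend the rule.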
There are numerous methodologies published to help guide an organization through the risk assessment and risk analysis process that vary in terms of complexity and scope.
One of the most popular methodologies, this NIST publication provides guidance for performing risk assessments at every scope, from organization-wide assessments down to application-specific ones. The methodology outlines techniques for threat and vulnerability identification, control analysis, and probability and impact determination, as well as requirements for reporting the results of risk assessments.
This methodology is helpful when an organization has implemented an information security management system using the ISO/IEC 27001 standard. While it provides very similar guidance to the NIST publication, ISO/IEC 27005 has more of a focus on the softer side of information security, emphasizing the need for documentation, human resources, and training.
Risk assessment and risk analysis must be a continuous process, since an organization's threat environment is constantly evolving. Repeating them enables an organization to mitigate risks to an acceptable level by identifying additional controls that may need to be implemented, or by determining other actions the organization can take to address risk. Risk assessment and risk analysis are critical to developing and maintaining a secure organization, since they force the organization to recognize and address its risks and enable it to allocate resources where they most effectively reduce risk.