Security Risk Management

Risk management is an important part of securing today’s information assets.  Security has moved from the fringes of technology to take its place alongside other critical business activities.  And like other business activities, the resources expended on the people, processes, and technology necessary to protect an organization’s information infrastructure must be justified in terms of return on investment (ROI). 

In this article, we’ll explore the fundamentals of risk management as it applies to information security.

What is Risk?

We encounter risk every day.  There’s the risk associated with making a financial investment.  There’s the risk of hiring the wrong persion to manage a key operation.  Risk can also involve something as simple as making a left turn at a busy intersection.  Although each of these situations occurs within a unique context, they all have something in common; they can all be generally defined by a simple formula:

Risk = Threats x Vulnerabilities x Impact

A closer look at this formula shows that the elements of threats, vulnerabilities, and impact are multipled together to arrive at the risk level.  So reducing any one of the three will significantly reduce risk.  Let’s examine our left turn example.

While making our turn, oncoming traffic is a threat.  Vulnerabilities might include visibility restrictions on you or other drivers, not wearing a seatbelt, or operating a vehicle that has a low impact safety rating.  The impact on you or your family if an accident occurs increases with factors such as having family members in the car or the size of your insurance deductible.

The lack of oncoming traffic eliminates threats.  Since the threat factor in our formula drops to zero, the result of the formula is zero.  Wearing your seatbelt or ensuring you use your headlights when appropropriate reduces your vulnerabilities.  Finally, reducing your deductible might lower the financial impact of an accident.  But how do the elements of risk apply to information assets?

Information assets include information, in any form, upon which an organization places value.  These assets may include databases, programs, and the components of your network as well as information on paper.  Also included is your most important asset – your people.  A malicious hacker attempting to access your financial data, a virus that might corrupt production information, and a hurricane are all examples of threats against these assets.

Within the context of information security, a threat is any technological, natural, or man-made cause of harm to an information asset.  Vulnerabilities are weaknesses in the security of an information system that can be exploited by a threat.  Examples include programs that haven’t had security patches applied, unlocked computer rooms, and weak or widely known passwords.  A threat exploiting a vulnerability resulting in the partial or total loss of one or more business assets consitutes business impact.

Eliminating threats to information resources is difficult, if not impossible.  We have very little control over the actions of malicious hackers, malicious code moving across the the Internet, or the unintentional destruction of an asset by a trusted employee.  Similarly, reducing impact to zero might mean that the assets involved had little or no value to begin with.  This leaves vulnerabilities.  Eliminating or minimizing vulnerabilities is usually the most effective way to maintain acceptable levels of risk to the confidentiality, integrity, and availability of your information assets.

Risk Management

Risk management is about identifying risk, assessing the impact on your business if a security incident occurs, and making the right financial decision about how to deal with the results of your assessment.  It also includes the implementation of a program to continually measure and assess the effectiveness of existing safeguards in protecting your critical assets.

Managing risk is not a one time activity; it’s an ongoing process.  Figure 1 depicts the Risk Management Cycle.

Risk Management Cycle  Figure 1 (Click on graphic to enlarge)

The first step in the cycle is to conduct a risk assessment.  A risk assessment identifies:

  • Critical information assets
  • Potential threats
  • Vulnerabilities
  • The risk level associated with each asset

The risk assessment is followed by an evaluation of the risks identified.  The first evaluation task is the prioritization of the various risks.  During the prioritization process, the assets with the highest risk levels should be assigned the highest priority.  The final evaluation activity is the identification of safeguards, and associated costs, to reduce each system risk to an acceptable level.

Next, management selects and implements the appropriate approach to managing each risk.  Risk management is based on the premise that risk can probably never be reduced to zero; the cost would be too high.  Rather, management’s goal should be to address specific risks in one of the following ways:

  • Reject
  • Accept
  • Transfer
  • Mitigate

Rejecting Risk

By rejecting risk, a manager is saying that he doesn’t believe the risk exists.  So he does nothing.  This is the head-in-the-sand approach.  Ignore it, and maybe it’ll go away.  This is a dangerous way to deal with potential negative business impact.  If used as a general approach to dealing with security issues, rejection of risk exposes the organization to a host of threats.

Accepting Risk

Accepting risk might seem the same as rejecting risk, but it’s actually much different.  When a manager performs a security safeguard cost/benefit analysis, she might discover that the cost of mitigating the risk is greater that the probable impact on the business.  In such cases, it’s a better business decision to accept the risk and spend her security dollars in more effective ways. 

Transferring Risk

Once a manager decides to deal with the risk, there are two approaches.  He can either transfer or mitigate it.  Transferring risk is most often accomplished by purchasing insurance to cover some or all of the cost of a security incident.

Mitigating Risk

Mitigation involves the implementation of security safeguards across people, processes, and technology in a reasonable and appropriate manner such that risk is reduced to an acceptable level. 

Once the assessment and management steps are complete, you should measure the effectiveness of your risk management efforts.  The metrics used should be simple and meaningful. 

Maintaining a completely secure network is a security manager’s dream; or should I say fantasy.  As the time-tested saying goes, the only completely safe network is the one that is powered off.  Risk management is about using business principles to reduce your organization’s risk so that a single security incident won’t cripple or destroy the business.  With each security investment, there should be a corresponding value sufficient to show ROI.  In some cases, as with regulatory mandates, this might be difficult.  But the principle of “reasonable and appropriate” should still prevail.

Author: Tom Olzak

Resources:

Governing for Enterprise Security

Managing risk as important as avoiding it

Security Means Managing Risk

Your email:  
subscribe unsubscribe  

Leave a Reply

You must be logged in to post a comment.