Selecting the right security controls can be a daunting task. By applying the principles of risk management, however, security managers can meet the challenge with confidence.
What is risk?
The easiest way to define risk is by examining the following formula:
Risk = Threats x Vulnerabilities x Impact
Reducing any one of the three factors—threats, vulnerabilities, impact—results in a significant reduction in risk.
A threat is any technological, natural, or man-made cause of harm to an information asset. Vulnerabilities are weaknesses in the security of an information system that might be exploited by a threat. Examples include programs that haven’t had patches applied, unlocked computer rooms, and weak or widely known passwords. A threat exploiting a vulnerability resulting in the partial or total loss of one or more business assets constitutes business impact (“Just Enough Security”, Erudio Security, 2006, ISBN: 141167541X).
From a mitigation perspective, the three factors are not equal in the effort required to reduce risk. It’s very difficult for a security manager to reduce threats. She has very little control over malware in the wild or how well law enforcement is doing in its efforts to stop criminal activities. Business impact is a little easier to mitigate. As we’ll see later in this article, financial impact can be softened with insurance coverage. The easiest way to reduce risk, however, is to implement controls to reduce vulnerabilities. Patching, anti-malware software management, and the implementation of proper access controls are just three approaches to vulnerability reduction.
What is risk management?
Risk management is about identifying risk, assessing the impact on your business if a security incident occurs, and making the right financial decision about how to deal with the results of your assessment. It also includes the implementation of a program to continually measure and assess the effectiveness of existing safeguards in protecting your critical assets. Managing risk is not a one-time activity; it’s an ongoing process. Figure 1 shows a Risk Management Cycle (“Just Enough Security”).
The first phase in the cycle is the execution of a risk assessment. The objectives of the assessment are to:
- Identify critical information assets
- Discover possible threats to the identified assets
- Identify vulnerabilities to the discovered threats and the associated probability of exploitation
- Calculate the risk associated with each asset
Risk can be evaluated using either a quantitative or a qualitative approach. Quantitative assessments use actual dollar amounts to provide a financially-based risk value. Qualitative assessments use scoring methods and the experience of employees and consultants to arrive at a risk score.
The quantitative approach is easier to present to executive management because it deals with actual numbers. However, it is very resource intensive. Attempting to calculate actual dollar values for business impact is difficult, if not impossible in many cases. A qualitative assessment is easier to perform, and although it might not provide hard dollar amounts, it should get you “close enough”.
Determining how to manage the identified risk is next. After you’ve calculated risk scores, they should be sorted from highest to lowest. This allows you to address the highest risks to your information assets first. There are essentially four ways to deal with each risk:
- Reject the Risk – Rejecting risk is the head-in-the-sand approach. Some managers tend to ignore difficult challenges with the hope that they will simply disappear. This approach will rarely result in a successful defense against security incidents.
- Accept the Risk – A common action to take is to accept the stated risk. For example, if the controls necessary to eliminate or mitigate key vulnerabilities are a greater financial burden than the actual risk impact, then it’s probably a good idea to use the security budget dollars in other areas.
- Transfer the Risk – An alternative to accepting higher than reasonable risk when the cost of controls is too high is to purchase insurance to lower the business impact of an incident. This is also a common risk management step.
- Mitigate the Risk – Risk mitigation typically focuses on vulnerability management. The reasonable and appropriate implementation of administrative, technical, and physical controls can serve to significantly reduce business risk.
Finally, it’s important to measure the results of the actions taken. Controls sometimes fail to work as expected and threats are a moving target. Only continuous vigilance through measurement and analysis can maintain risk at an acceptable level.
The final word
An important takeaway from this discussion is the understanding that the goal is rarely to reduce risk to zero. The cost is usually too high. Rather, the goal is to lower risk to a level acceptable by management and keep it there.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.