The terms "risk analysis" and "risk assessment" have become ubiquitous in today's business environment, yet there remains a level of uncertainty surrounding them. Companies that are not well-versed in information security principles may mistake a simple penetration test or vulnerability scan for a risk analysis. Indeed, many information security companies market basic vulnerability assessments as risk analysis. While a penetration test or vulnerability scan may provide an indication of vulnerabilities within a system, a risk analysis will offer more comprehensive data on which an organization can act. A comprehensive risk analysis provides the foundation for strong risk management.
Risk analysis can be defined as the systematic examination (and prioritization) of the assets of a company or network, the threats to those assets and the vulnerability of the organization or system to those threats. Certainly if one had an unlimited budget the installation of firewalls, intrusion detection systems, secure architecture, file integrity monitoring and the like could secure a network sufficiently to meet any relevant legal or industry standard. Reality dictates, however, that unlimited budgets are not to be found, especially in today's business environment. The question of how to most effectively allocate the scarce security dollar may best be answered through the use of a risk analysis.
The risk analysis should be the cornerstone of any comprehensive information security program. Performing regularly scheduled risk analyses accomplishes many tasks. Most obviously, it allows organizations to get an accurate picture of the threats at play in their specific business environment and the potential impact they may have. Secondly, a risk analysis is the starting point for determining how to prioritize and manage the risks to the organization. By detailing the threats and the risks they pose, an organization can determine which threats need to be addressed most directly and allot resources accordingly. A detailed risk analysis also allows an organization to maintain a security posture that is commensurate with the risk posed to the organization's actual environment. By regularly conducting these analyses, and responding appropriately, the security program becomes a dynamic, living process that can maintain its viability within the organization.
Before discussing the various methods of risk management and risk analysis, it is imperative to have an understanding of the term "risk." The terms "threat", "vulnerability" and "risk" are often erroneously used interchangeably. A threat is defined as an event that has the potential to cause harm to the assets of an organization. A threat can derive from man-made sources or can be a naturally occurring event. A tsunami, for example, is a naturally occurring threat. A vulnerability is a weakness or susceptibility to a threat. For example, homes built on flood plains are vulnerable to water damage resulting from the threat of catastrophic flood.
Risk is the likelihood of a particular threat affecting an organization expressed numerically (in terms of dollar value) or ordinally. Many organizations measure risk based on the expected annual loss that may derive from a particular threat. The equation (which assumes a total loss of the asset as opposed to the more likely situation in which the asset would be damaged but not destroyed) looks like this:
Single Loss Expectancy x Annualized Rate of Occurrence = Annualized Loss Expectancy
If, for example, the likelihood of a tsunami occurring in Georgia is 1/1,000,000 and the value of the asset to be protected is $5,000,000 then the ALE = (5,000,000*1/1,000,000) or $5 per year. More complex variations of the equation can be used to calculate loss expectancy using variable impacts but for the sake of brevity, they will not be covered in this article.
At this point, it might be appropriate to mention some risk mitigation strategies that can be employed by an organization. Three primary methods of risk mitigation are Reduction, Acceptance, and Transference. When most people think of risk management, they tend to think in terms of simply reducing the risk through the implementation of countermeasures. This is commonly referred to as risk reduction. The protections that are employed should be designed and implemented with an eye towards minimizing the risk to a point that is acceptable to the organization. The controls implemented must be commensurate with the risk posed to the organization. Appropriate controls and proper implementation serve to reduce the risk faced by the organization.
Accepting risk is also a recognized management strategy. If protecting against a particular threat was more costly than the potential annual loss that would result, a company may choose to simply do nothing to counter the threat. Their vulnerability to that risk is simply not great enough to justify the spending that would be necessary to reduce or transfer the risk. Using the example above, if the cost of protecting against a tsunami were greater than $5 per year, the company in Georgia would likely choose to accept that risk rather than pay the additional cost of protection.
The last method of risk mitigation is transference. As the name implies, this method places the financial burden of the risk on some entity other than the organization. In other words: insurance. For example, the risk of becoming seriously ill or getting injured is real enough that most people would not think of forgoing health insurance. The risk of becoming sick or injured is transferred to the health insurance company, which is then responsible for paying the medical bills, or some portion of the bills. Similarly, companies take out insurance to transfer the financial burdens of a disruptive or catastrophic event. So, to use our Georgia example, the company may decide that accepting the risk is not a viable strategy, yet may not want to accept the full risk of tsunami damage, which may result in the total loss of their assets. So, they may choose to secure tsunami coverage from their insurance providers.
While these examples seem straightforward, it is important to remember that there are intangible elements that must be taken into account when determining how best to deal with risk. For example, if our company in Georgia produced tsunami protection equipment, then that company may decide that the damage to their reputation in the event that there is a tsunami far outweighs the monetary investment of implementing protections. In that case, they may decide that building an impenetrable tsunami wall is the best way to manage that risk. Every company will have a different pain threshold that is determined by their primary line of business, their financial status, their reputation and countless other intangible variables.
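As an added illustration (not part of the original article), the following Python puts the ALE formula and the reduce/accept/transfer comparison above into code. It generalizes the article's total-loss case with an exposure factor, the fraction of the asset value lost per event, so that SLE = asset value x EF and EF = 1 reproduces the article's formula. The threat names, dollar figures, control costs, residual rates and insurance premiums are constructed sample data, not figures from the article, and the assumption that insurance covers the full loss is the example's own simplification.

```python
"""Quantitative risk analysis: ALE, prioritization and treatment choice.

Added example, not from the original article. Implements
    SLE = asset value x exposure factor
    ALE = SLE x ARO
and compares the annual cost of accepting, reducing or transferring each
risk. All figures in the sample register below are constructed.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Threat:
    name: str
    asset_value: float            # dollar value of the asset at risk
    aro: float                    # annualized rate of occurrence (events/year)
    exposure_factor: float = 1.0  # fraction lost per event; 1.0 = total loss, as in the article
    control_cost: Optional[float] = None  # annual cost of a countermeasure (assumption)
    control_aro: Optional[float] = None   # ARO that remains once the countermeasure is in place
    premium: Optional[float] = None       # annual insurance premium for full coverage (assumption)


def sle(t: Threat) -> float:
    """Single Loss Expectancy: what one occurrence of the threat costs."""
    return t.asset_value * t.exposure_factor


def ale(t: Threat) -> float:
    """Annualized Loss Expectancy: expected loss per year with no treatment."""
    return sle(t) * t.aro


def treatment_costs(t: Threat) -> Dict[str, float]:
    """Expected annual cost of each available strategy.

    accept   -> the untreated ALE
    reduce   -> countermeasure cost plus the residual ALE it leaves behind
    transfer -> the premium (full coverage assumed, so no retained loss)
    """
    costs = {"accept": ale(t)}
    if t.control_cost is not None and t.control_aro is not None:
        costs["reduce"] = t.control_cost + sle(t) * t.control_aro
    if t.premium is not None:
        costs["transfer"] = t.premium
    return costs


def recommend(t: Threat) -> Tuple[str, float]:
    """Pick the cheapest strategy on expected annual cost alone.

    Intangibles such as reputation (the article's tsunami-wall case) are
    deliberately outside this calculation and must be weighed by management.
    """
    costs = treatment_costs(t)
    best = min(costs, key=costs.get)
    return best, costs[best]


def prioritize(register: List[Threat]) -> List[Tuple[str, float]]:
    """Rank threats by ALE, highest first, so the scarce budget goes there first."""
    return sorted(((t.name, ale(t)) for t in register), key=lambda r: r[1], reverse=True)


# Constructed sample register. The tsunami entry mirrors the article's numbers
# (asset $5,000,000, ARO 1/1,000,000, total loss); the rest are invented.
SAMPLE_REGISTER = [
    Threat("tsunami (Georgia office)", 5_000_000, 1e-6),
    Threat("ransomware on file server", 2_000_000, 0.1, exposure_factor=0.25,
           control_cost=20_000, control_aro=0.02, premium=40_000),
    Threat("flood at data center", 5_000_000, 0.01, exposure_factor=0.2,
           control_cost=15_000, control_aro=0.001, premium=8_000),
]


def report(register: List[Threat]) -> List[Tuple[str, float, str, float]]:
    """(name, ALE, recommended strategy, annual cost) for each threat, in priority order."""
    by_name = {t.name: t for t in register}
    out = []
    for name, loss in prioritize(register):
        strategy, cost = recommend(by_name[name])
        out.append((name, loss, strategy, cost))
    return out


if __name__ == "__main__":
    for name, loss, strategy, cost in report(SAMPLE_REGISTER):
        print(f"{name:28s} ALE ${loss:>12,.2f}  -> {strategy:8s} (${cost:,.2f}/yr)")
```

The tsunami row reproduces the article's $5-per-year result and, with no countermeasure or policy cheaper than that, lands on "accept"; the ransomware row shows reduction beating both acceptance and insurance once the residual ALE is added to the control's cost, and the flood row shows transference winning when a premium undercuts both. The comparison is purely financial, which is exactly why the article's reputational caveat still applies.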
The goal of a risk analysis is not to eliminate risk, but rather to identify the risks present in a particular environment and prioritize those risks in a manner that allows management to address them sufficiently to manage risk within the organization. Risk can never be completely eliminated, only mitigated to levels that are acceptable to a particular company given a particular set of circumstances. While there exist a number of different methodologies for conducting risk analysis, in general there are two primary types of risk analysis: qualitative and quantitative.
A quantitative analysis is more objective, using dollar values as the basis for determining the amount of risk. This can be beneficial because it is, ostensibly, an objective measure. The major drawback to the quantitative analysis is that it is extremely resource intensive, requiring a large amount of preparatory work and complex calculations. The result is that this is often more time-consuming and expensive than is practicable for many companies.
The alternative is to undertake a qualitative risk analysis. This is a more subjective measure of risk, but when carried out properly, it can often give a very accurate assessment of the levels of risk within which a company is operating and within which the company can operate. While this is less labor and time intensive, the quality of the assessment rests solely on the quality of the individuals assigned to the risk assessment team. Also, it is difficult to conduct a meaningful cost-benefit analysis on the basis of a qualitative risk assessment.
While the risk assessment is an integral part of determining the information security budget, it serves another, equally important, role in the organization. Much of the new legislation, both nationally and internationally (the EU Safe Harbor Act, for example), requires organizations to conduct risk assessments on a regular basis and to implement security measures commensurate with that assessment. An excellent resource for information on risk analysis is the Peltier book, Information Security Risk Analysis.
Risk management is an ongoing, cyclical process. As the business environment changes, so too do the threats facing an organization, and the countermeasures that can be employed to address vulnerabilities. A one-time risk analysis is simply a snapshot of the environment in which an organization operates at a given point in time. Effective risk management requires ongoing evaluation and adaptation to the business, legal or security environment. The cycle of risk management should include assessment, implementing controls, evaluating controls, promoting awareness of risk, detecting attacks and responding to those attacks.