Measuring and Assessing Information Security Risk

At its heart, information security is the art of reducing risks to the information assets of an organization. As with every other function of an organization, information security risks can never be fully mitigated while still keeping everything running. That means you must be able to assess the risks and prioritize them.

What is an information security risk?

A risk is simply the combination of the likelihood that a threat or vulnerability will be exploited and the adverse impact such an exploitation would have on the business. These threats and vulnerabilities do not need to be tied to any technical weakness; they could be threats against the company’s reputation, the safety of its personnel or customers, the ability to achieve company goals, and so on. For the purposes of this article, though, we’ll focus on technical risks to information, since those are more straightforward to demonstrate and that is where my expertise lies.

Every organization is different and therefore has a different risk profile. The best place to start is by identifying the critical assets and processes. You should also look at past incidents that occurred at your organization and similar organizations. Those past incidents can illuminate vulnerabilities which could lead to threats against your critical assets. A recent Microsoft breach is a scary example showing how layered vulnerabilities and lower priority systems can lead to a critical breach. Risk assessments cannot ignore these seemingly innocuous issues.

Once you have identified the critical assets to protect, you need to identify the threats against those assets. Threats can be internal or external and purposeful or accidental. Someone within the organization accidentally posting a sensitive file to the wrong data store is still a risk, even though it is both internal and accidental.

For nearly all risks, the organization should do a root cause analysis (RCA) to ensure the strategy for dealing with it addresses the right issues. There are several RCA methodologies to choose from:

  • Five Whys - this is an informal, interrogative method. You ask why a problem has occurred and continue asking that why question for each subsequent answer. Eventually you will get to a root cause that needs to be addressed. The main issue with this method is its lack of structure. Without structure, it can be difficult to assess how the whole environment affects that risk.

  • Ishikawa Fishbone - this is a more structured approach asking how six different categories affect the cause of an event. Having those predefined categories to assess against along with the visual diagram can help all stakeholders understand the complex nature of your risk.

There are other methodologies but those are the ones I’ve found to be most useful for information security. An RCA can also feed into a corrective and preventative action (CAPA) plan. Not every risk needs something so formal, but for critical risks to the company a CAPA can ensure that the risk doesn’t reappear.

Quantitative vs. Qualitative

There are two ways of measuring risks: qualitative or quantitative. Qualitative is the easiest to approach and can be as simple as t-shirt sizing risks to the organization (small, medium, large, etc.). Quantitative is much more work to achieve but can yield precise results for high priority risks and will help in demonstrating the value of remediation versus acceptance.

The first step in performing a qualitative risk assessment is to determine which framework to use or if you even want to use one at all. There are three major risk management frameworks you can work off of:

  • COSO ERM - This is a widely used risk management framework that can be used to manage all types of risk including cybersecurity, financial, and operational risks.

  • ISO 31000 - This is a family of standards aimed at organizations of all sizes. It treats risk management as an ongoing and integrated process which is tailored to the needs of each organization.

  • NIST CSF - This framework is specifically designed to protect information systems. It includes a detailed, seven-step process for evaluating, managing, and monitoring risks.

If you are starting fresh at your organization or your organization is very small, I would suggest initially taking an informal route. Once you have the lay of the land you can determine which framework is best for you. If you know your issues are going to be purely technical, you can also do a simple gap assessment against something like the CIS Controls to point you in the right direction.

Quantitative risk assessments are complex and time-consuming, so they should be reserved for only the most critical risks. Look for assets that your organization cannot be without; those are generally the easiest to calculate a quantitative risk for. You need to be able to estimate the probability of the risk being exploited (usually expressed as the likelihood of it occurring in a given year), the value of the affected asset to the organization, and the cost to clean up the incident. One method of combining these is a Monte Carlo simulation, which generates a large set of random sample outcomes from which you can calculate the expected and worst-case loss to the organization.

Prioritizing Risks

Whether you have a subjective or objective rating for your risks, you will always have more than you can mitigate. It is up to senior leadership to set the risk tolerance for the organization. That risk tolerance will determine which risks are mitigated, which are accepted, which are transferred, and which are avoided. Before we can assess a risk against the risk tolerance, though, we need several key data points: the likelihood of exploitation; the adverse impact to the organization if it were exploited; the cost to mitigate, transfer, or avoid the risk; whether there are regulatory requirements pertaining to the risk; and the adverse impact the exploit would have on the organization’s reputation.

It can be easy for an organization to ignore risks with a low likelihood of exploitation, but the reputational hit if one does occur can still push the organization to remediate. You also don’t have to fully remediate every risk. With most threats there are ways of bringing the risk down to a tolerable level. For example, passwords are going away in favor of other authentication methods to prevent account takeover attacks. Those other authentication methods do not fully prevent account takeover attacks, but they can (if implemented properly) lower the risk to a level the organization can tolerate. Going one layer deeper, it is important to take into account what the organization is protecting with each account when determining the necessary level of authentication security (an email account will need less protection than access to a database with credit card data, etc.).
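The quantitative approach above (annual likelihood, asset value plus clean-up cost, Monte Carlo sampling) and the question of whether a partial control brings a risk within leadership’s tolerance can be worked through in a few dozen lines. The following is an added example, not code from the article; the scenario figures, the assumption of at most one incident per simulated year, and the uniform loss distribution are all constructed for illustration, and the function names (`simulate_annual_losses`, `summarise`, `compare_treatments`) are mine.

```python
import random


def simulate_annual_losses(likelihood, impact_low, impact_high, trials=20000, seed=7):
    """Monte Carlo sample of one year's loss from a single risk.

    likelihood        probability the event occurs in a given year (0..1)
    impact_low/high   bounds on the loss when it does occur: the value of the
                      affected asset to the organization plus the clean-up cost
    Assumptions (constructed for this example): at most one occurrence per year,
    and the loss is uniformly distributed between the two bounds.
    """
    rng = random.Random(seed)  # fixed seed so the simulation is reproducible
    losses = []
    for _ in range(trials):
        if rng.random() < likelihood:
            losses.append(rng.uniform(impact_low, impact_high))
        else:
            losses.append(0.0)  # nothing happened in this simulated year
    return losses


def summarise(losses):
    """Annualised loss expectancy (the mean) plus tail percentiles of the sampled years."""
    ordered = sorted(losses)
    n = len(ordered)

    def pct(p):
        return ordered[min(n - 1, int(p * n))]

    return {
        "ale": sum(ordered) / n,
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "worst": ordered[-1],
    }


def compare_treatments(baseline, residual, annual_control_cost, tolerance_ale):
    """Weigh accepting the risk against paying for a control that lowers it.

    baseline/residual    summaries from summarise() without and with the control
    annual_control_cost  yearly cost of running the control
    tolerance_ale        the expected annual loss leadership is willing to carry
    """
    saving = baseline["ale"] - residual["ale"]
    baseline_ok = baseline["ale"] <= tolerance_ale
    residual_ok = residual["ale"] <= tolerance_ale
    if saving > annual_control_cost or (not baseline_ok and residual_ok):
        recommendation = "mitigate"
    elif baseline_ok:
        recommendation = "accept"
    else:
        recommendation = "control insufficient; residual risk still above tolerance"
    return {
        "expected_annual_saving": saving,
        "control_pays_for_itself": saving > annual_control_cost,
        "baseline_within_tolerance": baseline_ok,
        "residual_within_tolerance": residual_ok,
        "recommendation": recommendation,
    }


def run_example():
    """Constructed scenario (not from the article): a customer database compromised
    in roughly one year in ten, costing 100k-500k per incident. A control costing
    10k/year is estimated to cut the likelihood to 2%; leadership tolerates an
    expected loss of 15k/year."""
    baseline = summarise(simulate_annual_losses(0.10, 100_000, 500_000))
    residual = summarise(simulate_annual_losses(0.02, 100_000, 500_000))
    return baseline, residual, compare_treatments(baseline, residual, 10_000, 15_000)


if __name__ == "__main__":
    base, resid, decision = run_example()
    for label, s in (("without control", base), ("with control", resid)):
        print(f"{label:16s} ALE={s['ale']:>10,.0f}  p90={s['p90']:>10,.0f}  "
              f"p95={s['p95']:>10,.0f}  worst={s['worst']:>10,.0f}")
    for key, value in decision.items():
        print(f"{key:28s} {value}")
```

The mean of the sampled years is the annualised loss expectancy; the 90th and 95th percentiles show the tail that a single expected-value figure hides, which is usually what makes a low-likelihood, high-impact risk worth discussing with leadership. Replacing the uniform draw with a distribution fitted to your own incident history, and allowing more than one incident per year, are the natural next refinements.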

Continual Assessments

The risk assessment process really never ends. An organization’s risk profile will evolve over time through means such as:

  • Changes in the technology powering the organization,

  • Outside threat groups finding new ways to exploit existing technology,

  • Changes in regulatory or contractual obligations, or

  • New priorities pushing the organization to reassess its risk tolerances.

The best way to react to changes like those is to have monitoring controls in place. For example, changes in outside threat groups can be tracked by joining relevant interest groups such as your industry’s ISAC, and changes in technology can be caught by integrating the risk process into the technology delivery processes.

That last point is crucial to having a healthy risk management program. You need to integrate risk management into all processes in your organization. Teach all members of your organization how to think about the work they are doing through a risk lens. We all can have an impact on the risk profile of our organizations.
