I. Overview
II. Scope
III. About the author
1 Introduction
2 Risk management
2.1 Framing risk
2.2 Assessing risk
2.2.1 Risk assessment process
2.2.2 Risk models
2.1.2.1 Threat
2.1.2.2 Vulnerability
2.1.2.3 Likelihood
2.1.2.4 Impact
2.1.2.5 Aggregation
2.1.2.6 Uncertainty
2.2.3 Risk assessment approaches
2.2.3.1 Quantitative
2.2.3.2 Qualitative
2.2.3.3 Hybrid
2.2.4 Risk analysis approaches
2.2.4.1 Threat oriented
2.2.4.2 Asset oriented
2.2.4.3 Vulnerability oriented
2.3 Responding to risk
2.4 Monitoring risk
3 Preparing for the risk assessment
3.1 Purpose
3.2 Scope
3.3 Assumptions
3.4 Information sources
3.5 Roles and Responsibilities
4 Conducting the risk assessment
4.1 Risk assessment scope
4.2 Risk Assessment Process
4.2.1 Collect information
4.2.2 Identify systems or processes at risk
4.2.3 Evaluate the likelihood of harm occurring
4.2.4 Evaluate the impact
4.2.5 Determine risk for the item
4.2.6 Investigate options for eliminating or controlling risks
4.2.7 Prioritize action and decide on control measures
4.2.8 Implement controls
4.2.9 Measure the effectiveness of implemented actions
4.3 Assessing risks at organizational level
4.4 Assessing risks at the business process level
4.5 Assessing risks at the information system tier
4.6 Communicating risk information
Implementing a best practice risk assessment involves a risk assessment methodology describing how to perform Information Technology risk assessments. Risk assessments play a critical role in the development and implementation of effective information security programs and help address a range of security related issues from advanced persistent threats to supply chain concerns.
The results of risk assessments are used to develop specific courses of action that can provide effective response measures to the identified risks as part of a broad-based risk management process.
The guidance provided here uses the key risk factors of threats, vulnerabilities, impact to missions and business operations, and the likelihood of threat exploitation of weaknesses in information systems and environments of operation, to help senior leaders and executives understand and assess the current information security risks to information technology infrastructure. The risk assessment guidance has been designed to have maximum flexibility so the process can meet the needs of many types of companies.
The risk assessment guidance is consistent with the process for managing information security risk described in NIST Special Publication 800-39 that includes framing risk, assessing risk, responding to risk and monitoring risk over time risks to the organization’s operations (including missions, functions, image, and reputation), the organization’s critical assets, individuals who are part of the organization or who the organization serves, other entities involved in partnerships or collaborative efforts with the organization, and the Nation at large (including critical infrastructure). The guidance also supports a three-tier (Tier 1 - organization level, Tier 2 - mission/business process level, and Tier 3 - information system level) enterprise-wide risk management approach which focuses on the organization’s governance structures; the organization’s core missions/business functions, mission/business processes, and enterprise architecture; and the organization’s information systems that are essential for mission/business success. Copies of Special Publication 800-30, Revision 1, can be obtained from the NIST Computer Security Division web site at: http://csrc.nist.gov/publications.
This risk assessment methodology identifies how organizations can classify the inherent risks that it may face. The document further gives insights on how risk assessment helps in company planning, improves risk management processes and outlines the steps involved in risk assessment, including communicating risk assessment results to everyone involved and maintaining the standards of risk assessment
Eric Vanderburg is a graduate from Kent State University with a Bachelor of Science in Technology and a Masters of Business Administration with a concentration in Information Systems. During and after his education he worked as a consultant specializing in the development and maintenance of information management and network security systems for businesses, law firms, and government agencies. He has worked in education as a professor of computer networking at Remington College where he taught courses on information security, database systems, and computer networking and as a professor of computer information systems at Lorain County Community College.
Eric Vanderburg has been invited to speak at many organizations and campuses on technology and information security. Vanderburg was awarded an honorary Ph.D from Vatterott College in 2010 for his work in raising awareness of information security and promoting security and technology education. He holds over 30 vendor certifications including: Certified Information Systems Security Professional (CISSP), Holistic Information Security Practitioner (HISP), Certified Wireless Security Professional (CWSP), Hitachi Data Systems Certified Professional (HDSCP), and many certifications from Microsoft and Cisco.
It is highly important for an organization to understand the key risks involved in doing business in order to avoid compromising integrity and confidentiality of the data present on systems or handled by the company. With many threats introduced every day, I recommend that the person filling the risk management role at a company should be on top of the threats and vulnerabilities and document risks. The latter is accomplished primarily through risk assessments.
Risk assessments inform the decision makers and other stakeholders about the possible threats on business processes. It also describes when the risk is possible to strike the functioning of the business and the methods to overcome the same. Companies should conduct and adapt risk assessment at levels ranging from organizational level to business process level to information system level. Once risk assessment is ready, I recommend that a company implement risk management methodologies that include designing, implementing, testing and monitoring security guidelines. The most important audience for risk assessment framework is people who are responsible for risk management, security analysts, developers, designers and managers.
Risk management involves four important steps. They are:
1. Framing risk
2. Assessing risk
3. Responding to risk
4. Monitoring risk
The first step is the most important step since it defines what the risk is and how the risk may impact the organization’s activities. When risks are framed, it becomes easier for an organization to assess the risk and monitor the same to avoid unwanted problems. Once framing risks is completed, it is necessary to assess the impact of risk on the existing applications and organizational data. Risk assessment process provides results that help prevent business failures. Assessing the risk will also help in identifying when the risk might occur and possible repercussions of the risk. The third step is also an important one as it determines what actions an organization takes to overcome the risks. It also includes the preventive measures that can be taken in order to prevent the risk from damaging the system. Possible solutions to overcome risks are to identify alternative solutions for the requirement, identify methods to overcome risk and implementing security practices. When all of these steps are completed, the fourth step – monitoring risk - plays a vital role since it determines when the risk will strike again. This will also determine the effectiveness of actions taken to prevent and overcome risks.
With four steps listed above, let’s concentrate on the second one, risk assessment, as it provides necessary precautions for organization to tackle risks. Once risks are assessed, they need to be communicated to the entire team. This can prevent risks from being introduced at level of ownership.
Risks are likely to occur in of the following phases of software process including development of new software service, interconnecting various networking and information systems, designing and implementing security solutions along with maintenance of security solutions, integrity and authorization processes. The most important point to remember with respect to risk assessment is the time period for which it is valid. As said above, the advent of new technologies have also resulted in development of new threats. Hence, a risk assessment valid today might not be valid tomorrow. This makes it a time bound process and needs to be repeated at shorter duration of time.
Before delving deep into risk assessment, let’s understand the basic terminologies associated with risk and its impacts on organization. Risk is defined as the measure of threat that an organization possess in terms of integrity and confidentiality of the business processes. I recommend that risks should be analyzed along with the extent of threat it poses and the likelihood of its occurrence. When these data are analyzed and documented in proper standards, it is called risk assessment. A risk assessment framework should include four important components:
1. Risk assessment process
2. Risk model
3. Assessment approach
4. Analysis approach
Risk assessment is a process by which the risk and its associated components are analyzed. Risk model defines the various factors associated with the risk and the assessment approach defines the various values that are used during the analysis of risk. Analysis approach provides user with information related to coverage of various processes under risk management. The four components mentioned above will determine the risk assessment methodology of organization. The other factors that help in determining this methodology are the time frame available for the business to implement the solution, the complexity of the risk and the impact of risk on existing processes, the modules that are affected and the sensitivity of the information that will be compromised. Hence, it is the responsibility of the information technology analysts to identify the proper risk analysis approach, assessment approach to determine risk management methodology.
Risk models are the various risk factors that will determine the relationships of the risk factors and their impact on the functioning of the business. The risk factors are also used in communicating the risk details to other members at various levels of organization. The risk model consists of:
1. Threat
2. Vulnerability
3. Likelihood
4. Impact
5. Aggregation
6. Uncertainty
It is important to understand the various sources of threats so as to formulate risk assessments. The various sources of threat include physical attacks, source code error, structural failures etc.
Risk is closely associated with vulnerability as the latter is defined as a weakness in applications that will give rise to risk in security controls and procedures. Vulnerabilities occur when the security protocols have not been applied completely or when they are applied only partially. Also, there is the possibility for a new vulnerability to be introduced when an application is in use for a longer period of time.
Apart from causing damage to organization data, vulnerabilities can also cause damage to organizational governance and external relationships. Vulnerabilities when combined with threats results in risks. The threat scenarios help an organization to analyze the various areas of threats so that preventive action can be carried out when needed. There are some vulnerability that are exploited only when some other vulnerabilities occur and this is where a threat scenario comes into action as it presents information on the origin of the threat.
Likelihood is the possibility of the occurrence of a risk factor, given the vulnerabilities and threats. The adversary threats can be measured using adversary intent, capability and targeting. When the threat is not adversarial, their likelihood can be measured using past evidences and other factors that will contribute to the threat. Some threats are also capable of repeating itself over a certain period of time and such threats are easily determined for likelihood.
There are three steps in determining the likelihood of a threat event. In the first step, organization will analyze the likelihood of events getting initiated followed by the likelihood of causing trouble to the assets and other valuable resources of organization. These steps are followed by the analysis of likelihood of combination of initiation and impact of threats. Since there are possibly large number of threats and vulnerabilities, it is difficult for the threat vulnerability pairing to take place.
Impact is defined as the extent to which risks and threats cause destruction to the integrity, credibility and confidentiality of the data present at various levels of the organization. It is necessary for the business process to analyze the impact of the threats and risks along with methods for communicating the same to the team members. These factors play a vital role in the risk model as it summarizes the entire process of initiating a threat source to causing organizational risk. A threat source is first identified along with the various characteristics such as intent and capability of the threat. The threat source initiates the threat event based on the likelihood analysis. The threat event possesses sequence of steps ranging from actions to scenarios that exploits the vulnerability present in the application. These scenarios cause adverse impact in organization causing risks that will damage the confidentiality and integrity of the data.
Aggregation is defined as combining various low-level risks to form a single high-level risk. This will help organization to manage the risk assessment techniques that will manage the information systems and processes. There are cases when the risk assessment at the initial stage will not be the same at later stage. Hence the impact of the risks on organization goes beyond the expected level forcing managers to take immediate action to minimize damage. When the defects have direct relationship with others, they will be aggregated.
There is a level of uncertainty in the calculation of risk and this uncertainty is attributed to various factors. The most important of them are inability to completely predict the future when compared with the past and incorrect knowledge on the impacts of the threats. The other factors include unidentified threats and vulnerabilities along with incorrectly calculated dependencies. Uncertainty can also be caused due to incomplete knowledge of various risks that are associated with the information and security systems that are already employed within organization. When risk assessment is analyzed and is shared with the team, I recommend that the uncertainty due to the above reasons should also be communicated.
There are three major approaches for risk assessment. They include the quantitative approach, qualitative approach and hybrid approach. There are various factors that come into picture when of the above three approaches are selected by organization for their risk assessment. Every approach has its set of advantages and disadvantages and it depends on the organization’s work culture and historical evidences in selecting the approach.
Quantitative risk assessment approach employs principles, rules and techniques which will assess risks in the form of numbers. Even though this method will help in cost benefit analysis of organization, the interpretation of results and numbers make it a tougher option for the managers. The head of organization may question the results of the assessments as the numbers are not expected to give valid justification for the research as the quantitative assessment tends to be assigned based on the assessor’s perception and not a definitive number.
Qualitative assessments use methods and tools to produce results of risk assessments in the form of levels or severity. The common example of qualitative results is the use of levels such as low, medium, high and very high etc. The advantage of using such approach is its simplicity in communicating the risks to the product owners but the disadvantage lies in the fact that only fewer values can be used for declaring the results.
[...]
