Defining Risk and Risk Management
Risk
Risk lies at the intersection of an asset, a vulnerability and a threat: it is the probability that a threat is realized.
The combination of the probability of an event and its consequences is known as risk.
There are many types of risk, such as enterprise, regulatory, financial, reputational, conduct, environmental, management, technology, operational and legal risk.
Strategic Risk:
Risks that result directly from a specific industry or organization within a specific time frame.
An example of strategic risk is failing to upgrade a system after it becomes obsolete; using old or obsolete devices exposes the organization to attacks.
Compliance Risk:
Compliance risks are legislative, regulatory and statutory risks based on standards and practices.
Examples of such standards are ISO/IEC 27001, NIST, HIPAA, SOX and GDPR.
Operational Risk:
The risk resulting from inadequate or failed internal processes, people and systems, or from external events, is known as operational risk.
Example:-
Human error, fraud, IT system failure, management problems, commercial disputes, accidents.
Technology Risk:
Risk resulting from failures in technology, data or applications that negatively impact the business.
Example:-
Website crashing, security incident due to data theft, virus attack, etc.
Business Risk:
This is the real-time identification of risks or red flags in the controls of a business.
Example:-
Inaccurate financial data, financial data leakage, fraudulent transactions, etc.
Information Security Risk:
Information security risk is a subset of technology risk: the risk to an organization's operations, assets and individuals arising from unauthorized access, use, disclosure, disruption, modification or destruction of information and information systems by outsiders.
Two risk analysis methods are used, known as qualitative risk analysis and quantitative risk analysis.
Quantitative Risk analysis
Quantitative risk analysis focuses on the numerical evaluation of risks. It is performed to understand the probability and impact of risks. Its main benefit is that it produces measurable data, which is very helpful during business impact analysis (BIA).
Quantitative analysis uses data such as historical records, past experiments, industry practices and test data.
Qualitative Risk analysis
Qualitative risk analysis is the process of evaluating risks by considering their probability of occurrence and their impact. It is simple and is used frequently where the risk level is low.
The risk rating uses values such as Very High, High, Moderate, Low and Very Low.
Risk Assessment
The evaluation of the possibility of a threat or vulnerability existing. The steps below are carried out during a risk assessment.
- Identify critical assets or resources.
- Identify relevant risks in terms of vulnerabilities and threats.
- Perform impact analysis on the basis of quantitative and qualitative approaches.
- Prioritize risks and document them.
- Risk treatment.
Risk Management
Risk management is about taking decisions and actions to address uncertain outcomes or risks. Information security risk management is the process of identifying, evaluating and treating risks across the organization.
Risk management is the identification, evaluation and prioritization of risks.
The NIST SP 800-37 Risk Management Framework (RMF) sets out a step-by-step process for risk management:
1. Categorize Information System
2. Select Security Controls
3. Implement Security Controls
4. Assess Security Controls
5. Authorize Information System
6. Monitor Security Controls
Risk management is important in an organization because without it an organization cannot define its objectives for the future.
The steps to manage risks are as follows:
- Identification of assets: in this first step, count all information systems, software, hardware, services, people, records and procedures.
- Evaluation: assets are evaluated based on their criticality and importance to business operations, and rated Low, Medium or High. The CIA triad (confidentiality, integrity and availability) may be followed.
- Risk assessment: carry out a risk assessment and perform impact analysis based on quantitative and qualitative approaches. Document the outcomes of the assessment, such as the name of the risk owner, implemented controls, asset value, level of threat, level of vulnerability and impact to the organization. A risk matrix table can be prepared.
- Risk treatment: the final step is to mitigate or reduce the risks by selecting appropriate security controls and drawing up a risk treatment plan (RTP).
Below is a sample risk assessment formula:
SLE X ARO = ALE
Similarly:
Cyber Risk = Threat X Vulnerability X Information Value
ALE: Annual loss expectancy. This is a measure of how much loss (in financial terms) an organization could expect in a year.
SLE: Single loss expectancy. It denotes how much the organization can expect to lose from any one occurrence.
ARO: Annualized rate of occurrence. It is derived from historical data on how often an event occurs within a year.
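The formulas above, worked through in code. This is an added example, not part of the original page: it computes ALE from SLE and ARO, applies the Threat x Vulnerability x Information Value score on an assumed 1..5 scale for each factor, ranks constructed scenarios by ALE, and adds one step the page does not state, the usual cost/benefit check that compares the drop in ALE with what a control costs per year. All scenario figures are constructed.

```python
"""Quantitative risk figures, as an added example: ALE = SLE x ARO, the
Threat x Vulnerability x Information Value score, and a cost/benefit check on a
proposed control."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario with the page's two inputs."""
    name: str
    sle: float   # single loss expectancy: money lost each time the event occurs
    aro: float   # annualized rate of occurrence: events per year, from historical data


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, the expected yearly loss for one scenario."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def cyber_risk_score(threat: int, vulnerability: int, information_value: int) -> int:
    """Cyber Risk = Threat x Vulnerability x Information Value. Each factor is
    assumed to be rated 1..5, so the score runs 1..125 (the scale is an assumption)."""
    for v in (threat, vulnerability, information_value):
        if not 1 <= v <= 5:
            raise ValueError("each factor must be rated 1..5")
    return threat * vulnerability * information_value


def safeguard_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Net yearly value of a control: ALE before it, minus ALE after it, minus what
    the control costs per year. Not on the page; this is the usual cost/benefit
    form used alongside ALE. A positive result means the control pays for itself."""
    return ale_before - ale_after - annual_control_cost


def rank_by_ale(scenarios) -> list:
    """Scenario names ordered by ALE, largest first, for prioritization."""
    return [s.name for s in sorted(
        scenarios, key=lambda s: annual_loss_expectancy(s.sle, s.aro), reverse=True)]


# Constructed sample scenarios (figures are illustrative, not real data).
SAMPLE_SCENARIOS = [
    Scenario("Ransomware on the file server", sle=50_000, aro=0.5),       # ALE 25,000
    Scenario("Laptop stolen with unencrypted data", sle=4_000, aro=2.0),  # ALE 8,000
    Scenario("Flooding of the server room", sle=400_000, aro=0.05),       # ALE 20,000
]


if __name__ == "__main__":
    for s in SAMPLE_SCENARIOS:
        print(f"{s.name}: ALE = {annual_loss_expectancy(s.sle, s.aro):,.0f}")
    # Offline backups cut the ransomware SLE from 50,000 to 10,000 (ARO unchanged)
    # and cost 8,000 per year: value = 25,000 - 5,000 - 8,000 = 12,000.
    before = annual_loss_expectancy(50_000, 0.5)
    after = annual_loss_expectancy(10_000, 0.5)
    print(f"Value of offline backups: {safeguard_value(before, after, 8_000):,.0f}")
    print("Priority order:", rank_by_ale(SAMPLE_SCENARIOS))
```

The ranking is the point: the flood scenario has the largest single loss but, weighted by its ARO, sits below the ransomware scenario, which is why ALE rather than SLE alone should drive which risk is treated first.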
What is meant by risk acceptance?
Risk acceptance is a strategy for dealing with risk in which accepting the risk and its consequences is decided to be the best approach. In other words, you understand the risk and decide not to do anything about it.
Risk Register:
A risk register is a tool for risk analysis used during IT, enterprise and financial risk management. It holds all the identified risks within an organization.
It contains:
- All identified risks
- Risk Category
- Likelihood of occurrence
- Impact
- Risk ownership details
- Response Plan
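A small risk register that ties together the qualitative rating scale (Very High to Very Low), the asset evaluation step with its Low/Medium/High CIA rating, the risk matrix table from the "Steps to manage risks" section, and the register fields listed just above. This is an added example, not the page's or any product's code. The 1..5 likelihood and impact scales, the score cut-offs for each rating band, and the "highest CIA requirement wins" rule for asset criticality are assumptions; the register entries are constructed.

```python
"""Qualitative risk register, as an added example: asset evaluation against the
CIA triad, a likelihood x impact rating on the page's five-level scale, and
prioritization of the register entries."""
from dataclasses import dataclass, field

# Five qualitative levels from the page, lowest to highest.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]


@dataclass
class Risk:
    """One row of the risk register (fields follow the list on the page)."""
    name: str
    category: str
    likelihood: int        # 1 (rare) .. 5 (almost certain); the scale is an assumption
    impact: int            # 1 (negligible) .. 5 (severe); the scale is an assumption
    owner: str
    response_plan: str
    controls: list = field(default_factory=list)

    def score(self) -> int:
        """Likelihood x impact on a 1..25 scale."""
        return self.likelihood * self.impact

    def rating(self) -> str:
        return rate(self.score())


def rate(score: int) -> str:
    """Map a 1..25 score onto the five levels. The cut-offs are an assumption;
    an organization sets its own bands, and the bands are all that changes."""
    if not 1 <= score <= 25:
        raise ValueError(f"score {score} outside 1..25")
    if score >= 20:
        return "Very High"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Moderate"
    if score >= 3:
        return "Low"
    return "Very Low"


def asset_criticality(confidentiality: int, integrity: int, availability: int) -> str:
    """Low/Medium/High rating for the Evaluation step, each CIA requirement on
    1..3. 'The highest requirement wins' is an assumption, not from the page."""
    for v in (confidentiality, integrity, availability):
        if v not in (1, 2, 3):
            raise ValueError("CIA requirements must be 1, 2 or 3")
    return {1: "Low", 2: "Medium", 3: "High"}[max(confidentiality, integrity, availability)]


def prioritize(register: list) -> list:
    """Highest score first; ties broken by impact so severe-but-rare risks surface."""
    return sorted(register, key=lambda r: (r.score(), r.impact), reverse=True)


def risk_matrix(register: list) -> dict:
    """Group risk names by (likelihood, impact) cell, the layout of a risk matrix table."""
    cells: dict = {}
    for r in register:
        cells.setdefault((r.likelihood, r.impact), []).append(r.name)
    return cells


def register_report(register: list) -> list:
    """Human-readable lines, one per risk, in priority order."""
    return [f"{r.rating():9} {r.score():2}  {r.name} (owner: {r.owner})"
            for r in prioritize(register)]


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("Phishing leads to credential theft", "Information Security", 4, 4,
         "CISO", "Security awareness training; MFA rollout", ["MFA on VPN"]),
    Risk("Unpatched file server exploited", "Technology", 3, 5,
         "IT Operations", "Monthly patch cycle; vulnerability scanning", []),
    Risk("Laptop lost in transit", "Operational", 3, 2,
         "IT Operations", "Full-disk encryption; remote wipe", ["FDE policy"]),
    Risk("Regulator fines for GDPR breach", "Compliance", 1, 5,
         "DPO", "Privacy impact assessments", ["Data retention policy"]),
]


if __name__ == "__main__":
    print("Customer database criticality:", asset_criticality(3, 2, 2))
    print("\n".join(register_report(SAMPLE_REGISTER)))
```

The register keeps the owner and response plan beside each rating so that the "Accountability/Ownership" and "Timelines" steps of the treatment plan have something to attach to; a rating without an owner is the most common way a register goes stale.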
Risk Treatment:
The actions and steps taken after risks have been identified are known as risk treatment. Several risk treatment options exist, such as:
- Avoid
- Transfer
- Response
- Reduce
- Accept
- Mitigate
- Prevent
- Control
- Share
Steps for Risk Treatment:
Below are the basic steps for carrying out a risk treatment plan.
- Identify risks and treatment options.
- Develop a plan.
- Document the details and approach.
- Assign accountability and ownership.
- Set timelines for resolution.
Industry frameworks for risk management:
There are a large number of publicly available frameworks for security risk management.
NIST 800-30 (CSF): Cyber Security Framework
This is published by the National Institute of Standards and Technology (NIST) and is widely used by government organizations, the defense sector, etc. It is freely available on the web.
ISO/IEC 31000:
Published by the International Organization for Standardization and available on a licensed basis, this is the parent standard that provides overall guidelines and principles for managing many different types of risk in a systematic, transparent and reliable manner.
Threat:
Any condition that could cause harm, loss, damage or compromise to an asset is known as a threat.
Example:-
Phishing attack, stolen password, virus attack
Vulnerability:
Any weakness in a system's design, implementation or software code is known as a vulnerability. A security vulnerability is a weakness, flaw or error found in a security system.
For example:-
Broken authentication, misconfiguration, poor encryption, unpatched software, weak passwords
-DR