Cybersecurity is all about understanding, managing, controlling and mitigating risk to your organization’s critical assets. Whether you like it or not, if you work in security, you are in the risk management business.
To get started with IT security risk assessment, you need to answer three important questions:
- What are your organization’s critical information technology assets — that is, the data whose exposure would have a major impact on your business operations?
- What are the top five business processes that utilize or require this information?
- What threats could affect the ability of those business functions to operate?
Once you know what you need to protect, you can begin developing strategies. However, before you spend a dollar of your budget or an hour of your time implementing a solution to reduce risk, you should be able to answer the following questions:
- What is the risk you are reducing?
- Is it the highest priority security risk?
- Are you reducing it in the most cost-effective way?
These questions get to the heart of the problem — that it is all about risk.
What is Risk?
Risk is a business concept — is the likelihood of financial loss for the organization high, medium, low or zero? Three factors play into risk determination: what the threat is, how vulnerable the system is, and the importance of the asset that could be damaged or made unavailable. Thus, risk can be defined as follows:
Risk = Threat x Vulnerability x Asset
Although risk is represented here as a mathematical formula, it is not about numbers; it is a logical construct. For example, suppose you want to assess the risk associated with the threat of hackers compromising a particular system. If your network is very vulnerable (perhaps because you have no firewall and no antivirus solution), and the asset is critical, your risk is high. However, if you have good perimeter defenses and your vulnerability is low, and even though the asset is still critical, your risk will be medium.
There are two special cases to keep in mind:
- Anything times zero is zero. If any of the factors is zero, even if the other factors are high or critical, your risk is zero.
- Risk implies uncertainty. If something is guaranteed to happen, it is not a risk.
Here are some common ways you can suffer financial damage:
- Data loss. Theft of trade secrets could cause you to lose business to your competitors. Theft of customer information could result in loss of trust and customer attrition.
- System or application downtime. If a system fails to perform its primary function, customers may be unable to place orders, employees may be unable to do their jobs or communicate, and so on.
- Legal consequences. If somebody steals data from one of your databases, even if that data is not particularly valuable, you can incur fines and other legal costs because you failed to comply with the data protection security requirements of HIPAA, PCI DSS or other compliance
Now let’s walk through the risk assessment procedure.
Step #1: Identify and Prioritize Assets
Assets include servers, client contact information, sensitive partner documents, trade secrets and so on. Remember, what you as a technician think is valuable might not be what is actually most valuable for the business. Therefore, you need to work with business users and management to create a list of all valuable assets. For each asset, gather the following information, as applicable:
- Support personnel
- Mission or purpose
- Functional requirements
- IT Security policies
- IT Security architecture
- Network topology
- Information storage protection
- Information flow
- Technical security controls
- Physical security environment
- Environmental security
Because most organizations have a limited budget for risk assessment, you will likely have to limit the scope of the project to mission-critical assets. Accordingly, you need to define a standard for determining the importance of each asset. Common criteria include the asset’s monetary value, legal standing and importance to the organization. Once the standard has been approved by management and formally incorporated into the risk assessment security policy, use it to classify each asset you identified as critical, major or minor.
Step #2: Identify Threats
A threat is anything that could exploit a vulnerability to breach security and cause harm to your organization. While hackers and malware probably leap to mind, there are many other types of threats:
- Natural disasters. Floods, hurricanes, earthquakes, fire and other natural disasters can destroy much more than a hacker. You can lose not only data, but the servers and appliances as well. When deciding where to house your servers, think about the chances of a natural disaster. For instance, don’t put your server room on the first floor if your area has a high risk of floods.
- System failure. The likelihood of system failure depends on the quality of your computer For relatively new, high-quality equipment, the chance of system failure is low. But if the equipment is old or from a “no-name” vendor, the chance of failure is much higher. Therefore, it’s wise to buy high-quality equipment, or at least equipment with good support.
- Accidental human interference. This threat is always high, no matter what business you are in. Anyone can make mistakes such as accidentally deleting important files, clicking on malware links, or accidentally physical damaging a piece of equipment. Therefore, you should regularly back up your data, including system settings, ACLs and other configuration information, and carefully track all changes to critical systems.
- Malicious humans. There are three types of malicious behavior:
- Interference is when somebody causes damage to your business by deleting data, engineering a distributed denial of service (DDOS) against your website, physically stealing a computer or server, and so on.
- Interception is classic hacking, where they steal your data.
- Impersonation is misuse of someone else’s credentials, which are often acquired through social engineering attacks or brute-force attacks, or purchased on the dark web.
Step #3: Identify Vulnerabilities
Third, we need to spot vulnerabilities. A vulnerability is a weakness that a threat can exploit to breach security and harm your organization. Vulnerabilities can be identified through vulnerability analysis, audit reports, the NIST vulnerability database, vendor data, commercial computer incident response teams, and system software security analysis.
Testing the IT system is also an important tool in identifying vulnerabilities. Testing can include the following:
- Information Security test and evaluation (ST&E) procedures
- Penetration testing techniques
- Automated vulnerability scanning tools
You can reduce your software-based vulnerabilities with proper patch management. But don’t forget about physical vulnerabilities. For example, moving your server room to the second floor of the building will greatly reduce your vulnerability to flooding.
Step #4: Analyze Controls
Analyze the controls that are either in place or in the planning stage to minimize or eliminate the probability that a threat will exploit vulnerability in the system. Controls can be implemented through technical means, such as computer hardware or software, encryption, intrusion detection mechanisms, and identification and authentication subsystems. Nontechnical controls include security policies, administrative actions, and physical and environmental mechanisms.
Both technical and nontechnical controls can further be classified as preventive or detective controls. As the name implies, preventive controls attempt to anticipate and stop attacks. Examples of preventive technical controls are encryption and authentication devices. Detective controls are used to discover attacks or events through such means as audit trails and intrusion detection systems.
Step #5: Determine the Likelihood of an Incident
Assess the probability that a vulnerability might actually be exploited, taking into account the type of vulnerability, the capability and motivation of the threat source, and the existence and effectiveness of your controls. Rather than a numerical score, many organizations use the categories high, medium and low to assess the likelihood of an attack or other adverse event.
Step #6: Assess the Impact a Threat Could Have
Impact analysis should include the following factors:
- The mission of the system, including the processes implemented by the system
- The criticality of the system, determined by its value and the value of the data to the organization
- The sensitivity of the system and its data
The information required to conduct an impact analysis can be obtained from existing organizational documentation, including a business impact analysis (BIA) (or mission impact analysis report, as it is sometimes called). This document uses either quantitative or qualitative means to determine the impact that would be caused by compromise or harm to the organization’s information assets.
An attack or adverse event can result in compromise or loss of information system confidentiality, integrity and availability. As with the likelihood determination, the impact on the system can be qualitatively assessed as high, medium or low.
The following additional items should be included in the impact analysis:
- The estimated frequency of the threat’s exploitation of a vulnerability on an annual basis
- The approximate cost of each of these occurrences
- A weight factor based on the relative impact of a specific threat exploiting a specific vulnerability
Step #7: Prioritize the Information Security Risks
For each threat/vulnerability pair, determine the level of risk to the IT system, based on the following:
- The likelihood that the threat will exploit the vulnerability
- The impact of the threat successfully exploiting the vulnerability
- The adequacy of the existing or planned information system security controls for eliminating or reducing the risk
A useful tool for estimating risk in this manner is the risk-level matrix. A high likelihood that the threat will occur is given a value of 1.0; a medium likelihood is assigned a value of 0.5; and a low likelihood of occurrence is given a rating of 0.1. Similarly, a high impact level is assigned a value of 100, a medium impact level 50, and a low impact level 10. Risk is calculated by multiplying the threat likelihood value by the impact value, and the risks are categorized as high, medium or low based on the result.
Step #8: Recommend Controls
Using the risk level as a basis, determine the actions that senior management and other responsible individuals must take to mitigate the risk. Here are some general guidelines for each level of risk:
- High— A plan for corrective measures should be developed as soon as possible.
- Medium — A plan for corrective measures should be developed within a reasonable period of time.
- Low — The team must decide whether to accept the risk or implement corrective actions.
As you consider controls to mitigate each risk, be sure to consider:
- Organizational policies
- Cost-benefit analysis
- Operational impact
- Applicable regulations
- The overall effectiveness of the recommended controls
- Safety and reliability
Step #9: Document the Results
The final step in the risk assessment process is to develop a risk assessment report to support management in making appropriate decisions on budget, policies, procedures and so on. For each threat, the report should describe the corresponding vulnerabilities, the assets at risk, the impact to your IT infrastructure, the likelihood of occurrence and the control recommendations. Here is a very simple example:
You can use your risk assessment report to identify key remediation steps that will reduce multiple risks. For example, ensuring backups are taken regularly and stored offsite will mitigate the risk of accidental file deletion and also the risk from flooding. Each of these steps should have the associated cost and should deliver real benefit in reducing the risks. Remember to focus on the business reasons for each improvement implementation.
As you work through this process, you will get a better idea of how the company and its infrastructure operates and how it can operate better. Then you can create risk assessment policy that defines what the organization must do periodically (annually in many cases), how risk is to be addressed and mitigated (for example, a minimum acceptable vulnerability window), and how the organization must carry out subsequent enterprise risk assessments for its IT infrastructure components and other assets.
Always keep in mind that the information security risk assessment and enterprise risk management processes are the heart of the cybersecurity. These are the processes that establish the rules and guidelines of the entire informational security management, providing answers to what threats and vulnerabilities can cause financial harm to our business and how they should be mitigated.