Cybersecurity
Module 8: Risk Management
Introduction to Information Security
Samer Aoudi


Learning Outcomes
Upon completing this module, learners will be able to:
  1. Demonstrate an understanding of risk management in the context of information security
  2. Explain risk management components
  3. Differentiate between standard risk management strategies
  4. Demonstrate an ability to perform risk identification and assessment for a given scenario
An overview of risk management

Risk, according to NIST [1], is the "net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence." To simplify, risk refers to the potential for loss, harm, or damage that results from uncertainty or exposure to threats. In the context of information security, risk is the likelihood and impact of a security incident that could result in harm to an organization's information assets, such as data breaches, unauthorized access to sensitive information, or system disruptions.

Risks in information security can arise from a variety of sources, including cyber-attacks, human error, natural disasters, and technology failures. Organizations must continually assess the potential risks to their information assets and prioritize their efforts to mitigate these risks.

Risk is typically measured in terms of two factors: the likelihood that a particular risk will occur, and the impact that the risk would have if it did occur. Organizations can then use this information to prioritize their risk mitigation efforts and make informed decisions about the allocation of resources to information security.

Managing Risk

To ensure organizations function effectively and without disruption due to security breaches, we must identify the potential risk and attempt to prevent it, rather than react to an event when it happens. In other words, we need to manage risk.

Risk management in the context of information security refers to the process of identifying, assessing, and prioritizing potential threats and vulnerabilities to an organization's information assets, and implementing measures to mitigate or eliminate these risks. This involves a systematic approach to protecting information systems, networks, and data from unauthorized access, misuse, theft, or destruction.

The goal of information security risk management is to reduce the likelihood and impact of security incidents, and to ensure that the organization is prepared to respond to such incidents effectively. This may involve implementing a range of security controls, such as firewalls, encryption, access controls, and incident response plans.

The Risk Management Process

Assets refer to any valuable component of the organization, including information, systems, networks, and personnel, that need to be protected from unauthorized access, use, disclosure, disruption, modification, or destruction.

Threats refer to any event, action, or circumstance that could potentially cause harm to the assets, such as cyber attacks, natural disasters, and human error.

Vulnerabilities refer to weaknesses in the systems, processes, or practices that can be exploited by threats to cause harm.

At a high level, the risk management process involves the following:

  1. Assets, their potential threats, and existing vulnerabilities are identified
  2. Resulting risk is analyzed
  3. Treatment/countermeasures are implemented

Figure 8.1: Risk Management Process

Countermeasures refer to the treatment or mitigation strategies that are put in place to reduce or eliminate the risks. Countermeasures can include technical solutions, such as firewalls and intrusion detection systems, as well as administrative and physical controls, such as access control policies and physical security measures. The purpose of countermeasures is to reduce the likelihood of a threat occurring and to minimize the impact if a threat does occur.

Risk Management Components

The components of risk management can vary depending on the specific approach or methodology used, but in general, a comprehensive risk management program includes the following components:

  1. Risk Identification: The process of identifying potential risks and threats to an organization's information assets, including internal and external risks.
  2. Risk Assessment: The process of evaluating the likelihood and impact of each identified risk, and determining the potential consequences of a security incident.
  3. Risk Control: The process of developing and implementing strategies to reduce the likelihood or impact of risks, such as implementing security controls, contingency planning, and incident response planning.

1-Risk Identification

Risk identification is the first step in a comprehensive risk management program. It involves identifying the potential risks and threats to an organization's information assets, including both internal and external risks. The goal of risk identification is to identify as many potential risks as possible, so that they can be effectively evaluated and managed.

As a first step, organizations must identify their information assets. By identifying relevant assets, organizations can better understand the information and systems that need to be protected, and can more effectively evaluate the potential risks and threats to these assets. Assets can include a wide range of information and systems, such as the ones shown in the table below:

Asset Type | Description
Data | Including confidential/sensitive information such as personal data, financial data, and trade secrets.
IT infrastructure | Servers, network devices, and other hardware and software components that support the organization's operations.
Business processes | The processes and systems used to support the organization's operations, such as financial systems, human resource systems, and customer relationship management systems.
Reputation | The organization's brand, image, and public perception.

Table 8.1: Asset Categories

Data classifications are used to categorize data based on its level of sensitivity and the level of protection required. The specific classifications used can vary between organizations, but some common classifications include:

  1. Confidential: Confidential data is sensitive information that must be protected from unauthorized access, use, disclosure, disruption, modification, or destruction. Examples of confidential data include financial information, personal information, trade secrets, and intellectual property.
  2. Private: Private data is information that is not intended for public distribution, but may not cause harm if it is accidentally disclosed. Examples of private data include personnel files and internal reports.
  3. Sensitive: Sensitive data is information that should not be disclosed to unauthorized individuals, but is not as critical as confidential data. Examples of sensitive data include marketing plans and product development information.
  4. Public: Public data is information that is not restricted and can be freely shared. Examples of public data include press releases and public records.

The specific classifications used, as well as the definitions and criteria for each classification, can vary between organizations. It's important for organizations to clearly define their data classifications and ensure that all employees understand and follow the established guidelines.

Quick Exercise

Classify the following data based on the classifications above:

  • Your photos
  • An email you sent
  • The MAC address of your laptop
  • A password
  • Bank statements
  • Music playlist
  • Browser bookmarks

The process of identifying relevant assets typically involves conducting a comprehensive inventory of the organization's information and systems, and then categorizing these assets based on their level of sensitivity and importance to the organization. A sample inventory can be seen in the table below:

Asset Name | Asset Type
Customer database | Confidential data
Employee payroll system | Business processes
Web server | IT infrastructure
VPN gateway | IT infrastructure
Company logo and branding | Reputation
Financial reporting system | Business processes
Email server | IT infrastructure
Trade secrets and proprietary information | Confidential data
Employee personal information database | Confidential data
Backup and disaster recovery systems | IT infrastructure

Table 8.2: Sample Asset Inventory

Question

Now that we identified assets, which one(s) do we focus on? In other words, how do we prioritize assets?

Asset prioritization is the process of determining the relative importance of different assets to the organization. This is an important aspect of asset identification because it helps organizations to focus their risk management efforts on the assets that are most critical to the organization and that pose the greatest risk.

The process of asset prioritization involves evaluating the value of each asset to the organization, as well as the potential impact to the organization if the asset is compromised or lost. Assets with a high value to the organization and a high potential impact are considered to be high priority and are given the greatest level of protection. The table below shows a sample impact matrix, which helps in asset prioritization:

Asset | Type | Data Classification | Impact on Organization
Financial records | Data | Confidential | Significant financial loss, damage to reputation, loss of competitive advantage
Employee personal information | Data | Confidential | Legal liability, damage to reputation, loss of trust
Trade secrets | Data | Confidential | Significant financial loss, damage to reputation, loss of competitive advantage
Marketing plans | Data | Sensitive | Loss of competitive advantage, damage to reputation
Server room | Physical asset | N/A | Disruption of operations, data loss, financial loss

Table 8.3: Sample Impact Matrix

Weighted Factor Analysis (WFA) is one tool that we can use to prioritize assets based on their relative importance or criticality to an organization. WFA works by assigning a weight to each factor that is considered important in the assessment of an asset, and then using these weights to calculate a score for each asset.

Consider the example shown in the tables below:

  1. We have four assets and three factors
  2. We assign weight to each factor
  3. The total weight of all factors must be equal to 100
  4. In step 1, we determine the impact of a particular asset against a particular factor on a scale from 0 to 1 (i.e., 0% to 100% impact)
  5. In step 2, we multiply the determined impact with the factor weight
  6. We finally add up to get the total weighted score of each asset
  7. In this example, Asset 1 has the highest score and thus the highest priority

Asset | Impact on Sales (50) | Impact on Reputation (25) | Legal Impact (25) | Weighted Score (100)
Asset 1 | High (0.5) | Medium (0.5) | High (0.5) | X
Asset 2 | Medium (0.3) | High (0.6) | Low (0.25) | X
Asset 3 | Low (0.1) | Low (0.25) | High (0.5) | X
Asset 4 | Medium (0.3) | Medium (0.5) | Low (0.25) | X

Table 8.4a: WFA Worksheet (Step 1)

Asset | Impact on Sales (50) | Impact on Reputation (25) | Legal Impact (25) | Weighted Score (100)
Asset 1 | High (25) | Medium (12.5) | High (12.5) | 50
Asset 2 | Medium (15) | High (15) | Low (6.25) | 36.25
Asset 3 | Low (5) | Low (6.25) | High (12.5) | 23.75
Asset 4 | Medium (15) | Medium (12.5) | Low (6.25) | 33.75

Table 8.4b: WFA Worksheet (Step 2)

2-Risk Assessment

Risk assessment is the process of evaluating the likelihood and potential impact of specific threats to an organization's assets. It involves analyzing the assets and the threats that they face, and determining the risk level associated with each. This information is then used to prioritize risk mitigation activities and make informed decisions about how to allocate resources.

The objective of risk assessment is to provide a clear understanding of the current security posture of an organization and the threats that it faces. It helps organizations determine the risk that their assets face, including the likelihood of a threat occurring and the potential impact it could have. The results of risk assessment are used to inform decisions about risk mitigation, including resource allocation and prioritization.

Risk assessment is typically performed using a combination of quantitative and qualitative methods, including vulnerability scans, penetration testing, threat modeling, and interviews with subject matter experts. The results of these assessments are then combined to produce a comprehensive view of the risks faced by an organization.

In order to be effective, risk assessments must be conducted on a regular basis and be updated to reflect changes in the organization's environment and assets. This helps organizations stay ahead of potential threats and continuously improve their security posture.

Threats to information security can be categorized in different ways, but the groups shown in the table below are common:

Category | Description
Natural Disasters | Include threats such as earthquakes, hurricanes, and floods, which can cause physical damage to an organization's facilities and disrupt its operations.
Technical Failures | Include threats such as hardware failures, software bugs, and network outages, which can cause systems to fail or become unavailable.
Human Errors | Include threats such as accidental deletion of data, misconfigured systems, and poor password practices, which are often caused by human mistakes.
Malicious Attacks | Include threats such as malware, phishing, and hacking, which are intentionally launched by attackers to harm an organization.
Physical Threats | Include threats such as theft, vandalism, and unauthorized access to physical assets, which can result in data breaches and other security incidents.
Insider Threats | Include threats such as employees who have authorized access to an organization's systems and data but use that access to cause harm, whether intentionally or unintentionally.

Table 8.5: Threat Categories

For risk to exist, threats alone are not enough. In many cases, at least one corresponding vulnerability needs to be present. The table below shows specific threats and a possible sample vulnerability:

Threat | Category | Vulnerability
Ransomware attack | Malicious Attacks | Unpatched software or lack of backup systems that allow attackers to encrypt and hold an organization's data hostage.
Accidental data deletion | Human Error | Lack of data backup and recovery systems, allowing for data to be permanently lost due to human error.
Physical theft of laptops or mobile devices | Physical Threats | Lack of physical security measures to prevent the theft of laptops or mobile devices that contain sensitive data.
Cyber-espionage | Malicious Attacks | Unsecured systems and networks, or employees who are not trained to detect and report suspicious activity, allowing attackers to gain unauthorized access to sensitive information.
Power outage | Natural Disasters | Lack of redundancy in power systems or data backup systems, leading to downtime or data loss in the event of a power outage.

Table 8.6: Threats & Vulnerabilities

Vulnerability Assessment: One way to discover vulnerabilities in our assets is by conducting a vulnerability assessment. Vulnerability assessment is the process of identifying and evaluating the vulnerabilities in an organization's information systems, infrastructure, and network. The goal of vulnerability assessment is to identify potential security weaknesses in the systems and to prioritize and mitigate these weaknesses in order to reduce the risk of a security breach.

Vulnerability assessment typically involves the use of automated tools (e.g., Nessus from Tenable) and manual techniques to identify vulnerabilities in the systems, including software, hardware, and network components. This information is then analyzed to determine the likelihood of a vulnerability being exploited, the potential impact if the vulnerability were exploited, and to prioritize mitigation efforts.

Risk is a function of likelihood and impact:

Likelihood is a measure of the probability that a particular threat will occur. It represents the chance or frequency of a specific threat event happening in a given time period. Likelihood is used in risk assessment to determine the probability of an occurrence.

Likelihood is expressed as a numeric value between 0.1 (low) and 1.0 (high), or a percentage between 1% and 100%. When the likelihood is ZERO (0), then, by definition, there is no Risk.

Impact is a measure of the consequences or effects of a threat event on an organization. It represents the extent of damage or harm that would result if the threat were to materialize. Impact can be measured in a variety of ways, including financial losses, disruption to operations, harm to reputation, and loss of sensitive information or intellectual property. In risk assessment, impact is used to determine the overall level of risk posed by a threat to an organization's assets. The impact of a threat is usually expressed as a value on a scale, such as high, medium, or low, or as a numerical score. A high impact indicates a significant potential for harm, while a low impact indicates a minimal potential for harm.

Note

One way to measure impact is using Weighted Factor Analysis (WFA) discussed above.

Risk prioritization is a sub-process of risk identification that deals with determining the order in which risks should be addressed based on their likelihood of occurring and the potential impact they could have on the organization. The goal of risk prioritization is to allocate resources effectively by focusing on the risks that pose the greatest threat to the organization.

In some texts, you might find risk prioritization as a standalone process. As mentioned above, risk is a function of likelihood and impact. The risk equation is shown below:

Risk = Likelihood x Impact

Risk prioritization helps organizations make informed decisions about where to allocate resources and prioritize risk mitigation efforts. By prioritizing risks, organizations can ensure that they are focusing on the most critical risks and making the most effective use of their resources. This can help organizations reduce the overall risk to their assets and ensure that they are better prepared to respond to potential security threats.

Let us build on the sample data we used before to determine the respective risks:

  1. We have four assets
  2. After conducting a vulnerability assessment, we identified one threat and one associated vulnerability for each asset
  3. We also determined the likelihood of a successful breach for each vulnerability
  4. During the risk identification phase, we used WFA to determine the impact of each asset
  5. Risk is calculated based on the equation above
The detailed example is shown in the table below:

Asset | Threat | Vulnerability | Likelihood | Impact | Risk
Asset 1 | Malware | Outdated software | 60% | 50 | 50 * 60% = 30
Asset 2 | Phishing | Lack of security awareness training | 40% | 36.25 | 36.25 * 40% = 14.5
Asset 3 | Man-in-the-Middle Attack | Unencrypted network communication | 75% | 23.75 | 23.75 * 75% = 17.81
Asset 4 | Ransomware | Lack of backups | 50% | 33.75 | 33.75 * 50% = 16.88

Table 8.7: Risk Calculation

Next, we rank the calculated risks (i.e., prioritize them):

  1. Asset 1 (highest priority)
  2. Asset 3
  3. Asset 4
  4. Asset 2 (lowest priority)
As mentioned above, risk prioritization helps prioritize risk control efforts.
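The WFA worksheet (Tables 8.4a/b) and the risk calculation and ranking (Table 8.7) can be carried out in a few lines of code. The following is an added example, not part of the original module; it reproduces the page's sample figures from constructed inputs, enforces the rules stated in the text (factor weights total 100, likelihood between 0 and 1, zero likelihood means zero risk), and returns the assets in priority order.

```python
"""Weighted Factor Analysis (WFA) and Risk = Likelihood x Impact, following
the worksheets in this module (Tables 8.4a/b and 8.7). Added example."""

# Constructed sample data, copied from the page's worked example.
# Step 3 of the WFA procedure: factor weights must add up to 100.
FACTOR_WEIGHTS = {"Impact on Sales": 50, "Impact on Reputation": 25, "Legal Impact": 25}

# WFA step 1: impact of each asset against each factor on a 0..1 scale.
ASSET_FACTOR_IMPACT = {
    "Asset 1": {"Impact on Sales": 0.5, "Impact on Reputation": 0.5, "Legal Impact": 0.5},
    "Asset 2": {"Impact on Sales": 0.3, "Impact on Reputation": 0.6, "Legal Impact": 0.25},
    "Asset 3": {"Impact on Sales": 0.1, "Impact on Reputation": 0.25, "Legal Impact": 0.5},
    "Asset 4": {"Impact on Sales": 0.3, "Impact on Reputation": 0.5, "Legal Impact": 0.25},
}

# Table 8.7: one threat, one vulnerability and a likelihood (0..1) per asset.
ASSET_EXPOSURE = {
    "Asset 1": ("Malware", "Outdated software", 0.60),
    "Asset 2": ("Phishing", "Lack of security awareness training", 0.40),
    "Asset 3": ("Man-in-the-Middle Attack", "Unencrypted network communication", 0.75),
    "Asset 4": ("Ransomware", "Lack of backups", 0.50),
}


def validate_weights(weights):
    """The module requires the factor weights to total exactly 100."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"factor weights must total 100, got {total}")


def weighted_score(factor_impacts, weights):
    """WFA step 2: multiply each 0..1 impact by its factor weight and add up."""
    validate_weights(weights)
    score = 0.0
    for factor, weight in weights.items():
        impact = factor_impacts[factor]
        if not 0.0 <= impact <= 1.0:
            raise ValueError(f"impact for {factor!r} must be between 0 and 1")
        score += impact * weight
    return score


def wfa_scores(asset_factor_impact, weights):
    """Weighted score (0..100) for every asset; used as the asset's impact value."""
    return {asset: weighted_score(fi, weights) for asset, fi in asset_factor_impact.items()}


def risk(likelihood, impact):
    """Risk = Likelihood x Impact. A likelihood of zero means, by definition, no risk."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be between 0 and 1")
    return likelihood * impact


def risk_register(scores, exposure):
    """Build Table 8.7: one row per asset, sorted from highest to lowest risk."""
    rows = []
    for asset, (threat, vulnerability, likelihood) in exposure.items():
        rows.append({
            "asset": asset,
            "threat": threat,
            "vulnerability": vulnerability,
            "likelihood": likelihood,
            "impact": scores[asset],
            "risk": risk(likelihood, scores[asset]),
        })
    rows.sort(key=lambda r: r["risk"], reverse=True)
    return rows


def prioritize(register):
    """Asset names in treatment order (highest risk first)."""
    return [row["asset"] for row in register]


if __name__ == "__main__":
    scores = wfa_scores(ASSET_FACTOR_IMPACT, FACTOR_WEIGHTS)
    register = risk_register(scores, ASSET_EXPOSURE)
    for row in register:
        print(f"{row['asset']}: {row['threat']} / {row['vulnerability']} -> "
              f"likelihood {row['likelihood']:.0%}, impact {row['impact']:.2f}, "
              f"risk {row['risk']:.2f}")
    print("Priority order:", ", ".join(prioritize(register)))
```

Running the script prints the four rows of Table 8.7 and the priority order Asset 1, Asset 3, Asset 4, Asset 2.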

3-Risk Control

Risk Control is the process of developing and implementing strategies to reduce the likelihood or impact of risks, such as implementing security controls, contingency planning, and incident response planning. The goal of risk control is to reduce the overall level of risk faced by an organization, by mitigating or eliminating the sources of risk, or by reducing the impact of security incidents.

There are several strategies that can be used to control risk:

  1. Avoidance: This involves avoiding activities or situations that pose a risk to the organization's information and systems. This strategy is typically used when the risk is too high, or the consequences of a risk materializing are too severe.
    Example: Deciding not to install or use a software application that has known security vulnerabilities, in order to reduce the risk of a security incident.
  2. Mitigation: This involves implementing measures to reduce the likelihood or impact of a risk. This can include implementing security controls, procedures, and processes, or reducing the scope of activities that pose a risk to the organization.
    Example 1: Implementing firewalls and network security devices to prevent unauthorized access to sensitive information and systems.
    Example 2: Providing regular security awareness training to employees to help them understand the importance of secure behavior.
  3. Transfer: This involves transferring the risk to another party, such as an insurance company. This strategy is typically used when the cost of mitigating a risk is too high, or when the consequences of a risk materializing are too severe.
    Example 1: Purchasing cyber insurance to transfer some of the financial risk of a security incident to an insurance company.
    Example 2: Outsourcing IT security functions to a third-party service provider.
  4. Acceptance: This involves accepting the risk and choosing not to implement any measures to reduce it. This strategy is typically used when the risk is low, or when the cost of mitigating the risk is too high.
    Example: Deciding to accept a certain level of risk associated with using a particular technology, such as cloud computing, despite the potential for security incidents.
    Example 2: Choosing not to implement certain security controls because of the cost and effort involved, with the understanding that the risk of a security incident will be higher as a result.

Risk control is an iterative process that involves continuous monitoring and review of risks and risk mitigation measures. This allows organizations to respond to changes in the threat environment, and to ensure that their risk mitigation measures remain effective over time.

Closing Notes

Legal and regulatory compliance refers to adhering to laws, regulations, standards, and guidelines related to the protection of sensitive information and data privacy. It involves understanding and following rules to minimize the risk of data breaches and ensure organizations are operating in accordance with relevant laws and regulations.

References
[1] NIST Risk Management Framework
[2] ISO/IEC 27005:2022: Guidance on managing information security risks
Case Study
Protecting Confidential Information in a Healthcare Organization
Problem

A healthcare organization had confidential information stored on their network systems, including patient medical records and financial information. Despite the organization having several security measures in place, such as firewalls and antivirus software, they still encountered numerous data breaches. The breaches resulted in the loss of sensitive information and damage to the organization's reputation, leading to increased regulations and financial losses.

Solution

The organization hired a consultant to conduct a comprehensive risk assessment of their information security system. The assessment revealed that the current security measures were insufficient and that additional controls were necessary to protect confidential information. The consultant recommended implementing a risk management program that included the following steps:

  1. Asset Identification: The consultant identified all assets that contained confidential information, including servers, laptops, and mobile devices.
  2. Threat Identification: The consultant analyzed the potential threats to these assets and categorized them according to their impact on the organization.
  3. Risk Assessment: The consultant evaluated the likelihood and impact of each threat and assigned a risk score to each. This helped the organization prioritize their efforts and allocate resources where they were most needed.
  4. Risk Mitigation: Based on the risk assessment, the consultant recommended implementing technical and administrative controls to reduce the likelihood of data breaches. This included upgrading the firewall, implementing encryption for sensitive data, and increasing employee training on information security.
  5. Risk Monitoring: The consultant recommended establishing ongoing monitoring and reporting to ensure that the security controls were effective and that any new threats were quickly identified and addressed.

Results

After implementing the risk management program, the healthcare organization experienced a significant reduction in data breaches and a significant improvement in the protection of confidential information. The organization's reputation was restored, and they were able to comply with increased regulations. The organization also saw a reduction in costs associated with data breaches, as well as improved efficiency due to the implementation of more effective security controls.

Case Study Questions

Attempt to answer the following questions before revealing the model answers:

  1. Why was the healthcare organization experiencing data breaches despite having security measures in place?
  2. What was the purpose of conducting a risk assessment?
  3. What steps were taken to mitigate the risks to confidential information?
  4. What were the results of implementing the risk management program?

Significance

This case study highlights the importance of understanding the differences between law, ethics, and policy in information security, and how these concepts can impact a company's ability to protect sensitive information and comply with relevant laws and regulations.

Model Answers

  1. The healthcare organization was experiencing data breaches despite having security measures in place because the measures were insufficient. The measures did not address all potential threats, and the organization did not have a comprehensive approach to managing their information security risks.
  2. The purpose of conducting a risk assessment was to evaluate the likelihood and impact of potential threats to confidential information and to prioritize the organization's efforts in protecting that information. The assessment helped the organization understand the risks they faced and determine the best ways to reduce those risks.
  3. To mitigate the risks to confidential information, the consultant recommended implementing technical and administrative controls, including upgrading the firewall, implementing encryption for sensitive data, and increasing employee training on information security. The consultant also recommended ongoing monitoring and reporting to ensure that the security controls were effective and that any new threats were quickly identified and addressed.
  4. The results of implementing the risk management program were a significant reduction in data breaches and a significant improvement in the protection of confidential information. The organization's reputation was restored, they were able to comply with increased regulations, and they saw a reduction in costs associated with data breaches and improved efficiency due to the implementation of more effective security controls.

Assignment
Risk Management
Scenario

Your organization is a medium-sized retail company that operates both online and offline. Your company stores and processes sensitive information of its customers and employees, including names, addresses, phone numbers, emails, and payment information. Your company is looking to improve its information security posture and you have been tasked with conducting a risk identification and assessment process.

Additional information to consider:

  1. Customer orders are processed online through the company's web application
  2. Order and customer data are stored in a MySQL database
  3. Customer complaints are handled via email
  4. Employee records are processed via a dedicated HR information system (HRMS)
  5. At the network level, the company is still using older routers
  6. The company has a firewall installed
  7. Each employee is issued a laptop
  8. Employees can access the company's information systems via their personal mobile phones

Problem

The organization has not conducted a thorough risk identification and assessment process and is concerned about the potential security risks that its information assets may be exposed to.

Solution

You have been tasked with conducting a risk identification and assessment process for the organization's information assets.

Requirements Analysis

Analyze the scenario above and perform the following tasks:

  1. Identify the assets, their type, their data classification, and their potential impact on the company.
  2. Create an Asset Inventory Worksheet using the following format:
     Asset Name | Asset Type | Data Classification | Impact
     Asset 1 | Information | Confidential | Legal liability
  3. Assign a value for the impact from 0-100, or alternatively, use a WFA to calculate impact as a weighted score (0-100):
     Asset Name | Asset Type | Data Classification | Impact
     Asset 1 | Information | Confidential | Legal liability (50)
  4. Identify potential threats and vulnerabilities for each asset using the format shown below. Note that this task requires some research.
     Asset Name | Threats | Vulnerabilities
     Asset 1 | SQL injection attack | Unpatched software or weak input validation in the application code
  5. Determine the likelihood of a successful breach for each vulnerability. Note that an asset may have multiple threats and vulnerabilities; you will need a row for each vulnerability.
     Asset Name | Threats | Vulnerabilities | Likelihood
     Asset 1 | T1: SQL injection attack | V1: Unpatched software or weak input validation in the application code | 50%
     Asset 1 | T1: ... | V2: ... | 25%
  6. Calculate the risks using the following format:
     Asset Name | Vulnerabilities | Likelihood | Impact | Risk
     Asset 1 | V1 | 50% | 50 | 25
     Asset 1 | V2 | 25% | 50 | 12.5
  7. Rank the calculated risks and prioritize accordingly.
  8. Propose a risk control strategy for each vulnerability you reported. Note that this requires research.

Module Summary
  • Risk refers to the potential for loss, harm, or damage that results from uncertainty or exposure to threats.
  • Risk management refers to the process of identifying, assessing, and prioritizing potential threats and vulnerabilities to an organization's information assets, and implementing measures to mitigate or eliminate these risks.
  • Assets refer to any valuable component of the organization, including information, systems, networks, and personnel, that need to be protected from unauthorized access, use, disclosure, disruption, modification, or destruction.
  • Threats refer to any event, action, or circumstance that could potentially cause harm to the assets, such as cyber attacks, natural disasters, and human error.
  • Vulnerabilities refer to weaknesses in the systems, processes, or practices that can be exploited by threats to cause harm.
  • Countermeasures refer to the treatment or mitigation strategies that are put in place to reduce or eliminate the risks.
  • The components of risk management are: Risk Identification, Risk Assessment, and Risk Control.
  • Data classifications are used to categorize data based on its level of sensitivity and the level of protection required (e.g., confidential, private, sensitive, and public).
  • Asset prioritization is the process of determining the relative importance of different assets to the organization.
  • Risk assessment is the process of evaluating the likelihood and potential impact of specific threats to an organization's assets.
  • Risk is a function of likelihood and impact.
  • Risk prioritization is a sub-process of risk identification that deals with determining the order in which risks should be addressed based on their likelihood of occurring and the potential impact they could have on the organization.
Module Revision Questions
  • What is risk in the context of information security?
  • What is risk management?
  • Identify and explain the components of risk management.
  • What is WFA?
  • How do we calculate risk?
  • Compare the different risk control strategies.
Module Glossary
Term | Definition
WFA | Weighted Factor Analysis (WFA) is a tool that is used to prioritize assets based on their relative importance or criticality to an organization.
VA | Vulnerability Assessment (VA) is the process of identifying and evaluating the vulnerabilities in an organization's information systems, infrastructure, and network.
Likelihood | Likelihood is a measure of the probability that a particular threat will occur.
Impact | Impact is a measure of the consequences or effects of a threat event on an organization.
Risk | Risk = Likelihood x Impact
© Samer Aoudi 2005-2024
