Information security risk management, or ISRM, is the process of managing risks associated with the use of information technology. It involves identifying, assessing, and treating risks to the confidentiality, integrity, and availability of an organization's assets.
What is an Information Security Risk and/or Cyber Risk?
Risk is the possibility of loss (potential loss) or the effect of uncertainty on objectives (results to be achieved).
In the context of cybersecurity, risk is the potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.
Asset: An asset is what we're trying to protect: people, property, and information. People may include employees, customers, and so on. Property assets consist of both tangible and intangible items that have value to the organization; intangible assets include reputation and brand value. Information may include databases, software code, critical company records, trade secrets, and many other intangible items.
Threats: A threat is something from which we're trying to protect an asset: a potential cause of an unwanted incident which may harm a system or organization. In simplified form, a threat is anything which can leverage a vulnerability (intentionally or accidentally) to acquire, damage, or destroy an asset, such as a DDoS attack, unpatched systems, or a virus/malware.
Vulnerability: A weakness of an asset or control that can be exploited or leveraged by a threat to cause risk to an asset, such as a DDoS weakness in software code, missing security updates on a system, or the absence of anti-virus/anti-malware software on the system.
Before we move forward to understand IT risk management, it is important to know a couple more definitions:
Likelihood (probability or frequency) of occurrence: In the context of information security risk assessment and management, likelihood is the chance that a threat will exploit or leverage a vulnerability to cause an impact. Likelihood can be determined or measured objectively or subjectively.
Objective measurement example: Times per Year or Quarter or Month
Subjective measurement example: High, Medium, Low
Impact (consequences): Impact is the outcome or result of an event (or incident) in which a threat successfully exploits a vulnerability in the asset.
Standard IT Risk Management Process
Information Security risk management is the application of the principles of risk management to an information security environment in order to manage the risks associated with this field. Risk management is a systematic process for identifying, analyzing, evaluating, performing risk treatment and monitoring risks to the business of an organization. Information security Risk treatment can be performed by remediating a risk, transferring risk to another party, avoiding the risk altogether, or assuming the risk with its potential consequences (accepting a risk).
As a result of the risk management process, an organization is able to decide on the controls which mitigate a risk, avoid a risk, prevent its occurrence, reduce the magnitude of its consequences (impact), transfer it to another party, or assume the risk along with its potential consequences.
The exact steps depend on the risk management framework an organization uses; however, at a high level, most IT risk management frameworks follow the step-by-step approach below:
Risk framing: How the organization intends to assess, respond to, and monitor risks. This identifies the specific assessment methodology to be employed, the procedures for selecting the risk factors to be considered, the scope of the assessment, the rigor of the analysis, the degree of formality, and other parameters.
Prepare for a Risk Assessment:
Establish the context for the risk assessment from the results of the risk framing process, which defines how the organization intends to assess, respond to, and monitor risks: the specific assessment methodology to be employed, the procedures for selecting the risk factors to be considered, the scope of the assessment, the rigor of the analysis, the degree of formality, and other parameters.
A risk assessment can be performed for legal, regulatory, business continuity, financial, information and/or cyber security purposes, among others. Identifying the exact purpose of a risk assessment is important before starting it. As an example, we take information security risk assessment, which itself includes a variety of sub-functions such as data risk, cyber risk, technical risk, and functional risk. Hence, identifying and articulating the purpose of a risk assessment is the first thing to do before starting one.
Once the purpose of the risk assessment is finalized, it is important to have a clear understanding of the boundaries and scope within which the risk assessment needs to be performed. For example, if the purpose of the risk assessment is to assess cyber risks, then it is important to define which assets and processes are in scope.
The next step towards performing a risk assessment is to identify the most suitable and feasible risk assessment approach and methodology (A&M) that enables the objectives of the risk assessment to be achieved.
The A&M for a risk assessment typically includes identification of the valid inputs to the assessment, the risk models, the analytical approaches, and the assumptions and expected constraints to be considered.
Conduct Risk Assessment:
In this phase, the assessors carry out the activities pertaining to the execution of the risk assessment, which include but are not limited to the following tasks:
Analyze and identify all threat sources that are relevant to the scope and purpose of the risk assessment and to the organization.
Analyze and identify threat events (events which could be produced by those threat sources).
Analyze and identify vulnerabilities within the organization's assets and processes which could be exploited by threat sources; the assets and processes are selected in line with the purpose and scope of the risk assessment.
Prepare analytical models of how threat events can exploit vulnerabilities, including every possible condition, to the extent practicable.
Determine how motivated threat sources are to produce threat events, and the likelihood that they do so.
Determine the likelihood that a threat event will successfully exploit the vulnerability and cause an adverse impact on the organization.
Determine the magnitude of the adverse impact on the organization's assets, operations, processes, personnel, other associated organizations, and the nation resulting from the exploitation of a vulnerability by a threat source through a specific threat event.
Determine the risks as a combination of the likelihood of threat exploitation of a vulnerability and the impact of exploitation, including any uncertainties with respect to risk determination.
The third phase of this process is to communicate the assessment results and share risk-related information with organization stakeholders and authorized interested parties. The objective is to ensure that decision-makers in the organization have the appropriate risk-related information to take informed and guided risk management decisions.
Identify and analyze an effective communication plan for executive management, organization stakeholders, and authorized interested parties.
Normally an organization and its IT environment are quite dynamic, so risk assessment results may go stale if they are not communicated to the decision-makers in a timely manner. On the other hand, getting time with organization leadership and decision-makers is not easy and may delay communication. Hence, proper planning for communicating results requires good project management and adherence to timelines.
Also, communicating and presenting the risk assessment results effectively to organization stakeholders and authorized interested parties is important so that there is no ambiguity between stakeholders in the interpretation of the results.
The objective of this step is to keep the organization's knowledge of the risks it may currently incur up to date. The results of a risk assessment (RA) inform risk management decisions and guide risk responses. To secure ongoing activities in the organization and support the ongoing review of risk management decisions, an organization must maintain its assessments to incorporate changes detected through risk monitoring. Maintaining a risk assessment includes:
Monitoring the risk factors identified in the risk assessment on an ongoing basis, and tracking and understanding subsequent changes to those factors.
Updating the components of the risk assessment to reflect the monitoring activities carried out by the organization.
Types of Risk Assessment:
An organization has the option to carry out a risk assessment in one of two ways: either a qualitative or a quantitative risk assessment. Readers will find numerous articles on the web comparing the two and saying which is better and why. In our opinion, though, comparing both and deciding which is better to use is an apples vs. oranges comparison, as different organizations have different sorts of needs. Also, there are multiple risks for which values cannot be efficiently quantified, such as brand value and reputation. Let us quickly go through what qualitative and quantitative risk assessments are before drawing a conclusion.
Qualitative Risk Assessment:
Qualitative risk assessment produces valid results that are descriptive. A qualitative risk analysis prioritizes the identified risks using a pre-defined rating scale. Risks are scored based on their likelihood of occurring and their impact on objectives. In a qualitative risk assessment, the focus is on the users' (asset or process owners') experience and perceptions of the probability of a risk occurring and of its impact on the relevant organizational objectives. This perception is represented on scales such as "low - medium - high" or "1 - 2 - 3", or other values, which are combined to define the risk's final value.
Example Risk assessment table for Qualitative Risk Assessment:
Quantitative Risk Assessment:
Quantitative risk assessments, on the other hand, are numeric in nature: analysis parameters such as likelihood, potential adverse impact, control effectiveness, and other aspects of the risk assessment have discrete mathematical values. Quantitative risk assessment focuses on factual and measurable data and on a highly mathematical and computational basis, normally expressing risk values in monetary terms, which makes its results useful outside the context of the assessment (a loss of money is understandable by everyone).
To reach a monetary result, quantitative risk assessment often makes use of these concepts:
Single Loss Expectancy (SLE): SLE is the estimated loss, simply the money expected to be lost if a threat event successfully exploits a vulnerability in an asset once. It may also be described as the difference between the original value of an asset and its remaining value after a single exploit.
SLE = Asset Value (in $) x Exposure Factor
Annualized Rate of Occurrence (ARO): ARO is an estimate of how often a threat will be successful in exploiting a vulnerability over the period of a year. An organization may tweak this parameter as per its requirements; it may be adjusted to calculate a quarterly or half-yearly rate as required.
Annualized Loss Expectancy (ALE): ALE is the product of the yearly estimate of exploits and the loss in value of an asset after a single exploit (the SLE). Simply put, it is the estimated loss in one year considering SLE and ARO (ALE = SLE x ARO).
For a quantitative risk assessment, this is the risk value. With this value, an organization can estimate what should be spent on countermeasures (controls). Always remember: "The cost of an information and/or cybersecurity countermeasure (control) can't be greater than the value being protected."
Qualitative and quantitative assessments have specific characteristics that make each one better for a specific purpose and scope; that is why we called comparing the two an apples vs. oranges comparison in the introduction. Below are some facts about these assessments:
Qualitative risk assessment is suitable for, but not limited to, the following scenarios:
The organization cannot afford to invest in an efficient quantitative risk assessment.
The risk assessors available to the organization have limited knowledge and expertise in quantitative risk assessment.
The time frame to complete the risk assessment is short, or the risk needs to be addressed at the earliest.
The organization doesn't have enough comprehensive data to commence a quantitative risk assessment.
The organization believes that the risk assessors and users (asset or process owners) available for the assessment are long-term employees with significant experience of the business and its critical systems.
Quantitative risk assessment is suitable for, but not limited to, the following scenarios:
The organization has enough financial strength to invest in an efficient quantitative risk assessment.
The risk assessors available to the organization have knowledge and expertise in quantitative risk assessment, and the relevant data, information and statistics are available to carry out the assessment process correctly.
The organization has enough time and resources to complete the quantitative risk assessment process, and the results will not be obsolete by the time countermeasures are selected and implemented.
Combining Qualitative and Quantitative Risk Assessment
Combining both approaches can prove to be the best alternative. Using the qualitative approach, an organization can quickly identify most of the risks under normal conditions. After that, the organization may select which risks it is willing to perform a quantitative risk assessment for. For example, an organization may elect to commence a quantitative risk assessment for all High and Critical rated risks. In the end, it depends on executive management how much they are willing to pay for a risk assessment and what rigor of analysis and degree of formality they want in order to take risk-related decisions.
An analogy for easy understanding of this scenario is a visit to the doctor. The doctor first asks a few simple questions and, from the patient's answers, decides which more detailed examinations to perform, instead of trying every examination he knows at the start.
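The combined approach just described, together with the qualitative rating scale and the SLE/ARO/ALE formulas from the earlier sections, as an added Python example that is not part of the original article: it screens a constructed risk register on an assumed 1-3 likelihood x impact scale, quantifies only the risks rated High or Critical, and checks whether a proposed control's annual cost stays below the ALE it averts. The scale, the rating bands, and all figures are assumptions.

```python
# Added example: qualitative screen, then SLE/ARO/ALE for High/Critical risks.
# The 1-3 scale, the rating bands and all figures are constructed assumptions.
SCALE = {"low": 1, "medium": 2, "high": 3}  # assumed qualitative scale

def qualitative_rating(likelihood: str, impact: str) -> str:
    """Score = likelihood x impact on the 1-3 scale; bands are an assumed convention."""
    score = SCALE[likelihood.lower()] * SCALE[impact.lower()]
    if score >= 9:
        return "Critical"
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor (EF = fraction of value lost per event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor

def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO; ARO may be fractional (0.125 = once every eight years)."""
    return sle * aro

def control_is_justified(ale_before: float, ale_after: float, annual_cost: float) -> bool:
    """A control should not cost more per year than the loss it is expected to avert."""
    return annual_cost <= ale_before - ale_after

def assess(risks):
    """Rate every risk qualitatively; compute ALE only for High/Critical ones."""
    results = {}
    for r in risks:
        rating = qualitative_rating(r["likelihood"], r["impact"])
        ale = None
        if rating in ("High", "Critical"):
            sle = single_loss_expectancy(r["asset_value"], r["exposure_factor"])
            ale = annualized_loss_expectancy(sle, r["aro"])
        results[r["name"]] = (rating, ale)
    return results

# Constructed sample register (figures are made up for illustration).
SAMPLE_RISKS = [
    {"name": "ransomware on file server", "likelihood": "medium", "impact": "high",
     "asset_value": 200_000, "exposure_factor": 0.25, "aro": 0.5},
    {"name": "lobby screen defaced", "likelihood": "low", "impact": "low",
     "asset_value": 2_000, "exposure_factor": 1.0, "aro": 1.0},
]
```

Calling assess(SAMPLE_RISKS) rates both constructed risks but computes an ALE only for the one rated High; control_is_justified then compares a control's yearly cost with the ALE reduction it is expected to deliver.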
Information Technology Risk Assessment Frameworks:
ISO 27005:2018: Information technology — Security techniques — Information security risk management.
The Risk IT Framework – ISACA
NIST Special Publication 800-30: Guide for Conducting Risk Assessments of federal information systems and organizations.
NIST Special Publication 800-37: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
NIST Special Publication 800-39: Managing Information Security Risk – Organization, Mission, and Information System View