Understanding Risk Analysis and Management
It is important that the information-security profession speak the essential language of business when communicating the risks and the ROI of risk-management measures to management. The profession also must ensure that its audience understands what information-security and audit professionals are saying. By using a consistent language to convey risk, it becomes possible to establish effective channels of communication among information-security practitioners, auditors, business managers, and governance officials.
To continue our previous discussion on understanding and agreeing on the basic concepts...
Q: What is "Risk Analysis"?
ISO/IEC Guide 73:2002 defines risk analysis as: "systematic use of information to identify sources and to estimate the risk".
Risk Analysis is the process of examining a system and its operational context to determine possible exposures and the possible harm they can cause.
- A study of risk that a business or system is subject to.
- A process to determine exposure and potential loss.
Risk Analysis can also be described as "The process of gathering and analyzing risk-related information in the preparation of a risk assessment."
The FERMA Risk Management Standard (pp. 6-9) specifies that risk analysis includes the following:
- Risk identification - this sets out to identify an organisation's exposure to uncertainty. This needs to cover the organisation itself, its market and the environment in which it operates.
- Risk description - displaying the identified risks in a structured format.
- Risk estimation - covering both opportunities and threats in a structured manner. This can involve quantitative, semi-quantitative and qualitative approaches.
- Risk analysis methods and techniques - the Standard offers a range of techniques, covering both 'upside' and 'downside' risks.
- Risk profile - this assigns a significance to each risk and provides a tool for prioritising risk assessment effort.
Q: What are the two risk analysis technique options?
"Quantitative analysis" and "Qualitative analysis".
In short,
- Qualitative relates to that which is characteristic of something and which makes it what it is.
- Quantitative relates to, concerning, or based on the amount or number of something, capable of being measured or expressed in numerical terms.
Q: What is "Quantitative Risk Analysis"?
This approach employs two fundamental elements:
- the probability of an event occurring, and
- the likely loss should it occur.
Quantitative risk analysis combines these two elements into a single figure, called the 'Annual Loss Expectancy (ALE)' or the 'Estimated Annual Cost (EAC)'. It is calculated for an event by simply multiplying the potential loss by the probability. It is thus theoretically possible to rank events in order of risk (ALE) and to make decisions on that basis.
The problems with this type of risk analysis are usually associated with the unreliability and inaccuracy of the data. Probability can rarely be precise and can, in some cases, promote complacency.
Q: What is "Qualitative Risk Analysis"?
This is by far the most widely used approach to risk analysis. Probability data is not required and only estimated potential loss is used.
Most qualitative risk analysis methodologies make use of a number of interrelated elements:
Threats - These are things that can go wrong or that can 'attack' the system. Examples might include fire or fraud. Threats are ever present for every system.
Vulnerabilities - These make a system more prone to attack by a threat or make an attack more likely to have some success or impact. For example, for fire a vulnerability would be the presence of inflammable materials (e.g. paper).
Controls - These are the countermeasures for vulnerabilities. There are four types:
- Deterrent controls reduce the likelihood of a deliberate attack
- Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact
- Corrective controls reduce the effect of an attack
- Detective controls discover attacks and trigger preventative or corrective controls.
Q: What is "Risk Evaluation"?
ISO/IEC Guide 73:2002 defines risk evaluation as: "the process of comparing the estimated risk against given risk criteria to determine the significance of the risk" and "judgement, on the basis of risk analysis, of whether the risk reduction objectives have been achieved".
The FERMA Risk Management Standard describes risk evaluation as "comparing the estimated risks against the risk criteria that the organisation has established. Risk criteria may include associated costs and benefits, legal requirements, socio-economic and environmental factors […]"
Q: What is "Risk Assessment"?
ISO/IEC Guide 73:2002 defines risk assessment as: "the overall process of risk analysis and risk evaluation".
Risk assessment is a detailed articulation of the risks associated with the information assets and supporting IT&C resources at risk, threats that could adversely impact those assets, and vulnerabilities that could allow those threats to occur with greater frequency or impact. See: risk analysis.
The Institute of Internal Auditors (IIA) Standards define risk assessment as "a systematic process for assessing and integrating professional judgments about probable adverse conditions and/or events. The risk assessment process should provide a means of organizing and integrating professional judgments for development of the audit work schedule."
Q: What are three different "Risk Assessment" approaches?
According to the ISO 13335-2 standard, the three risk assessment approaches are:
- high-level risk assessment,
- detailed risk assessment, and
- iterative process
High-level Assessment Process
The high-level assessment serves to scope the task and to identify threats, vulnerabilities and risks with information that is immediately available. From this, it should be possible to identify the appropriate controls to treat the risks. The first decision point occurs following the high-level assessment.
At this decision point, if sufficient information has been available for a satisfactory assessment, then risks can be treated, and the assessment process considered to be completed.
Detailed Risk Assessment Process
If, however, insufficient information has been available, for any of the context, threat, and vulnerabilities, then at this first decision point, it should be decided to begin again and conduct a detailed risk assessment. For this detailed risk assessment, additional information will need to be gathered, to expand the scope, to establish a more definitive context, considering for example external influences and constraints, and to research applicable threats and vulnerabilities.
Iterative Risk Assessment Process
The risk treatment process can also be iterative (repetition and recurrence).
Depending on the outcome of the risk treatment, it might be necessary to go back to the starting point and refine the context, or to repeat the risk treatment process.
The risk treatment process is considered complete when all unaccepted risks are addressed.
In summary, the iterative risk management process:
- carries out an initial high-level risk assessment to identify the most valuable and critical information, processes and systems and the risks to which they are exposed;
- treats risks with baseline controls for processes and systems that are either at low risk or of low value or criticality;
- after the initial high-level assessment, determines what additional information could be needed to assess risks, especially for information and systems considered to be high risk or high value or criticality;
- conducts a detailed risk assessment for these systems;
- continues the iterative process until acceptable risk management decisions have been made for all information processes and systems.
Q: What is the difference between initial and continuous 'risk identification'?
The identification of risk can be separated into two distinct phases. There is:
- initial risk identification, for an organisation which has not previously identified its risks in a structured way, or for a new organisation, or perhaps for a new project or activity within an organisation; and
- continuous risk identification, which is necessary to identify new risks which did not previously arise, changes in existing risks, or risks which did exist ceasing to be relevant to the organisation (this should be a routine element of the conduct of business).
Q: What is "Residual Risk"?
Risk that remains after safeguards have been implemented. (Risk that remains to an information asset even after an existing control has been applied.)
Equation:
(threats x vulnerability x asset value) x control gap = residual risk
To express it another way, (Trygstad, 2005) “Residual Risk is a combined function of
(1) a threat less the effect of some threat reducing safeguards;
(2) a vulnerability less the effect of some vulnerability reducing safeguards and
(3) an asset less the effect of some asset value reducing safeguards.”
No control can ever offer absolute assurance; there will always be a residual risk.
Q: What is "Total Risk"?
Total risk is the risk that exists when a company chooses not to implement any type of safeguard. The reasoning for such a choice would be the results of the cost/benefit analysis.
Threats x vulnerability x asset value = total risk
Q: What is "Inherent Risk"?
Care should also be taken to capture information about the inherent risk. If this is not done the organisation will not know what its exposure will be if control should fail. Knowledge about the inherent risk also allows better consideration of whether there is over-control in place - if the inherent risk is within the risk appetite, resources may not need to be expended on controlling that risk.
Q: What is “Risk Appetite”?
Risk appetite is the degree of risk, on a broad-based level, that a company or other entity is willing to accept in pursuit of its goals. Management considers the entity’s risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks.
When considering vulnerabilities and threats, the concept of risk appetite embraces the level of exposure which is considered tolerable and justifiable should it be realised. In this sense it is about comparing the cost (financial or otherwise) of constraining the risk with the cost of the exposure should the exposure become a reality, and finding an acceptable balance.
Risk appetite has three key elements (CAREY, 2005), which I often develop and use in a tabular format:
1. Impact - helps the user to identify and measure the potential consequences of a risk/event to the organization.
2. Likelihood - measures the probability that the risk/event will come to fruition and will actually result in a loss.
3. Risk Response Table - a scorecard that directs mitigating action based on the overall risk level the organization faces for each risk/event.
Various types of impacts should be identified so that your full range of risk events can be assessed on a level playing field against each other. Each risk level should have a corresponding response, commensurate to the existing risk exposure. The responses can include escalation pathways and levels, timeframes, other parties that must be informed, etc. The risk appetite approach and response approach must be communicated throughout the organization.
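The three-element scorecard described above, worked through as an added example (not from the original post or from Carey): impact and likelihood scales are multiplied into an overall risk level, and a risk response table directs the action, escalation path and timeframe for that level. The scales, thresholds, responses and the sample risk register are constructed assumptions.

```python
"""Qualitative risk appetite scorecard: impact x likelihood -> response table.
Added example; scales, thresholds, responses and register are constructed."""
from dataclasses import dataclass

# 1. Impact scale (constructed): consequence of the risk/event to the organisation.
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# 2. Likelihood scale (constructed): chance the event occurs and results in a loss.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
# 3. Risk response table (constructed): overall level -> directed mitigating action,
#    who must be informed, and the timeframe, checked from highest threshold down.
RESPONSE_TABLE = [
    # (min_score, level, response, escalate_to, timeframe)
    (15, "critical", "stop the activity; mitigate before resuming", "board / CISO", "24 hours"),
    (8, "high", "mitigate with a funded action plan", "senior management", "30 days"),
    (4, "medium", "mitigate where cost-effective; monitor", "risk owner", "90 days"),
    (1, "low", "accept within appetite; review annually", "none", "next review"),
]


@dataclass(frozen=True)
class RiskEvent:
    name: str
    impact: str      # key into IMPACT
    likelihood: str  # key into LIKELIHOOD


def score(event: RiskEvent) -> int:
    """Overall risk level = impact rating x likelihood rating (1..25)."""
    return IMPACT[event.impact] * LIKELIHOOD[event.likelihood]


def respond(event: RiskEvent) -> dict:
    """Apply the response table to the event's overall score."""
    s = score(event)
    for min_score, level, action, escalate_to, timeframe in RESPONSE_TABLE:
        if s >= min_score:
            return {"event": event.name, "score": s, "level": level, "response": action,
                    "escalate_to": escalate_to, "timeframe": timeframe}
    raise ValueError(f"score {s} not covered by the response table")


def prioritise(events) -> list:
    """Rank the register so mitigating effort goes to the highest risk level first."""
    return sorted((respond(e) for e in events), key=lambda r: r["score"], reverse=True)


# Constructed sample risk register.
REGISTER = [
    RiskEvent("customer database disclosure", "severe", "possible"),
    RiskEvent("office printer outage", "negligible", "likely"),
    RiskEvent("payroll system fraud", "major", "unlikely"),
]

if __name__ == "__main__":
    for row in prioritise(REGISTER):
        print(f"{row['score']:>2} {row['level']:<8} {row['event']}: {row['response']} "
              f"(inform {row['escalate_to']}, within {row['timeframe']})")
```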
Q: What is the difference between "Risk Appetite" and "Risk Tolerance"?
Both risk appetite and risk tolerance set boundaries of how much risk an entity is prepared to accept. Risk appetite is a higher level statement that considers broadly the levels of risks that management deems acceptable while risk tolerances are more narrow and set the acceptable level of variation around objectives.
For instance, a company that says that it does not accept risks that could result in a significant loss of its revenue base is expressing appetite. When the same company says that it does not wish to accept risks that would cause revenue from its top-10 customers to decline by more than 10%, it is expressing tolerance. Operating within risk tolerances provides management greater assurance that the company remains within its risk appetite, which, in turn, provides a higher degree of comfort that the company will achieve its objectives. (IIA, n.d.)
The IEC definition for tolerable risk is:
"risk which is accepted in a given context based on the current values of society"
Tolerable risk is the result of a balance between the ideal of absolute safety, the demands to be met by a product, process or service, and factors such as benefit to the user, suitability of purpose, cost effectiveness, risk evaluation, conventions of the society concerned, and the state of the art.
Refer: http://std.iec.ch/terms/terms.nsf/0/9845B4A982C8E8DAC1256F5F004BC1A2?OpenDocument
Q: What is "Operational Risk"?
Operational risk is defined as the risk of loss resulting from inadequate or failed processes, people, and systems, or from external events. The definition includes legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes exposure to litigation from all aspects of an institution's activities.
Traditionally, operational risk can be associated with the following:
- People: losses associated with intentional violation of internal policies by current or past employees.
- Process: losses that have been incurred due to a deficiency in an existing procedure, or the absence of a procedure. Losses can result from human error or unintentional failure to follow an existing procedure.
- Systems: losses that are caused by unintentional breakdowns in existing systems or technology.
- External: losses occurring as a result of natural or man-made forces, or the direct result of a third party's action.
Q: What is "Risk Mitigation Analysis"?
Risk Mitigation Analysis is the process of identifying safeguards or controls that suitably prevent threat events, detect threat events for subsequent corrective action, or contain the loss that may arise from threat events. Risk mitigation analysis also includes applicable cost/benefit and ROI analysis. For example, is the annualized safeguard or control cost less than the annualized expected risk loss, and is the resulting ROI acceptable?
By quantifying the risk, we can justify the benefit of spending money to implement controls: RISK = LOSS ($) x PROBABILITY.
Q: What is "Risk Audit"?
A Risk Audit is an audit that provides an independent assessment of the risk management practices of a company, and verifies that the company has appropriate risk management controls, that it adheres to these controls, and that it mitigates risk in compliance with approved policies and procedures.
Q: What are the criteria used when evaluating risk?
Risks of an organization are evaluated by three distinguishing characteristics:
- A loss associated with an event, e.g., disclosure of confidential data, lost time, lost revenues.
- The likelihood that the event will occur, i.e. the probability of occurrence of the event.
- The degree to which the risk outcome can be influenced, i.e. controls that will influence the event.
Q: What is "Risk Response" ? (also referred to as "risk reduction strategies")
Risk responses fall within the categories of risk avoidance, reduction, sharing, and acceptance.
Avoidance responses take action to exit the activities that give rise to the risks.
Reduction responses reduce the risk likelihood, impact, or both.
Sharing responses (also sometimes referred to as "transferring the risk") reduce risk likelihood or impact by transferring or otherwise sharing a portion of the risk - allocating the risk to other systems, people, organizations or assets, or by buying insurance.
Acceptance responses take no action to affect likelihood or impact, but attempt to control the risk with available resources.
As part of enterprise risk management, for each significant risk an entity considers potential responses from a range of response categories. This gives sufficient depth to response selection and also challenges the “status quo.”
Q: What is "Risk Exposure"?
The extent of potential damage is defined as "risk exposure" or "asset exposure". The Business Owner is responsible for both identifying assets and estimating potential loss to asset or the organization. As a review, the asset class, exposure, and the combination of threat and vulnerability define the overall impact to the organization. The impact is then combined with probability to complete the "risk statement"; Risk-impact x Risk-probability = Risk-exposure.
Quantifying the effects of a risk by multiplying the risk impact by the risk probability yields risk exposure.
i.e. Risk-exposure = Risk-impact x Risk-probability
e.g., if the likelihood of virus attack is 0.3 and the cost to clean up the affected systems and files is $10,000, then the risk exposure is $3,000.
$3,000 = $10,000 x 0.3
Example 1: A hard disk failure on your PC.
Hard disks fail about every three years, so the likelihood/probability is 1/3 per year.
The hardware cost is $300 to buy a new disk.
But also add 10 hours of effort to reload the OS and software and restore from the last backup, and 4 more hours to recreate things done since the backup.
Assume $10.00 per hour for your effort.
Total loss = $300 + 10 x (10 + 4) = $440
Annual loss expectancy = (440 x 1/3) $pa = $147 pa
Example 2: A virus attack on the same system.
You frequently swap files with other people, but have no anti-virus software running.
Assume an attack every 6 months; that's a probability of 2 per annum.
No need to buy a new disk; the rebuild effort is (10 + 4) hours.
Total loss = 10 x (10 + 4) = $140
ALE = (140 x 2) $pa = $280 pa
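The two ALE examples above, plus the risk mitigation cost/benefit question from earlier ("is the annualised control cost less than the annualised expected loss?") and the residual risk equation (total risk x control gap), worked through as an added example that is not part of the original post. The scenario figures are the post's own; the control cost and control gap used for the ROI check are constructed assumptions.

```python
"""Quantitative risk analysis: single loss, ALE, residual risk and control ROI.
Added example; scenario figures follow the post, control figures are constructed."""
from dataclasses import dataclass

HOURLY_RATE = 10.0  # $ per hour of the owner's effort, as assumed in the post


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float  # expected events per year (1/3 for the disk, 2 for the virus)
    hardware_cost: float       # $ spent on replacement hardware per event
    rebuild_hours: float       # hours to reload OS/software and restore the last backup
    recreate_hours: float      # hours to recreate work done since that backup

    def single_loss(self) -> float:
        """Loss per event: hardware plus labour at HOURLY_RATE."""
        return self.hardware_cost + HOURLY_RATE * (self.rebuild_hours + self.recreate_hours)

    def ale(self) -> float:
        """Annual Loss Expectancy = loss per event x events per year."""
        return self.single_loss() * self.annual_probability


def residual_ale(total_ale: float, control_gap: float) -> float:
    """Residual risk = total risk x control gap (the post's equation).
    control_gap is the fraction of the risk the control does NOT remove (0..1)."""
    if not 0.0 <= control_gap <= 1.0:
        raise ValueError("control gap must be between 0 and 1")
    return total_ale * control_gap


def control_roi(total_ale: float, control_gap: float, annual_control_cost: float) -> dict:
    """Risk mitigation analysis: compare annualised control cost with the loss it avoids."""
    if annual_control_cost <= 0:
        raise ValueError("annual control cost must be positive")
    avoided = total_ale - residual_ale(total_ale, control_gap)
    net = avoided - annual_control_cost
    return {"avoided_loss": avoided, "net_benefit": net,
            "roi": net / annual_control_cost, "justified": avoided > annual_control_cost}


# The post's two scenarios.
DISK = Scenario("hard disk failure", 1 / 3, 300.0, 10, 4)
VIRUS = Scenario("virus attack", 2.0, 0.0, 10, 4)

if __name__ == "__main__":
    for s in (DISK, VIRUS):
        print(f"{s.name}: loss/event ${s.single_loss():.0f}, ALE ${s.ale():.0f} pa")
    # Constructed assumption: anti-virus subscription at $40 pa leaving a 10% control gap.
    print(control_roi(VIRUS.ale(), control_gap=0.10, annual_control_cost=40.0))
```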
Q: What is a "Risk Baseline"?
Baselining is the analysis of measures against established standards. A baseline approach to risk treatment requires the establishment of a minimum set of controls to safeguard all or some of the agency’s information against the most common threats.
In information security, baselining is the comparison of security activities and events against the organization’s future performance. These baseline controls are compared with existing or planned safeguards for the context being considered. Those that are not in place, and are applicable, should be implemented. An early step in the baseline approach may be a gap analysis of existing controls against a baseline.
When baselining it is useful to have a guide to the overall process. The risk in the baseline approach is that there may be unidentified assets or 'non-standard' threats or vulnerabilities that are missed by the gap analysis and/or the baseline controls. Lack of an Information Security Policy exacerbates this risk.
Q: What is a "Risk analyst"?
Risk analyst: an individual whose primary task is the identification and evaluation of risks during the risk review.
Q: What is a "Risk custodian"?
Risk custodian: an individual who has responsibility for monitoring, controlling and minimising the project’s residual risks.
Q: What is a "Risk assessment table"?
Risk assessment tables: tables that may be used to allocate ‘scores’ to risks, to help in prioritising them.
That's it for today, folks! I have covered quite a few risk terms and concepts.
Regards,
Ciske
References:
IIA (n.d.) Institute of Internal Auditors, the international professional association. Online: http://www.theiia.org/?doc_id=4883
CAREY, M. (2005) DelCreo, Inc. - Enterprise Risk Management: How To Jumpstart Your Implementation Efforts. Online: http://www.irmi.com/Expert/Articles/2005/Carey02.aspx#1
TRYGSTAD, R. (2005) Risk Management I and II, Illinois Institute of Technology, ITM 578. Online: www.itm.iit.edu/578/lesson4/lesson04.ppt