Risk Concepts From The CISSP (Part 1)
Applying Risk and Risk Management Concepts In Your Organization
Introduction
Looking back, I was pretty naive at the beginning of my journey to understand risk and apply that seed of understanding to a business' risk set. Risk seems like a simple concept: what are we worried could go wrong, and how should we address these worries? As I've continued my education, gained through hard-knock real-world experience, I realize that risk and risk management are a deceptively complex topic.
If someone from the C-suite asked you some variation of "are we safe from cyber-attacks?" how would you answer? Although a glib answer like "security is a journey" or "it depends" may be technically correct, it’s not very satisfying. If the follow-up question is "what would it take from a process, tooling, and spend perspective to make us safer?" how would your answer change? This is why the CISSP covers risk and risk management in detail. The questions may be simple, but the answers are complex. How you communicate these concepts to an organization can make a difference in the success of your risk management program and, ultimately, your organization’s safety.
Concepts of Risk and Risk Management
The concept of risk and the management of risk in the context of cybersecurity is important both in business and in pursuit of CISSP domain knowledge. Risk is a proposition that ties together the likelihood of a threat source exploiting a vulnerability with the corresponding impact on a business. It connects the vulnerability, threat, likelihood of exploitation, and resulting business impact into one unified idea.
Let's break these concepts down a little further. In simpler terms, a risk is the possibility of a threat exploiting a weakness in a system or asset, together with the potential consequences that could result. A vulnerability is a flaw or weakness in a system that can be exploited. A threat is a potential danger that could exploit a vulnerability; a threat agent is someone or something that attempts to exploit the weakness for their own gain. Note that threats and vulnerabilities are related because a credible threat is possible only when a vulnerability is present. Threats exploit vulnerabilities, which results in exposure. Exposure is risk, and risk is mitigated by safeguards. Safeguards protect assets that are endangered by threats. An asset is a resource, process, product, or system that has value to the organization.
Risk management refers to the process of identifying, assessing, and prioritizing potential risks that could impact an organization's ability to achieve its mission. Essentially, managing risk involves taking proactive steps to reduce the potential for negative consequences to an acceptable level, and implementing mechanisms to maintain that level. The overall process of risk management is used to develop and implement information security strategies that support the mission of the organization. While the security community believes in zero trust, there is no such thing as zero risk. Risk is part of life and an active component of managing technology. We must prepare for potential threats and their outcomes.
Risk Management in the CISSP
The Certified Information Systems Security Professional (CISSP) is an information/cyber security certification developed by the International Information Systems Security Certification Consortium, also known as (ISC)². Risk management is covered in domain 1 of the CISSP body of knowledge. Beyond the fundamentals of security, the concepts of risk and risk management are perhaps the most important and complex part of the information security and risk management domain.
In general, security is important because it helps to ensure an organization continues to exist and operate despite attempts to steal data or compromise physical or logical assets. Security should be viewed as an element of business management rather than an IT-centric concern.
Risks can affect the security of many parts of a business and can never be eliminated; any system, no matter how secure, can be compromised by a sufficiently persistent adversary. We can predict some threats and therefore quantify some associated risks. Other threats, like natural disasters, are largely unpredictable. The goal of risk management and mitigation is understanding potential risks and reducing risk to a level the organization finds acceptable. Risk tolerance is defined as the level of risk that is acceptable for any particular threat.
Risk management is composed of two primary components: the assessment of risk and the response to risk. Risk assessment helps an organization evaluate the threats in its environment. Risk response involves evaluating countermeasures, safeguards, and security controls using a cost/benefit analysis, with the outcome being a proposal to management of response options. The result of performing risk management in an organization for the first time is the skeleton of a security policy.
Risk Assessment
A risk assessment or analysis brings together all of the elements of risk management: identifying risks in your environment, evaluating threats, using risk-assessment methodologies to estimate the likelihood of occurrence, estimating the potential severity of damage an event would cause, and assessing the cost of countermeasures.
Employees usually find a risk assessment difficult to handle internally because of the potential scope in capturing, quantifying, and estimating an organization’s risk set and associated liability. Therefore, many organizations use risk management consultants to perform the work. Using outside resources provides a higher level of expertise that doesn't bog down employees and can be a more reliable measure of real-world risk.
There are two primary risk-assessment methodologies: quantitative and qualitative. Quantitative risk analysis assigns a real dollar figure to the loss of an asset based on value and probability calculations. Qualitative analysis assigns subjective and intangible values to potential asset losses and takes into account perspectives, intuition, and preferences.
Most organizations use a hybrid approach to risk assessment.
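As an added worked example (not code from the original post), here is the quantitative side of that hybrid in Python, using the standard CISSP formulas SLE = AV × EF, ALE = SLE × ARO, and safeguard value = ALE before − ALE after − annual safeguard cost, which is the cost/benefit analysis that feeds the proposal to management. The asset and safeguard figures are constructed for illustration.

```python
# Added example: quantitative (dollar-based) risk assessment with a
# safeguard cost/benefit ranking, using the standard CISSP formulas
# SLE = AV * EF, ALE = SLE * ARO, value = ALE(before) - ALE(after) - cost.
# All asset and safeguard figures below are constructed, not real data.
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float            # AV: asset value in dollars
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0..1
    aro: float              # ARO: expected incidents per year (may be < 1)


@dataclass
class Safeguard:
    name: str
    annual_cost: float      # ACS: yearly cost of the countermeasure
    new_ef: float           # EF once the safeguard is in place
    new_aro: float          # ARO once the safeguard is in place


def sle(av, ef):
    """Single loss expectancy: dollars lost in one incident."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError(f"exposure factor must be in [0, 1], got {ef}")
    return av * ef


def ale(av, ef, aro):
    """Annualized loss expectancy: expected dollars lost per year."""
    return sle(av, ef) * aro


def safeguard_value(asset, sg):
    """Net yearly benefit; negative means the safeguard costs more than it saves."""
    before = ale(asset.value, asset.exposure_factor, asset.aro)
    after = ale(asset.value, sg.new_ef, sg.new_aro)
    return before - after - sg.annual_cost


def rank_safeguards(asset, options):
    """Rank candidate safeguards by net value, best first, for the proposal."""
    scored = [(sg.name, safeguard_value(asset, sg)) for sg in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed figures: a $500k customer database, 40% of value lost per
# breach, one breach expected every two years (ARO 0.5).
CUSTOMER_DB = Asset("customer database", 500_000, 0.40, 0.5)
OPTIONS = [
    Safeguard("encryption at rest", 30_000, 0.10, 0.5),
    Safeguard("offsite backups", 12_000, 0.25, 0.5),
    Safeguard("premium DLP suite", 95_000, 0.05, 0.4),
]

if __name__ == "__main__":
    for name, value in rank_safeguards(CUSTOMER_DB, OPTIONS):
        print(f"{name:20s} net yearly value ${value:,.0f}")
```

The DLP option reduces loss the most yet ranks last, because its annual cost exceeds the ALE it removes; that is the point of evaluating safeguards on cost/benefit rather than on risk reduction alone.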
Conclusion
Risk and risk management are important concepts both in business and in understanding the CISSP security and risk management domain. Risk management can be complex, and it's important to understand and clearly communicate risk and risk concepts to an organization to promote understanding of, and buy-in to, a risk management program.
In future posts, we'll explore how to conduct a risk assessment and look further into assessment methodologies, risk response details, and risk management frameworks.