Risk Concepts From The CISSP (Part 2)
Applying Risk and Risk Management Practices In Your Organization
Introduction
In our previous article, Risk Concepts From The CISSP (Part 1), we discussed risk and risk terminology from the lens of the (ISC)² Official Study Guide. Whether or not you are pursuing this particular certification, these concepts have real-world significance since cybersecurity is a business risk, and finding ways to create an open dialog around risk, understanding an organization's appetite for it, and working to mitigate risk to that appetite is essential in building a cybersecurity program. As we noted, risk concepts may seem simple, but finding meaningful answers to common questions takes diligence.
We also noted that assessment is one of two primary risk management components and relates to the identification and estimation of the likelihood of a bad thing happening to an asset. In part 2, we look further at assessment methodologies and how to quantitatively evaluate risk elements.
An Appetite for Risk
Risk management involves identifying and assigning values to organizational assets, identifying risk factors that might threaten, damage, or disclose assets, and determining the cost of implementing countermeasures to mitigate associated risk factors. The primary goal of risk management is to reduce risk and match the organization's risk appetite.
Risk appetite refers to the amount and type of risk that an organization is willing to accept in pursuit of its objectives. It’s a reflection of the organization's risk tolerance, which is influenced by factors such as strategic goals, competitive environment, regulatory requirements, and stakeholder expectations.
Established by the board or senior management, risk appetite is typically communicated throughout the organization. It serves as a guide for decision-making, resource allocation, and risk management practices. By clearly defining risk appetite, an organization can effectively manage risks, exploit opportunities, and achieve its strategic objectives while maintaining an acceptable level of risk exposure.
Risk Assessment
A risk assessment brings together all the elements of risk management, including an examination of an organization's environment for risks, evaluating each threat’s likelihood of occurrence, estimating the severity of damage that a threat might cause if it occurred, and assessing the cost of countermeasures for each risk. An assessment helps drive our understanding of risk by identifying assets and their associated potential threats and ranking them by criticality.
One of the first steps in a risk assessment is placing a value on organizational assets. Identifying assets and determining their value is key to understanding potential risks, threats, and countermeasures. The worth of an organization's assets can be assessed both quantitatively, in terms of intrinsic value or cost, and qualitatively, by considering their relative significance.
It's essential to keep asset valuations aligned relative to each other and as realistic as possible, since countermeasures and safeguards will be chosen based on those valuations. No evaluation is perfect, of course, but we are trying to avoid the knock-on effect of inaccurate asset assessments leading to cost-ineffective or mismatched controls. Effective asset estimations also support cost-benefit analysis, insurance reporting, budgeting, and demonstrating due care.
Consider asset valuations that include both tangible and intangible elements, such as:
What are the costs associated with purchasing, licensing, developing, and supporting or maintaining an asset?
What is the value to owners, users, or competitors, including intangibles like the potential cost of re-creating an asset (replacement cost), the negative value of lost information or reputation, or the estimated value of the intellectual property (IP)?
Threat Assessment
Once we've traversed the asset valuation landscape, we need to think about threats to those assets. Threat assessment is a process of examining and evaluating cyber threat sources against potential system vulnerabilities. The objective is to identify those threats endangering a system in a specific environment. The basic steps to complete the threat assessment include:
1. What events could realistically occur? Define the actual threat, and note that threats generally fall into one of two categories:
Natural: like earthquakes, floods, hurricanes, fire, etc. or
Man-made: for instance, integrity violations such as unauthorized threat actors modifying systems and data or authorized users making unauthorized modifications. Other examples include confidentiality issues, such as data exfiltration and system breach, and availability problems, such as denial of service or theft.
2. Estimate the potential impact of an event. Identify possible consequences if the threat is realized. Essentially, we are creating an asset/threat pairing, answering questions like:
Could the threat cause physical damage, and if so, what is the range of associated costs?
Could the threat cause a loss of productivity?
What is the lost value if confidential information were disclosed, and what is the potential cost of recovering from a breach or ransomware event?
What is the lost value if critical devices fail or otherwise become unavailable?
What is the SLE for each asset and threat (see below)?
3. How often could an event occur?
4. How confident are we in our answers to the first three questions? In other words, we need to assess the probability that a threat will materialize.
Once we have an inventory of assets and threats, the next step is to evaluate each asset/threat pairing and calculate its associated risk. We previously noted that there are two primary risk-assessment methodologies: quantitative and qualitative. Quantitative risk analysis focuses on assigning a tangible monetary number to the loss of an asset based on value and probability calculations. Qualitative analysis assigns subjective and intangible values to potential asset losses and takes into account perspectives, intuition, and preferences. Qualitative analysis often uses scenarios (written descriptions of a threat) to delineate threats on a relative scale and help evaluate risks, costs, and effects. Most organizations use a combination of both methodologies to obtain a balanced view.
Quantitative Risk Analysis
A quantitative analysis helps provide specific numbers for various potential risks, losses, costs of countermeasures, and the value of safeguards. We start by determining an annualized loss expectancy as follows:
For each asset-threat pairing, calculate the exposure factor (EF), which represents the percentage of loss an organization would experience if a specific asset were affected by that risk. The EF is likely small for assets that are easily replaceable (think hardware) and much larger for proprietary or irreplaceable assets (think trade secrets or confidential information). EF is expressed as a percentage.
Now calculate the single loss expectancy (SLE) for each asset. The SLE is the potential loss if a specific threat against the asset is realized. SLE = asset value (AV) multiplied by EF, usually expressed as a monetary figure.
We next need to determine how likely the threat is to occur in a single year, known as the annual rate of occurrence (ARO). ARO is expressed as a probability value, given as a percentage, and can be determined using historical or professional risk data or statistical software.
Once we have the SLE and ARO, we can calculate the annualized loss expectancy (ALE), or the yearly potential loss from a specific realized threat against the asset. ALE = SLE multiplied by ARO (ALE = SLE × ARO, or ALE = AV × EF × ARO). As a simple example, if the SLE of an asset is $100,000 and the ARO for a threat is 50% (.5), the ALE would be $50,000.
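As an added worked example (not from the article or the study guide), the following Python computes SLE and ALE for a small constructed register of asset/threat pairings and ranks them by ALE; the asset names, values, exposure factors and rates are invented for illustration. It goes slightly beyond the article's single figure by showing why pairings are ranked by ALE rather than by EF or SLE alone.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetThreat:
    """One asset/threat pairing from the assessment inventory."""
    asset: str
    threat: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF as a fraction: the article's 50% is 0.5 here
    aro: float              # annual rate of occurrence as a fraction: 50% is 0.5

    def __post_init__(self) -> None:
        # EF is the percentage of the asset lost, so it cannot exceed 100%.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"EF must be in [0, 1], got {self.exposure_factor}")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")


def sle(pair: AssetThreat) -> float:
    """Single loss expectancy: SLE = AV x EF, rounded to cents."""
    return round(pair.asset_value * pair.exposure_factor, 2)


def ale(pair: AssetThreat) -> float:
    """Annualized loss expectancy: ALE = SLE x ARO = AV x EF x ARO."""
    return round(sle(pair) * pair.aro, 2)


def rank_by_ale(pairs: list[AssetThreat]) -> list[tuple[str, str, float, float]]:
    """Rank pairings by ALE, highest first, as (asset, threat, SLE, ALE) rows."""
    ranked = sorted(pairs, key=ale, reverse=True)
    return [(p.asset, p.threat, sle(p), ale(p)) for p in ranked]


# Constructed sample register: the figures are illustrative, not from any real assessment.
# Note the laptop has the highest EF (a stolen laptop is a total loss) but the lowest ALE.
REGISTER = [
    AssetThreat("design documents", "data exfiltration", 200_000, 0.50, 0.50),
    AssetThreat("customer database", "ransomware", 400_000, 0.30, 0.20),
    AssetThreat("field laptop", "theft", 2_500, 1.00, 0.80),
    AssetThreat("data center", "flood", 1_000_000, 0.25, 0.05),
]

if __name__ == "__main__":
    for asset, threat, s, a in rank_by_ale(REGISTER):
        print(f"{asset:18} {threat:18} SLE=${s:>12,.2f}  ALE=${a:>12,.2f}")
```

The first register entry reproduces the article's figures (SLE $100,000, ARO 50%, ALE $50,000).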
Conclusion
The primary goal of risk management is to reduce risk and bring it into alignment with the organization's risk appetite. A threat assessment is a process of examining and evaluating cyber threat sources against potential system vulnerabilities. A risk assessment helps drive our understanding of risk by identifying assets and their associated potential threats and ranking them by criticality. We identified quantitative analytic tools to help us provide specific numbers for various potential risks, losses, and costs.
In future posts, we'll look into responses to risk, including evaluating the cost/benefit, category, and types of controls, and discuss risk frameworks.