Addendum E: Risk Assessment

Introduction

Risk management is the process of implementing countermeasures to achieve an acceptable level of risk at an acceptable cost. By examining in depth the potential threats faced by an organization, a better understanding of business risk can be gained that will lead to identifying strategies, techniques, approaches, or countermeasures that reduce or mitigate impact. Generally, this can be achieved by asking three basic questions:

•  What can go wrong?

•  What will we do?

•  If something happens, how will we pay for it?

Thinking about these questions in the context of an organization, it might become clear that there are some areas where risk management could be applied, such as weaknesses in the software development lifecycle or manual processes that are prone to human error. Because potential damage or loss to an asset exists, the perceived level of risk is based on the value assigned by its owner and the consequential impact. Additionally, the probability that a vulnerability will be exploited must also be taken into consideration. Therefore, as illustrated in Figure E.1, risk cannot exist without the intersection of three variables: assets, threats, and vulnerabilities.

Figure E.1 Risk management variables.

What Is a Risk Assessment?

A risk assessment is simply a thorough examination of what can cause harm or impact so that an accurate decision of how to manage the risk can be made. Risk assessments do not require an over-engineered approach of new processes, methodologies, or loads of paperwork. There are several industry-recognized methodologies available to use during the analysis stage of the risk management program.

Depending on the type of business, there will likely be one risk management methodology that is preferred over others; some organizations may be mandated through regulations to use a particular methodology, while others decide to develop one that meets their specific business needs. Generally, organizations have the option of conducting a risk assessment by following one of the following two approaches.

Qualitative Assessments

Qualitative assessments are focused on results that are descriptive as opposed to measurable; no direct monetary value is assigned to the assets, and their importance is based on a hypothetical value. Organizations should typically look to conduct a qualitative assessment when the:

•  Assessors have limited expertise;

•  Time frame allocated for the assessment is short; or

•  Data is not readily available to accommodate trending.

Analysis commonly performed in this type of assessment can include several layers of determining how assets are susceptible to risks. This includes the correlation of both assets to threats and threats to vulnerabilities, as described further in Addendum F, “Threat Modeling,” as well as the determination of likelihood and the level of impact that an exploited vulnerability will create, illustrated in Figure E.2.

Figure E.2 Risk likelihood-severity heat map.

In a qualitative assessment, the output generated from the comparison of likelihood and the level of impact is the severity the risk has on assets. Generally, the higher the risk level the greater the priority for the organization to manage the risk and protect its assets from potential harm.

Quantitative Assessments

The primary characteristic of a quantitative assessment is its numerical nature. Variables like frequency, probability, and impact, or other aspects of a risk assessment, are not easily measured against mathematical properties like monetary value. Quantitative assessments allow organizations to determine whether the cost of a risk outweighs the cost of managing a risk based on mathematics instead of descriptive terms.

Organizations that have invested in gathering and preserving information, combined with the enhanced knowledge and experience of staff, are better equipped to conduct this type of assessment. For this reason, completing a quantitative assessment requires a larger investment in staff knowledge and experience, time, and effort.

Knowing that quantitative assessments follow a mathematical basis, organizations that decide to conduct this type of analysis should consider performing the following series of calculations.

Single Loss Expectancy (SLE)

The first calculation to be completed is the single loss expectancy (SLE). The SLE is the difference between the original and remaining monetary value of an asset that is expected after a single occurrence of a risk against an asset. The SLE is calculated as

Single loss expectancy (SLE) = Asset value (AV) × Exposure factor (EF)

where AV is the monetary value assigned to an asset, and EF is an average percentage representing the amount of loss to an asset.

For example, if the AV has been identified as $5,000 and the EF is 40%, then the SLE would be calculated as

Single loss expectancy (SLE) = $5,000 × 0.40 = $2,000

Annual Rate of Occurrence (ARO)

Following the SLE, the next calculation to be completed is the annual rate of occurrence (ARO). The ARO is a representation of how often an identified threat will successfully exploit a vulnerability and generate some level of business impact within the period of a year. The ARO is calculated as

Annual rate of occurrence (ARO) = Number of impacts / Time period (in years)

For example, if trending data suggest that a specific threat is likely to generate business impact one time over a four-year period, then the ARO would be calculated as

Annual rate of occurrence (ARO) = 1/4 = 0.25

Annualized Loss Expectancy (ALE)

Having values for both SLE and ARO, the next calculation to be completed is the annualized loss expectancy (ALE). The ALE is the expected monetary loss of an asset that can be realized as a result of actual business impact over a one-year period. The ALE is calculated as

Annualized loss expectancy (ALE) = SLE × ARO

For example, if the ARO is 0.25 and the SLE is $2,000, then the ALE would be calculated as

Annualized loss expectancy (ALE) = $2,000 × 0.25 = $500

With the ALE completed, organizations can use the resulting value directly in a cost-benefit analysis as described in Addendum C, “Cost-Benefit Analysis.” For example, where a threat or risk has ALE of $500, then the cost-benefit analysis would identify that investing $5,000 per year on a countermeasure would not be beneficial.
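The three calculations above, carried through in code with the book's own figures ($5,000 asset value, 40% exposure factor, one impact over four years, and a $5,000-per-year countermeasure). This is an added example, not code from the book; the function names are mine, and the optional residual-ALE parameter (the loss that remains once a control is in place) is an assumption that goes slightly beyond the book's straight comparison of ALE against countermeasure cost.

```python
"""Quantitative risk calculations: SLE, ARO, ALE, and the cost-benefit check.

Added example, not from the book. Input figures are the book's worked numbers;
the `ale_after` (residual loss) parameter is an assumed extension.
"""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF, where EF is a fraction in [0, 1] (40% -> 0.40)."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_rate_of_occurrence(impacts: float, period_years: float) -> float:
    """ARO = number of impacts / time period in years."""
    if period_years <= 0:
        raise ValueError("time period must be positive")
    if impacts < 0:
        raise ValueError("impact count cannot be negative")
    return impacts / period_years


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected monetary loss per year."""
    return sle * aro


def countermeasure_net_benefit(ale_before: float, annual_cost: float,
                               ale_after: float = 0.0) -> float:
    """Annual value of a countermeasure: loss avoided minus what it costs.

    The book compares ALE directly with the countermeasure's annual cost,
    which is the ale_after == 0 case. ale_after is an assumed extension for
    controls that only reduce, rather than remove, the expected loss.
    """
    if ale_after > ale_before:
        raise ValueError("a countermeasure should not increase expected loss")
    return (ale_before - ale_after) - annual_cost


def is_cost_beneficial(ale_before: float, annual_cost: float,
                       ale_after: float = 0.0) -> bool:
    """True when the countermeasure avoids more loss per year than it costs."""
    return countermeasure_net_benefit(ale_before, annual_cost, ale_after) > 0


def worked_example() -> dict:
    """The book's numbers: AV $5,000, EF 40%, one impact in four years."""
    sle = single_loss_expectancy(5_000, 0.40)      # $2,000
    aro = annual_rate_of_occurrence(1, 4)          # 0.25
    ale = annualized_loss_expectancy(sle, aro)     # $500
    return {
        "SLE": sle,
        "ARO": aro,
        "ALE": ale,
        # A $5,000/yr countermeasure against a $500/yr expected loss.
        "countermeasure_beneficial": is_cost_beneficial(ale, 5_000),
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name}: {value}")
```

Because ALE is a yearly figure, the countermeasure cost must also be annualized (licence plus operating cost per year, or purchase price spread over its useful life) before the two are compared.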

Advantages and Disadvantages

Depending on the goals for performing an assessment, both the qualitative and quantitative approaches present benefits. Neither approach should be overlooked as a tool for performing risk assessment because each is unique in how it demonstrates risk to stakeholders.

With qualitative assessments, the approach is simpler because it does not require the in-depth analysis of numerical values through formulas and calculations. Generally, results are simpler for stakeholders to understand because the approach leverages business terms to communicate the level of risk involved. However, there is no escaping the fact that qualitative assessments are more subjective because they are based on the organization’s experience and judgment which makes it more difficult to defend. The ability to monitor the implementation of countermeasures using labels and terms is difficult because they cannot be measured.

On the other hand, a quantitative assessment is considered objective because it is not influenced by subjective experiences or judgment. It relies on predetermined formulas and calculations to arrive at a risk valuation decision based on numerical measurements. However, this approach requires organizations to have existing data, have more experience, and be willing to invest more time because it is based on factual numbers and predetermined formulas.

Methodologies, Tools, and Techniques

Organizations will select their risk assessment methodology, tools, and techniques based on what works best for their specific needs, capabilities, budget, and timelines.

Tools

Given the availability of industry resources, completing a risk assessment does not need to be an overly complicated process. Several tools are readily accessible to make the risk assessment tasks easier, including software, checklists, and templates.

Depending on volume, gathering and processing data can be demanding and require significant efforts. Organizations should look to invest in automated tools that can alleviate the time needed to complete these tasks. Regardless of whether the organization plans on purchasing or building tools, this decision should be based on aspects such as appropriate timelines, skill sets, and the need to follow a proper system development life cycle (SDLC).

As organizations perform more risk assessments, they will begin to identify patterns where there are similarities in tasks being completed, such as cataloging threat agents and threats. In these situations, the use of checklists may be beneficial to ensure that the risk assessment considers all relevant information even if it may not apply in each instance.

Reviewing existing policies and procedures for relevant security gaps can be a complex and time-consuming task. When used properly, templates can be effective in improving operational efficiencies and accuracy of the risk assessment results.

Methodologies and Techniques

Generally, all risk assessments follow a similar methodology consisting of techniques used to arrive at a final risk decision, including analyzing threats and vulnerabilities, asset valuation, and risk evaluation.

However, there is no single risk assessment methodology that meets the needs of every organization because they were not designed to be “one-size-fits-all.” Ultimately, each organization is unique in its own respect and has its own reasons for completing risk assessments. Therefore, a variety of industry-recognized risk assessment methodologies have been developed to address varying needs and requirements.

Contained in the Resources section of this chapter, a series of different risk assessment methodologies have been provided as references. It is important to note that inclusion of a methodology in this chapter does not suggest that these are better or recommended over other models that were not included.

Risk Lifecycle Workflow

An assessment of risk at any given time will naturally evolve over time and the exposure to the organization will increase or decrease accordingly. Supporting constant changes in business risk requires that the risk management process is performed regularly, not as a one-time exercise.

Effectively managing risk should be shared between multiple stakeholders because the responsibility and accountability of doing so cannot generally be placed on a single party. For example, while information security is responsible for providing guidance and oversight, accountability for implementing recommendations is with the business line that owns the risk.

Several well-established risk management frameworks are available. While slight differences exist in terminology and stages, they all use a very similar approach to the risk management lifecycle. Described in the sections to follow, Figure E.3 illustrates the four-stage workflow involved in the risk management lifecycle.

Figure E.3 Risk management lifecycle workflow.

Visualizing Risk

Challenges with demonstrating risk are largely attributed to delivering information in a format that is difficult to interpret. As illustrated in Figure E.4, a mind map is an excellent tool for conceptually representing risk in a non-linear format to build out the framework for assessing and managing the risk.

Mind maps are diagrams based on a centralized concept or subject, such as risk management, with the components revolving around it like a spider-web. Not only does the use of a mind map enhance communications using categorized groupings, it also allows the risk management team to quickly record and capture ideas being discussed during meetings.

Figure E.4 Risk management mind map—communication.

Communication

Communication is an integral component of risk management. It is essential that the key stakeholders responsible for managing risk throughout the organization, such as upper management, understand the reasons why decisions are made and why the selected strategies, techniques, approaches, and countermeasures are required. For this reason, the communication activities performed as part of the risk management process should not be viewed as a sequential stage, but instead represented as a continuous activity across all stages.

With consistent communication, risk information can be more effectively re-used throughout the organization, reducing the need to conduct more than one risk assessment on the same area for different purposes (i.e., planning, auditing, resource allocations). When defining communication activities, organizations might include details that provide direction on the:

•  Types of information that needs to be communicated at various stages (i.e., what information do stakeholders need or want);

•  Target audience for the distinct types of information (i.e., management); or

•  Means used to distribute communication to the target audiences.

Stage #1: Identify

Risk cannot be managed without first recognizing, describing, and having a solid understanding of its (potential) impact. To start, stakeholders (i.e., employees, investors, etc.) should be provided with clear direction on what the organization’s expectations are when it comes to identifying risk. Once informed, all stakeholders should be provided with the appropriate tools and techniques—such as training, workshops, checklists—that will be used to accurately identify risk.

To facilitate stakeholder involvement in the process of identifying risk, organizations should create a taxonomy to ensure the use of consistent and common risk management terminology and classifications throughout the entire process. Further details about how to build a taxonomy can be found in Addendum D, “Building a Taxonomy.”

Through a series of face-to-face or virtual sessions, stakeholders should contribute to the identification of risks as both collaborative and individual participation. After the collective results have been reviewed, the risk management mind map can be expanded further to include the specific components of the identification stage as illustrated in Figure E.5.

Figure E.5 Risk management mind map—identifying.

Stage #2: Analyze

Having identified all relevant assets, threats, and vulnerabilities that constitute risk, the next step is to individually analyze and prioritize all risks that have any potential of generating business impact. Analyzing each risk individually helps to prioritize them so that organizations can focus resources and efforts on managing the most appropriate risk first. When defining assessment activities, organizations might include details that provide direction on:

•  Who should be involved;

•  The level of detail required;

•  What type of information needs to be gathered; and

•  How the risk assessment should be documented, for example, to support planning activities.

As each risk is analyzed, organizations should consider their risk tolerance as a factor in the final risk scoring. By doing so, organizations will get a better representation of risk by being able to identify the delta between the assessed risk level and what they consider to be an acceptable risk level. Generally, there are several tools and techniques available to analyze and prioritize risks. As illustrated previously in Figure E.2, at a minimum performing a risk assessment involves determining the likelihood of a risk occurring and the level of impact it will generate, ultimately achieving the severity valuation of the risk.

Output from the risk assessment will create an understanding of the nature of the risk and its potential to affect business operations and functions. After determining the impact of each risk, which is the combination of likelihood and severity, the risk management mind map can be expanded further to include the specific components of the analysis stage as illustrated in Figure E.6.

Figure E.6 Risk management mind map—analyzing.

Stage #3: Manage

Completion of the preceding assessment has resulted in each risk being assigned a ranking in terms of the level of impact it has on business operations and functions. With this knowledge, the organization must determine how to minimize the probability of negative risks while improving its security posture. This requires that, for each risk, a decision be made on how best to respond and manage the level of impact. Illustrated in Figure E.7, the four responses to risk include:

•  Mitigating risk, where likelihood is high but severity is low, through the implementation of countermeasures to reduce the potential for impact

•  Avoiding risk, where likelihood and severity are high, by keeping clear of activities that will generate the potential for impact

•  Transferring risk, where likelihood is low but severity is high, by shifting all—or a portion of—the risk to a third party through insurance, outsourcing, or entering into partnerships

•  Accepting risk, where likelihood and severity are low, if the result of a cost-benefit analysis determines that the cost of implementing the necessary countermeasures is greater than the expected loss from the risk; in this scenario, the best response is to accept the risk and continuously monitor it

Details on how to perform a cost-benefit analysis can be found in Addendum C, “Cost-Benefit Analysis.”

Where the organization has determined that the best response to a risk is implementing countermeasures, it is important to remember that these controls can be applied in the form of administrative, physical, or technical controls. After determining the best response, the risk management mind map can be expanded further to include the specific components of the management stage as illustrated in Figure E.8.
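The qualitative procedure described across the Analyze and Manage stages (rating likelihood and impact on the Figure E.2 heat map, comparing the result against the organization's risk tolerance, and choosing one of the four responses by heat-map quadrant) as a worked example. This is added code, not from the book: the 1-to-5 ordinal scales, the severity bands, the cut-off for what counts as "high," the tolerance value, and the sample risk register are all constructed assumptions; only the quadrant-to-response mapping follows the list above.

```python
"""Qualitative risk scoring: likelihood x impact heat map, tolerance delta,
and the four risk responses (mitigate, avoid, transfer, accept).

Added example, not from the book. The scales, bands, threshold, tolerance
and sample risks below are constructed assumptions.
"""
from dataclasses import dataclass

SCALE_MAX = 5        # assumed ordinal scale 1..5 for both likelihood and impact
HIGH_THRESHOLD = 4   # assumed: a rating of 4 or 5 counts as "high"

# Severity bands over the likelihood x impact product (assumed cut-offs).
SEVERITY_BANDS = [(4, "Low"), (9, "Medium"), (16, "High"), (25, "Critical")]


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)


def validate(rating: int) -> int:
    """Reject ratings outside the agreed scale so the heat map stays consistent."""
    if not 1 <= rating <= SCALE_MAX:
        raise ValueError(f"rating {rating} outside 1..{SCALE_MAX}")
    return rating


def severity_score(risk: Risk) -> int:
    """Heat-map cell value: likelihood multiplied by impact."""
    return validate(risk.likelihood) * validate(risk.impact)


def severity_label(score: int) -> str:
    """Translate a numeric cell value into the descriptive band stakeholders read."""
    for upper, label in SEVERITY_BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} exceeds the heat map")


def tolerance_delta(risk: Risk, acceptable_score: int) -> int:
    """Positive delta: assessed severity exceeds the accepted level (Stage #2)."""
    return severity_score(risk) - acceptable_score


def recommended_response(risk: Risk) -> str:
    """Map the heat-map quadrant to the four responses listed in Stage #3."""
    high_likelihood = risk.likelihood >= HIGH_THRESHOLD
    high_impact = risk.impact >= HIGH_THRESHOLD
    if high_likelihood and high_impact:
        return "Avoid"
    if high_likelihood:
        return "Mitigate"
    if high_impact:
        return "Transfer"
    return "Accept and monitor"


def prioritize(risks, acceptable_score: int):
    """Rank risks by severity (highest first) with tolerance delta and response."""
    rows = []
    for risk in risks:
        score = severity_score(risk)
        rows.append({
            "name": risk.name,
            "score": score,
            "severity": severity_label(score),
            "delta": tolerance_delta(risk, acceptable_score),
            "response": recommended_response(risk),
        })
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample register; names and ratings are illustrative only.
SAMPLE_RISKS = [
    Risk("Phishing leading to credential theft", likelihood=5, impact=3),
    Risk("Data centre flood", likelihood=1, impact=5),
    Risk("Unpatched internet-facing web server", likelihood=4, impact=5),
    Risk("Laptop left on train (encrypted disk)", likelihood=3, impact=2),
]
ACCEPTABLE_SCORE = 6   # assumed organizational risk tolerance on the same scale

if __name__ == "__main__":
    for row in prioritize(SAMPLE_RISKS, ACCEPTABLE_SCORE):
        print(f"{row['name']:<42} score={row['score']:>2} {row['severity']:<8} "
              f"delta={row['delta']:+d}  -> {row['response']}")
```

The delta column is what the Analyze stage calls the gap between assessed and acceptable risk; anything with a positive delta needs a response other than acceptance, and the quadrant rule then suggests which one to evaluate first.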

Figure E.7 Risk management responses.

Figure E.8 Risk management mind map—managing.

Stage #4: Monitor

Generally, risk is about uncertainty. Even though a formalized risk management program has been implemented, and up to this stage has been able to identify and get control over known risks, organizations need to ensure that the program is not performed as a one-time activity. Instead, they need to implement continuous monitoring within the risk management program, which has two fundamental aspects that are essential to ensuring its effectiveness.

The first aspect is about keeping a close and steady watch on previously identified risks. Advances in technology change the way modern threats, vulnerabilities, and risks can impact business operations. To counterbalance this effect, organizations must be vigilant in monitoring these changes to determine if a previously documented risk has changed. If a change has been detected, the organization should re-assess the original risk to determine if the risk response also needs to be changed.

The second aspect is about identifying any new risks that have emerged. Advances in technology also introduce new threats, vulnerabilities, and risks that have the potential to generate new kinds of business impact. To counterbalance this effect, organizations must implement and diligently follow a proactive management program to identify when new risks surface. Through a proactive approach, there will be greater opportunities to manage risks before they materialize and to avoid impulsive risk response decisions.

The best method of risk monitoring comes from the combined implementation of administrative, physical, and technical solutions. After selecting the most appropriate risk monitoring solution(s), the risk management mind map can be expanded further to include the specific components of the monitoring stage as illustrated in Figure E.9.

Figure E.9 Risk management mind map—monitoring.

Review

Activities performed while reviewing the risk management program are an important aspect of continuous process improvement. Reviewing the collective risk management approach and process is essential to providing stakeholders (i.e., management, investors, etc.) with awareness and assurance that the organization’s overall risk management approach is performing effectively, efficiently, and is still relevant. For this reason, the review activities performed in this workflow should not be viewed as a sequential stage, but instead represented as a continuous activity.

Information gathered during review activities helps organizations to identify opportunities to improve their risk management approach and process to ensure its overall performance remains consistent. To support the activities performed during the review stage, organizations should consider the following:

•  Clearly defining the accountabilities, roles, and responsibilities of all stakeholders involved in maintaining the performance of the risk management approach and process

•  Using existing governance and assurance functions (i.e., internal audit) to assess the performance of the risk management approach and process

•  Documenting the expected outcomes of risk response decisions, such as reducing negative impact or capitalizing on opportunities

•  Defining key performance indicators (KPI) to measure the performance of the risk management approach and process

•  Building the necessary systems, processes, etc. to demonstrate the findings relevant to the performance of the risk management approach and process

•  Establishing a timeline for when and how governance and assurance assessments will be conducted, and how the outcomes and decisions will be communicated to stakeholders

Essential to every activity performed during the review stage is the measurement of the overall performance against the overall implementation strategy. Working together with the communication activities, and in parallel to the remaining risk management activities, review activities validate that the risk management approach and process meet the organization’s need by adding value as a contributor to decision making, business planning, and resource allocation. Where the review activities have identified gaps in the risk management approach and process, such as regulatory compliance or operational efficiencies, actions can be taken to identify opportunities to use more effective approaches, improve processes, or leverage new tools and ideas.

Generally, the documentation and communication of review activities support the organization’s capability to improve its risk management performance through dissemination of best practices and lessons learned. After building the review activities, the risk management mind map can be expanded further to include the specific components of the review stage as illustrated in Figure E.10.

Figure E.10 Risk management mind map—reviewing.

Summary

While there is no one-size-fits-all approach to performing a risk assessment, the overall goal is to gain a better understanding of the business risk so organizations can identify appropriate strategies, techniques, approaches, or countermeasures to manage the impact. Using any industry-recognized risk assessment methodology, organizations can avoid an over-engineered approach of establishing new processes, approaches, or generating loads of paperwork.
