Risk is the likelihood or probability that something unexpected is going to occur. This unexpected result could be either a gain or a loss. In the world of information security, most organizations focus on ways to guard against asset losses. Losses occur when a threat exposes a vulnerability that could harm an asset. Companies employ risk assessment strategies to differentiate severe risks from minor risks. When this is done properly, administrators and managers can make rational decisions about how to handle each risk they’ve identified.
Risk management is the practice of identifying, assessing, controlling, and mitigating risks. In this discussion, the key terms that a person will need to be familiar with are shown in the following list. Each term will be discussed in detail later in the chapter.
NIST Special Publication 800-37 Rev. 2 provides a definition of risk: “Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event. Risk is also a function of the adverse impacts that arise if the circumstance or event occurs, and the likelihood of occurrence. Types of risk include program risk; compliance/regulatory risk; financial risk; legal risk; mission/business risk; political risk; security and privacy risk (including supply chain risk); project risk; reputational risk; safety risk; strategic planning risk.”
Risks to a business can result in a loss that negatively affects the business and its core business functions. A business commonly tries to limit, or control, its exposure to risks. The overall goal is to reduce as much as possible the impact of losses that can occur from risk.
Threats and vulnerabilities are explored in much more depth later in this chapter.
Business functions are the activities a business performs to sell products or services. If any of these functions are negatively affected, the business won’t be able to sell as many products or services. The business will earn less revenue, resulting in an overall loss.
Here are a few examples of business functions and possible compromises:
Because compromises to any of these business functions can result in a loss of revenue, all of them represent a risk. One of the tasks when considering risk is identifying the important functions for a business and ensuring that organizations provide necessary employee training to reduce their weakest links (i.e., people with limited knowledge of technology and security).
The importance of any business function is relative to the business. In other words, the failure of a website for one company may be catastrophic if all products and services are sold through the website. Another company may use its website only to provide hours of operation to its customers; therefore, the website’s failure will have less impact on the business.
Earlier, key terms related to risk were introduced; their relationship can now be seen. When a threat exploits a vulnerability to gain access to an asset, the result can be a loss if the asset is compromised. The impact of the threat identifies the severity of that loss. It is important to note that not all assets are considered valuable. The greater the value attached to an asset, the greater the severity of its loss will be, and the greater the need to put controls in place to prevent that loss.
A threat is any circumstance or event with the potential to cause a loss. A threat can also be thought of as any activity that represents a possible danger. Threats are always present and cannot be eliminated, but they can be controlled. Assets represent anything of value worth protecting.
Threats have independent probabilities of occurring that often are unaffected by an organization’s actions. As an example, an attacker may be an expert in attacking web servers running Apache. There is very little a company can do to stop this attacker from trying. However, the company can reduce or eliminate vulnerabilities to reduce the attacker’s chances of success.
Threats can be thought of as attempts to exploit vulnerabilities that result in the loss of confidentiality, integrity, or availability of a business asset. The protection of confidentiality, integrity, and availability is a common security objective for information systems.
FIGURE 1-1 shows these three security objectives as a protective triangle. If any side of the triangle is breached or fails, security fails. In other words, risks to confidentiality, integrity, or availability represent potential loss to an organization. Because of this, a significant amount of risk management is focused on protecting these resources.
Confidentiality, integrity, and availability are often referred to as the security triad, or the C-I-A triad.
The method used to take advantage of a vulnerability can also be referred to as an exploit.
A vulnerability is a weakness. It could be a procedural, technical, or administrative weakness. It could be a weakness in physical, technical, or operational security. Just as all threats don’t result in a loss, all vulnerabilities don’t result in a loss. A loss to an asset occurs only when an attacker is able to exploit the vulnerability.
Vulnerabilities may exist because they’ve never been corrected. They can also exist if security is weakened either intentionally or unintentionally.
Considering a locked door used to protect a server room, a technician could intentionally unlock it to make it easier to access. If the door doesn’t shut tight on its own, it could accidentally be left open. Either way, the server room and its contents become vulnerable.
A business asset is anything that has measurable value to a company. If an asset has the potential to lose value, it is at risk. Value is defined as the worth of an asset to a business.
Assets can have both tangible and intangible values. The tangible value is the actual cost of the asset and can be expressed in monetary terms, such as $5,000. The tangible assets of a business include its inventory, furniture, and machinery. Examples of tangible IT assets are:
The intangible value is value that cannot be measured by cost, such as client confidence or company reputation. Generally accepted accounting principles (GAAP) refer to client confidence as goodwill.
For example, a company sells products via a website, and it earns $5,000 an hour in revenue. The web server hosting the website fails and is down for two hours. The cost to repair it totals $1,000. What is the tangible loss?
The intangible value isn’t as easy to calculate but is still important. For example, a customer with an urgent need tried to make a purchase when the website was down. If the same product is available somewhere else, he or she may choose to purchase the product elsewhere. That experience may damage the organization’s reputation in the eyes of that customer, and, if the customer’s experience with the other business is positive, the customer may go directly to the second company the next time he or she wants to purchase this product. The loss of this future business cannot be measured, which makes it intangible.
Intangible value includes:
One of the early steps in risk management is associated with identifying the assets of a company and the assets’ associated costs. This data is used to prioritize risks for different assets. Once a risk has been prioritized, identifying risk management processes to protect the asset becomes easier.
The impact is the amount of the loss, which can be expressed in monetary terms, such as $5,000. The value of hardware and software is often easy to determine. If a laptop is stolen, the purchase or replacement value can be used to determine the value of the stolen laptop. However, some losses aren’t easy to determine. If that same laptop held data, the value of the data is hard to estimate.
Descriptive terms, instead of monetary terms, can be used to explain the impact of a loss. For example, losses can be described in relative terms, such as high, medium, or low, which helps an organization quantify the loss by describing the potential harm. The harm might be to operations, such as the inability to perform critical business functions; assets, such as hardware or facilities; individuals, such as loss of personal information, injury, or loss of life; other organizations, resulting in financial losses or damaged relationships; or the nation, affecting government operations or national security.
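As an added example that is not from the textbook, the following Python sketches a small risk register that applies the terms above: tangible loss is computed as in the web-server scenario (hours down times revenue per hour, plus the repair or replacement cost), mapped onto the descriptive high/medium/low scale, and risks are ranked by likelihood times impact so the most valuable assets get controls first. The likelihoods, the scale thresholds and the register entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """One entry in a risk register, using the chapter's terms."""
    asset: str                # anything of measurable value to the business
    threat: str               # circumstance or event that could cause a loss
    vulnerability: str        # weakness the threat would have to exploit
    likelihood: float         # assumed probability the loss occurs in a year
    hours_down: float         # downtime if the threat succeeds
    revenue_per_hour: float   # revenue the asset earns while it is up
    repair_or_replace: float  # cost to repair or replace the asset

def tangible_loss(hours_down, revenue_per_hour, repair_or_replace):
    """Monetary impact: lost revenue during the outage plus repair/replacement cost."""
    return hours_down * revenue_per_hour + repair_or_replace

def impact_level(loss, high=10_000, medium=2_000):
    """Map a monetary loss onto the descriptive high/medium/low scale (assumed thresholds)."""
    if loss >= high:
        return "high"
    if loss >= medium:
        return "medium"
    return "low"

def expected_loss(risk):
    """Risk as a function of likelihood and impact: likelihood times tangible loss."""
    return risk.likelihood * tangible_loss(
        risk.hours_down, risk.revenue_per_hour, risk.repair_or_replace)

def prioritize(risks):
    """Rank risks by expected loss so controls go to the assets that matter most."""
    return sorted(risks, key=expected_loss, reverse=True)

# Constructed sample register; the first entry is the chapter's web-server scenario.
REGISTER = [
    Risk("web server", "hardware failure", "no standby server", 0.5, 2, 5_000, 1_000),
    Risk("server room", "unauthorized entry", "door left unlocked", 0.2, 0, 0, 20_000),
    Risk("employee laptop", "theft", "no disk encryption", 0.1, 0, 0, 1_500),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        loss = tangible_loss(r.hours_down, r.revenue_per_hour, r.repair_or_replace)
        print(f"{r.asset:16} tangible=${loss:,.0f} impact={impact_level(loss)} "
              f"expected=${expected_loss(r):,.0f}")
```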
Published by the National Institute of Standards and Technology, the Guide for Conducting Risk Assessments (NIST SP 800-30) includes the following scale for assessing the impact of threats to the business’s assets: