Performing a security risk analysis to assess acceptable level of risk
No organization is ever completely without risk, but there are steps that can be taken to establish an acceptable level of risk that can be appropriately mitigated. In this tip, Michael Cobb explains how to perform a security risk analysis to help determine an acceptable level of risk.
Network risks come in all shapes and sizes: a power outage can shut down an entire network, a hacker can compromise servers, a malicious insider can steal sensitive data on a USB key, and these are just a few of the obvious ones. With so many potential risks it can be difficult to determine which an enterprise can live with, which it can't, and which it can cope with when reduced to an acceptable level of risk.
It's fairly straightforward to cost a backup generator to mitigate the risk of a power outage, but what about an implementation to reduce the risk of hackers successfully breaking into your network? This risk can never be reduced to zero, so it's important to determine how much to spend on lessening it to an acceptable level of risk, not to mention how to decide what an acceptable level actually is. This tip will discuss how to do that by performing an enterprise security risk analysis.
Defining an acceptable level of risk in the enterprise
Acceptable risk levels should be set by management and based on the business's legal and regulatory compliance responsibilities, its threat profile and its business drivers. The effect of risk on the business should also be considered, such as the loss of revenue, unexpected costs or inability to carry on production that would be experienced if a risk actually occurred. Information security professionals need to serve as the intermediary between the threats and management, explaining how underlying security threats could affect business objectives so that management can get the balance between security and the acceptable level of risk right.
For example, instant messaging (IM) can bring certain businesses huge gains in productivity, but the practice opens the door to viruses and malware. Qualitative and quantitative analysis can determine the business value of IM compared to the cost of a virus infection and the cost of an IM enterprise server to reduce the risk of viruses.
But what if the number of IM threats increases dramatically? A business using IM would then need to reassess whether continued IM use was within its acceptable level of risk. If not, it would need to decide whether to ban it, add further security controls or simply improve security awareness training for its staff. Every organization will have its own formulas and methods for measuring risk, but the decision-making process for assessing specific risks should begin with a security risk analysis.
Perform a security risk analysis
An enterprise security risk analysis should involve the following steps:
- Identifying company assets.
- Assigning each asset an owner and ranking the assets in order of criticality.
- Identifying each asset's potential vulnerabilities and associated threats.
- Calculating the risk for the identified assets.
From there, identify the necessary countermeasures to mitigate the calculated risks and carry out cost-benefit analysis for these countermeasures so senior management can decide how to treat each risk. They have four choices based on the benefits and costs involved:
- Accept the risk.
- Avoid the risk.
- Mitigate or modify the risk by implementing the recommended countermeasure.
- Transfer the risk by purchasing insurance.
It's important to understand, however, that no countermeasure can completely eliminate risk. There will always be some risk; to revisit the IM scenario above, even the increased security that an enterprise IM server provides may not fully eliminate the risk of malware infections or data leaks. Ultimately the goal is for this "residual risk" to be below the organization's acceptable level of risk.
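The steps above (asset register with owners and criticality ranking, threats per asset, a risk calculation, a cost-benefit check on countermeasures, and a choice among the four treatments measured against the residual risk) can be worked through numerically. The script below is an added illustration written for this page, not the author's method or any product it mentions; since the article deliberately leaves the formula to each organization, it assumes the common annualized loss expectancy (ALE) model (single loss expectancy = asset value × exposure factor; ALE = SLE × annual rate of occurrence), and every figure in it, including the acceptable-ALE threshold, the IM server's effect and the insurance premium, is a constructed sample value.

```python
"""Quantitative security risk analysis, added worked example (not the article's code).

Assumed model (the article does not prescribe one):
    SLE = asset value * exposure factor        loss per incident
    ALE = SLE * annual rate of occurrence      expected loss per year
A countermeasure is worth implementing when the ALE it removes exceeds its
annual cost AND the residual ALE is within management's acceptable level.
All figures below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Threat:
    name: str
    exposure_factor: float      # fraction of asset value lost per incident, 0..1
    aro: float                  # annual rate of occurrence, incidents per year


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    aro_reduction: float        # fraction by which it cuts incident frequency, 0..1
    ef_reduction: float = 0.0   # fraction by which it cuts loss per incident, 0..1


@dataclass
class Asset:
    name: str
    owner: str                  # every asset gets an accountable owner
    value: float
    criticality: int            # 1 = most critical; used to rank the register


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    return asset.value * threat.exposure_factor


def annual_loss_expectancy(asset: Asset, threat: Threat) -> float:
    return single_loss_expectancy(asset, threat) * threat.aro


def residual_ale(asset: Asset, threat: Threat, control: Countermeasure) -> float:
    """ALE that remains once the control is in place: the article's 'residual risk'."""
    ef = threat.exposure_factor * (1 - control.ef_reduction)
    aro = threat.aro * (1 - control.aro_reduction)
    return asset.value * ef * aro


def treatment(asset: Asset, threat: Threat, acceptable_ale: float,
              control: Optional[Countermeasure] = None,
              insurance_premium: Optional[float] = None) -> str:
    """Choose one of the four treatments against management's acceptable ALE."""
    before = annual_loss_expectancy(asset, threat)
    if before <= acceptable_ale:
        return "accept"              # already within tolerance, no spend needed
    if control is not None:
        after = residual_ale(asset, threat, control)
        # Cost-benefit: the control must pay for itself and leave residual risk acceptable
        if after <= acceptable_ale and (before - after) > control.annual_cost:
            return "mitigate"
    if insurance_premium is not None and insurance_premium < before:
        return "transfer"            # cheaper to insure than to carry the expected loss
    return "avoid"                   # no affordable way to bring it within tolerance


def analyse(register, acceptable_ale: float):
    """register: list of (asset, threat, control or None, insurance premium or None).
    Returns one row per asset/threat pair, most critical asset and largest ALE first."""
    rows = []
    for asset, threat, control, premium in register:
        rows.append({
            "asset": asset.name, "owner": asset.owner, "criticality": asset.criticality,
            "threat": threat.name,
            "ale": round(annual_loss_expectancy(asset, threat), 2),
            "residual_ale": round(residual_ale(asset, threat, control), 2) if control else None,
            "treatment": treatment(asset, threat, acceptable_ale, control, premium),
        })
    rows.sort(key=lambda r: (r["criticality"], -r["ale"]))
    return rows


# Constructed sample register echoing the article's scenarios.
ACCEPTABLE_ALE = 25_000.0   # set by management; a constructed figure here

workstations = Asset("Staff workstations (IM users)", "Head of IT", 500_000, criticality=2)
im_malware = Threat("IM-borne malware", exposure_factor=0.10, aro=2.0)
im_server = Countermeasure("Enterprise IM server", annual_cost=30_000, aro_reduction=0.8)

data_centre = Asset("Data centre", "Facilities manager", 2_000_000, criticality=1)
outage = Threat("Power outage", exposure_factor=0.02, aro=0.5)

payments = Asset("In-house online payment system", "Finance director", 1_500_000, criticality=1)
intrusion = Threat("Network intrusion", exposure_factor=0.30, aro=0.2)
perimeter = Countermeasure("Stronger perimeter defences", annual_cost=40_000, aro_reduction=0.5)

REGISTER = [
    (workstations, im_malware, im_server, None),
    (data_centre, outage, None, None),
    (payments, intrusion, perimeter, 60_000.0),   # premium is a constructed value
]

if __name__ == "__main__":
    for row in analyse(REGISTER, ACCEPTABLE_ALE):
        print(row)
```

With these sample numbers the IM server is worth buying (it removes 80,000 of expected annual loss for 30,000 and leaves 20,000 of residual risk, under the 25,000 threshold), the power outage is accepted because its ALE is already within tolerance, and the payment system's intrusion risk is transferred because the perimeter control alone leaves 45,000 of residual risk; drop the premium from the register and the same function returns "avoid", the choice the article illustrates with Google's withdrawal.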
The risk landscape is always changing and so are businesses. A company that decides to bring its online payment system in-house, for example, is likely increasing the risk of a network attack, so stronger perimeter defenses and security policies to protect the payment system from internal threats would be needed to bring the risk down to an acceptable level. It would also face the additional risk of non-compliance with the Payment Card Industry Data Security Standard (PCI DSS), an example of why any risk analysis must take into account legal obligations and regulatory requirements, as well as business drivers and objectives.
A good example of how the risk landscape can change is the Operation Aurora attack against Google in China. The level of risk from these attacks has become unacceptable to Google and the company's reaction has been to avoid this increased risk; that is, pull out of China. While this is an extreme scenario and most companies are unlikely to be targeted to this extent, it serves to illustrate that risk tolerance can and should be a determining factor not only in how IT security and policy decisions are made, but also in the strategy of the organization as a whole.
As you can see, determining an acceptable level of risk is not a one-off activity, but needs to be undertaken whenever there is a significant change in a business's activities or the environment in which it operates. Whether that means updating policies and training or improving security controls and contingency plans, the risks need constant monitoring to ensure the right balance between risk, security and profit.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.