A risk is the possibility that a threat exploits a vulnerability that results in a loss.
Threats
- Adversarial threats – e.g. hackers
- Accidental threats – e.g. incompetent staff
- Structural threats – e.g. old kit, sharing data with suppliers
- Environmental threats – e.g. weather, earthquakes considered to include power & connectivity outages
Vulnerability – some kind of weakness (e.g. weak software patch management, poor firewall implementation)
In most circumstances its possible to put a monetary figure on the loss (though for the likes of military and government systems this may not be straightforward). In all cases it is important to quantify the level of impact. Obviously high impact risks require more attention than low impact risks.
Risk management is the structured process of addressing risks and generally revolves around a risk assessment.
Risk Assessment steps:
- generate inventory of assets and values
- list threats
- list vulnerabilities
- determine the impact if the vulnerability was exploited
- determine likelihood and that a threat would exploit a vulnerability
Qualitative vs Quantitative
- Qualitative assessment: grade threats, vulnerabilities & impacts as Low, Medium & High
- Quantitative assessment: give percentage likelihoods & monetary loss figures
This would typically be followed by an exercise to determine the risk appetite (where the trade-off lies between the impact of loss and the effort/expense to protect) and the generation of a remediation plan to deal with risks above a certain impact level.
Risk approaches
- Avoidance – exit the activity
- Mitigation – take steps to reduce the risk’s likelihood / impact
- Acceptance – accept the risk of loss as part of doing business
- Transference – sub-contracting, outsourcing, insurance