3. Information risk management

37 Terms

1

Risk - Definition

Risk exists at the intersection of a threat and a corresponding vulnerability.

2

Vulnerability

Example: a scan identifies a server exposing TCP port 22 (SSH) to the outside world, enabling brute-force login attacks.

3

Threat

Example: an attacker with a brute-force scanning tool.

4

Risk identification

Requires identifying the threats and vulnerabilities that exist in your operating environment.

5

Types of risk

  • External risks

  • Internal risks

  • Multiparty risks

  • Legacy systems (posing a unique type of risk to the organization)

  • Intellectual property theft risks

  • Software compliance/licensing risks

6

External risks

Those risks that originate from sources outside the organization, including

  • cybersecurity adversaries,

  • malicious code,

  • and natural disasters,

among many other types of risk.

7

Internal risks

Risks that originate from within the organization, such as

  • malicious insiders,

  • mistakes made by authorized users,

  • equipment failures,

and similar risks.

8

Multiparty risks

Risks that impact more than one organization. For example:

  • a power outage affecting a city block

  • compromise of a SaaS provider's database (which compromises the information of multiple customers at once)

9

Legacy systems

A unique type of risk to the organization. Outdated systems often no longer receive software updates, so cybersecurity professionals must take extraordinary measures to protect such systems against unpatchable vulnerabilities.

10

Intellectual property theft

Information that would compromise the organization's business advantage if disclosed:

  • Trade secrets

  • Other proprietary information

11

Software compliance / licensing risk

When an organization's use of licensed software, intentionally or accidentally, runs afoul of usage limitations, exposing the organization to financial and legal risk.

12

Risk calculation

Consists of two different factors:

  • likelihood of occurrence

  • magnitude of impact

13

Likelihood of occurrence

The probability that the risk will occur, expressed as the percentage chance that the threat will exploit a vulnerability over a specified period of time.

14

Magnitude of impact

The amount of financial damage the organization would suffer if the risk occurs.

15

Risk severity

Risk severity = Likelihood x Impact

16

Risk assessment

A formalized approach to risk prioritization that allows risk reviews to be conducted in a structured order.

17

Risk assessment methodologies

  • Quantitative risk assessment

  • Qualitative risk assessment

18

Quantitative risk assessment

A structured approach to evaluating risks using numerical values and statistical methods to measure the likelihood and potential impact of risks.

19

Qualitative risk assessment

A method of assessing risks based on subjective judgment, descriptions, and categorical ratings rather than numerical values. It helps identify and prioritize risks based on their characteristics.

20

Quantitative risk assessment methodology

  • Determine the asset value (AV), expressed in dollars or another currency.

  • Determine the likelihood that the risk will occur: the number of times the risk is expected to happen each year, known as the annualized rate of occurrence (ARO).

  • Determine the amount of damage that will occur to the asset if the risk materializes. This is known as the exposure factor (EF) and is expressed as the percentage of the asset's value expected to be lost.

  • Calculate the single loss expectancy. The single loss expectancy (SLE) is the amount of financial damage expected each time this specific risk materializes (SLE = AV x EF).

  • Calculate the annualized loss expectancy. The annualized loss expectancy (ALE) is the amount of damage expected from the risk each year (ALE = SLE x ARO).
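As an added worked example (not part of the original flashcards), the following Python carries the AV, EF, ARO, SLE and ALE calculation through a constructed portfolio of three risks, ranks them by ALE, and then compares the annual cost of a hypothetical control against the ALE it removes, which is the cost-justification question that risk acceptance turns on. Every asset value, rate and control figure below is an assumption made up for the illustration.

```python
"""Quantitative risk assessment: SLE, ALE and control cost-benefit.

Added example, not from the original flashcards. Asset values, exposure
factors, ARO figures and control costs are constructed, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0.0 to 1.0)
    aro: float              # annualized rate of occurrence (events per year)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")

    def sle(self) -> float:
        """Single loss expectancy: damage per occurrence (AV x EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected damage per year (SLE x ARO)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # annual cost of operating the control
    new_ef: float        # exposure factor once the control is in place
    new_aro: float       # ARO once the control is in place


def control_value(risk: Risk, control: Control) -> float:
    """Annual value of a safeguard: ALE reduction minus the control's annual cost.

    Positive means the control costs less than the loss it prevents; negative
    suggests accepting the risk or looking for a cheaper control instead.
    """
    mitigated = Risk(risk.name, risk.asset_value, control.new_ef, control.new_aro)
    return risk.ale() - mitigated.ale() - control.annual_cost


def rank_by_ale(risks):
    """Risks ordered for treatment, highest expected annual loss first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed sample portfolio (all values hypothetical).
RISKS = [
    Risk("Ransomware on file server", asset_value=500_000, exposure_factor=0.6, aro=0.2),
    Risk("Laptop theft", asset_value=2_000, exposure_factor=1.0, aro=5.0),
    Risk("Flood in data centre", asset_value=2_000_000, exposure_factor=0.8, aro=0.01),
]

# Hypothetical control: EDR plus offline backups cuts both EF and ARO for ransomware.
EDR_CONTROL = Control("EDR with offline backups", annual_cost=25_000, new_ef=0.1, new_aro=0.1)

if __name__ == "__main__":
    for r in rank_by_ale(RISKS):
        print(f"{r.name:28s} SLE={r.sle():>12,.0f}  ALE={r.ale():>10,.0f}")
    print("Annual value of EDR control against ransomware:", control_value(RISKS[0], EDR_CONTROL))
```

Note that the ranking by ALE differs from ranking by SLE: the flood has by far the largest single loss but, at one event per century, a smaller expected annual loss than ransomware. The control comparison shows the same arithmetic senior leaders want for a budget decision: the ransomware ALE falls from 60,000 to 5,000, so a 25,000-per-year control is worth 30,000 per year.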

21

Qualitative Risk Assessment

Qualitative risk assessment techniques seek to overcome the limitations of quantitative techniques by substituting subjective judgment for objective data. They still use the same probability and magnitude factors to evaluate the severity of a risk, but do so using subjective categories to rate likelihood and impact based on expert opinion and experience, for example "high," "medium," and "low" ratings. This is used where it is not possible to directly calculate the financial impact of a risk.

22

Risk reassessment

The process of regularly reviewing and evaluating risks to ensure that the risk management strategy remains effective. This involves updating risk analyses and considering any changes in the environment or organizational structure. Organizations should maintain a set of Key Risk Indicators (KRIs) that facilitate risk monitoring. KRIs are quantitative measures of risk that can be easily monitored for situations where they exceed a defined threshold value or show a worrisome trend.

Reassessment should take place whenever KRIs or other factors suggest that the risk environment is undergoing a significant change.
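One way to turn KRIs into concrete reassessment triggers, as an added example rather than anything from the original cards: each indicator carries a threshold, a direction (whether higher or lower readings are worse) and a trend window, and a reassessment is flagged when the latest reading breaches the threshold or when the last few readings move steadily in the bad direction. The indicator names, thresholds and weekly readings are constructed for the illustration.

```python
"""Key Risk Indicator (KRI) monitoring for risk reassessment triggers.

Added example, not from the original flashcards. KRI names, thresholds and
the weekly readings are constructed to illustrate the idea.
"""
from dataclasses import dataclass, field


@dataclass
class KRI:
    name: str
    threshold: float
    higher_is_worse: bool = True   # "days to patch" vs "% endpoints with EDR"
    trend_window: int = 3          # consecutive worsening steps that count as a trend
    readings: list = field(default_factory=list)

    def breached(self) -> bool:
        """Latest reading crosses the defined threshold."""
        if not self.readings:
            return False
        latest = self.readings[-1]
        return latest > self.threshold if self.higher_is_worse else latest < self.threshold

    def worsening_trend(self) -> bool:
        """Readings moved in the bad direction for trend_window consecutive steps."""
        if len(self.readings) < self.trend_window + 1:
            return False
        recent = self.readings[-(self.trend_window + 1):]
        steps = list(zip(recent, recent[1:]))
        if self.higher_is_worse:
            return all(b > a for a, b in steps)
        return all(b < a for a, b in steps)


def reassessment_triggers(kris):
    """Return the KRIs that should trigger a risk reassessment, with the reasons."""
    triggers = []
    for k in kris:
        reasons = []
        if k.breached():
            reasons.append("threshold breached")
        if k.worsening_trend():
            reasons.append("worsening trend")
        if reasons:
            triggers.append((k.name, reasons))
    return triggers


# Constructed weekly readings (hypothetical data), oldest first.
KRIS = [
    KRI("Mean days to patch critical CVEs", threshold=14, readings=[9, 10, 12, 13]),
    KRI("% endpoints reporting to EDR", threshold=95, higher_is_worse=False,
        readings=[98, 97, 96, 94]),
    KRI("Open high-severity audit findings", threshold=5, readings=[2, 3, 2, 3]),
]

if __name__ == "__main__":
    for name, reasons in reassessment_triggers(KRIS):
        print(f"{name}: {', '.join(reasons)}")
```

The patching KRI is still under its threshold but has worsened three weeks running, which is exactly the "worrisome trend" case that a threshold-only check would miss until the breach; the EDR coverage KRI trips on both conditions.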

23

Risk treatment

Risk treatment is the process of systematically responding to the risks facing an organization.

24

Risk assessment plays two important roles in the risk management process

  1. The risk assessment provides guidance in prioritizing risks so that the risks with the highest probability and magnitude are addressed first.

  2. Quantitative risk assessments help determine whether the potential impact of a risk justifies the costs incurred by adopting a specific risk treatment approach.

25

Risk management strategies

  1. Risk mitigation

  2. Risk avoidance

  3. Risk transference

  4. Risk acceptance

26

Risk mitigation

The process of applying security controls to reduce the probability and/or magnitude of a risk. Risk mitigation is the most common strategy in risk management.

Each applied security control should

  • reduce the probability that a risk will materialize,

  • reduce the magnitude of the risk if it occurs,

  • or reduce both the probability and the magnitude.

27

Risk avoidance

The risk management strategy by which we change the business practice to completely eliminate the potential that a risk will materialize. Risk avoidance strategies typically have a serious detrimental impact on business operations or objectives.

28

Risk transference

Shifts some of the impact of a risk from the organization experiencing the risk to another entity. The most common example is purchasing an insurance policy that covers the risk.

29

Risk acceptance

Risk acceptance is the final risk management strategy, and it boils down to deliberately choosing not to apply any other risk management strategy and simply continuing operations as normal in the face of the risk. A risk acceptance approach may be warranted if the cost of mitigating a risk is greater than the impact of the risk itself.

30

Risk analysis

  • The inherent risk facing an organization is the original level of risk that exists before implementing any controls.

  • The residual risk is the risk that remains after controls are applied to mitigate, avoid and/or transfer the inherent risk.

  • The risk appetite is the level of risk that the organization is willing to accept as a cost of doing business.

An organization begins with its inherent risk and then implements risk management strategies to reduce that level of risk. It continues doing so until the residual risk is at or below the organization's risk appetite.

31

Control Risk

The world of public accounting brings us the concept of control risk. Control risk is the risk that a company's internal controls will not prevent or detect material misstatements in financial reporting. Information technology risks contribute to control risks if they jeopardize the integrity or availability of financial information. For this reason, financial audits often include tests of the controls protecting financial systems.

32

Risk matrix / Risk heat map

  • Used to communicate risk management concepts to senior leaders

  • Quickly summarizes risks and allows senior leaders to quickly focus on the most critical risks facing the organization and how those risks might impact organizational goals and objectives.

  • The matrix categorizes risks based on their likelihood and impact, helping prioritize risk mitigation efforts.
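The risk severity formula (Likelihood x Impact) and the qualitative "high / medium / low" ratings from the earlier cards come together in a risk matrix. The Python below is an added example, not from the original flashcards: it scores each risk from ordinal likelihood and impact labels, maps the score to a band, orders the register for treatment, and renders the 5x5 grid of counts that a heat map shows leadership. The five-step scales, the band boundaries and the sample register are all choices made up for the illustration.

```python
"""Qualitative risk scoring and a risk matrix (heat map).

Added example, not from the original flashcards. The rating scales, the
band boundaries and the sample risks are constructed for illustration.
"""
# Ordinal scales: position in the list is the score, so order matters.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
IMPACT = ["negligible", "minor", "moderate", "major", "severe"]


def severity(likelihood: str, impact: str) -> int:
    """Risk severity = likelihood x impact, using 1-based ordinal scores (1..25)."""
    return (LIKELIHOOD.index(likelihood) + 1) * (IMPACT.index(impact) + 1)


def band(score: int) -> str:
    """Map a 1..25 severity score to a qualitative band (boundaries are a policy choice)."""
    if score >= 15:
        return "HIGH"
    if score >= 6:
        return "MEDIUM"
    return "LOW"


def prioritise(risks):
    """Risk names sorted for treatment: highest severity first, then by name for stability."""
    scored = [(severity(lk, im), name) for name, lk, im in risks]
    return [name for _, name in sorted(scored, key=lambda t: (-t[0], t[1]))]


def heat_map(risks) -> str:
    """Render likelihood (rows, most likely on top) x impact (columns) as a grid
    of counts, the shape senior leaders see in a heat map."""
    counts = {}
    for _, lk, im in risks:
        counts[(lk, im)] = counts.get((lk, im), 0) + 1
    width = max(len(x) for x in LIKELIHOOD)
    header = " " * width + " | " + " ".join(f"{im[:4]:>4}" for im in IMPACT)
    lines = [header]
    for lk in reversed(LIKELIHOOD):
        cells = " ".join(f"{counts.get((lk, im), 0):>4}" for im in IMPACT)
        lines.append(f"{lk:>{width}} | {cells}")
    return "\n".join(lines)


# Constructed register: (risk, likelihood rating, impact rating).
REGISTER = [
    ("Phishing leads to credential theft", "likely", "major"),
    ("Legacy ERP unpatchable RCE", "possible", "severe"),
    ("Lost unencrypted USB stick", "possible", "moderate"),
    ("Office flood", "rare", "major"),
]

if __name__ == "__main__":
    for name, lk, im in REGISTER:
        print(f"{band(severity(lk, im)):6s} {severity(lk, im):2d}  {name}")
    print()
    print(heat_map(REGISTER))
```

Unknown labels raise a ValueError from `list.index`, which is the behaviour you want from a scoring function: a typo in a rating should fail loudly rather than silently score as zero. Multiplying ordinal scores is a convention, not a measurement, so the band boundaries should be agreed with the people who will read the matrix.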

33

Enterprise Risk Management

As organizations seek to adopt a systematic approach to enterprise risk management, they should work to integrate risk management practices into normal business and information technology processes. Mature organizations don't treat risk management efforts as siloed projects but rather as integral components of their day-to-day work. For example, the following areas should incorporate risk management:

  • Software and systems development: New and modified systems are a potential source of risk to the organization. Integrating risk assessment and response practices helps ensure that the organization builds security in from the start and does not need to "bolt on" security controls after the fact in a costly and error-prone approach.

  • Procurement: Any new or renewing relationship with a vendor should include a formal risk assessment that identifies potential risks associated with the relationship and implements appropriate risk treatments.

  • Project management: Project management procedures should incorporate risk assessments that identify new or changed risks that arise during the course of a project and address them appropriately.

34

Disaster recovery planning

The disaster recovery planning process creates a formal, broad disaster recovery plan for the organization and, when required, develops specific functional recovery plans for critical business functions. The goal of these plans is to help the organization recover normal operations as quickly as possible in the wake of a disruption.

35

Disaster types

  • Natural disasters (flood, hurricane, earthquake)

  • Human-origin disasters, whether external (terrorism, cyber attack) or internal to the organization

From a disaster recovery planning perspective, a disaster is any event that has the potential to disrupt an organization's business.

36

Business Impact Analysis

The Business Impact Analysis (BIA) is a formal process designed to identify the mission-essential functions within an organization and to identify the critical systems that support those functions. Key metrics:

  • MTBF: Mean time between failures is a measure of the reliability of a system. It is the expected amount of time that will elapse between system failures.

  • MTTR: Mean time to repair is the average amount of time needed to restore a system to its normal operating state after a failure.

  • RTO: Recovery Time Objective is the amount of time that the organization can tolerate a system being down before it is repaired. Expectations are met when the time to repair is less than the RTO.

  • RPO: Recovery Point Objective defines the maximum acceptable amount of data loss, measured in time. It indicates how far back in time data must be restorable after a failure to keep the impact on the organization acceptable.
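The four BIA metrics are only useful when checked against each other: MTBF and MTTR describe what a system actually does, RTO and RPO describe what the business can tolerate. The Python below is an added example (not from the original flashcards) that derives steady-state availability and expected yearly downtime from MTBF and MTTR, then tests each system's MTTR against its RTO and its backup interval against its RPO, reporting the gaps. The systems, metric values and backup intervals are constructed for the illustration.

```python
"""BIA metrics: MTBF, MTTR, RTO and RPO checked against each system's design.

Added example, not from the original flashcards. Systems, metric values and
backup intervals are constructed for illustration.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760


@dataclass(frozen=True)
class SystemProfile:
    name: str
    mtbf_hours: float             # mean time between failures (observed)
    mttr_hours: float             # mean time to repair (observed)
    rto_hours: float              # tolerated downtime per incident (business requirement)
    rpo_hours: float              # tolerated data loss, in time (business requirement)
    backup_interval_hours: float  # how often a recoverable copy is taken (design)

    def availability(self) -> float:
        """Steady-state availability = MTBF / (MTBF + MTTR)."""
        return self.mtbf_hours / (self.mtbf_hours + self.mttr_hours)

    def expected_downtime_per_year(self) -> float:
        """Expected outage hours per year: failures per year x repair time."""
        failures_per_year = HOURS_PER_YEAR / self.mtbf_hours
        return failures_per_year * self.mttr_hours

    def rto_met(self) -> bool:
        """The RTO is met when the time to repair is below the objective."""
        return self.mttr_hours < self.rto_hours

    def rpo_met(self) -> bool:
        """Worst-case data loss equals the backup interval; it must not exceed the RPO."""
        return self.backup_interval_hours <= self.rpo_hours


def bia_gaps(systems):
    """Systems whose recovery design misses a business objective, with each gap named."""
    gaps = []
    for s in systems:
        missed = []
        if not s.rto_met():
            missed.append(f"RTO: MTTR {s.mttr_hours}h >= RTO {s.rto_hours}h")
        if not s.rpo_met():
            missed.append(f"RPO: backups every {s.backup_interval_hours}h > RPO {s.rpo_hours}h")
        if missed:
            gaps.append((s.name, missed))
    return gaps


# Constructed sample systems (hypothetical figures).
SYSTEMS = [
    SystemProfile("Order database", mtbf_hours=4380, mttr_hours=2,
                  rto_hours=4, rpo_hours=1, backup_interval_hours=0.25),
    SystemProfile("Public web site", mtbf_hours=720, mttr_hours=6,
                  rto_hours=4, rpo_hours=24, backup_interval_hours=24),
    SystemProfile("HR file share", mtbf_hours=2190, mttr_hours=8,
                  rto_hours=24, rpo_hours=4, backup_interval_hours=24),
]

if __name__ == "__main__":
    for s in SYSTEMS:
        print(f"{s.name:16s} availability={s.availability():.4%} "
              f"expected downtime/yr={s.expected_downtime_per_year():.1f}h")
    for name, missed in bia_gaps(SYSTEMS):
        print(f"{name}: " + "; ".join(missed))
```

The web site is highly available on paper yet fails its RTO on every incident, while the file share is reliable but would lose up to a day of data against a four-hour RPO; both are BIA findings that a single availability percentage would hide.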

37

Single point of failure

As organizations evaluate the state of their environment, they should pay particular attention to single points of failure. A single point of failure (SPOF) is a component or aspect of a system whose failure would lead to the failure of the entire system; it highlights the need for redundancy and risk mitigation strategies in planning.

For example:

  • Only one power supply

  • A single server providing the organization's web page