I wrote this in 2018 and don’t believe it ever made it to the interwebs, so I’m basically posting as is with an extra section for some useful links! Hopefully it still stands the test of time!
Risk Management doesn’t have to be risky!
Risk assessments are complex: they require cross-domain knowledge and generally do not deal in absolutes. Threat, vulnerability and asset intelligence are combined, weighed and assessed, leading to the construction of a risk assessment document. It is easy to overcomplicate this process, which in turn (in my experience) often has far wider-reaching consequences (the business starts to bypass security management or take short cuts), so I thought I would write a short post to set out what I’ve seen work in the field. So, to start with, let’s try to align on what exactly a risk is.
What is a risk?
According to NIST the following is a definition of an information security risk:
Risk: Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization
This leads us to need to understand threats and vulnerabilities:
Threat: The potential for a threat source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability
Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy
Risk management is the combination of risk assessment and risk treatment.
Quantitative vs Qualitative Risk Assessments
Risk assessments are not black and white; they come in many shades of grey. There are many different frameworks that can be leveraged (OCTAVE, FAIR, NIST RMF, TARA, etc.).
The big wide world – Risk management and real-world experience
Over years of consulting and working on many sensitive projects, some key principles seem to apply if risk management is to improve security posture whilst keeping the business flowing. To that end I’ve tried to set out a few of the key elements that I think allow risk management to deliver business value (and of course increase security posture!):
- Construct a risk appetite statement, this will set out the risk tolerances and define a risk acceptance policy.
- Risk assessment should be preceded by asset discovery, crown jewel analysis, data flow modelling and threat modelling.
- Leverage a risk assessment method that works with the stakeholders; an overly complex risk formula and a convoluted process will greatly reduce the value of the risk management process.
- Risk statements must be relevant to the audience/business
- The risk management discovery process should include views and viewpoints from a range of areas
- Risk statements should be pragmatic and deal with relevant threats and vulnerabilities.
- A risk assessment should be conducted with a sound understanding of the business and equally sound technical discovery.
- Risk assessments should include a statement of the current-state controls.
- Risk assessments must include risk treatment plans; without these, the output of the risk management process has severely limited value.
- Risk management needs a working group, committee or similar to review and work through the risks; it’s important there is sufficient representation across domains so that focus is not only in one area, e.g. availability.
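As an added example (not from the original post), here is a small qualitative risk register that ties the NIST definition above (risk as a function of likelihood and impact) to the points in the list on the risk appetite statement, current-state controls and treatment plans. The 5-point scales, rating cut-offs, appetite of "medium" and the sample register entries are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed 5-point scales; real scales come from the organisation's risk appetite statement.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
BANDS = ["low", "medium", "high", "critical"]

def rate(score):
    """Band a likelihood x impact score into a qualitative rating (assumed cut-offs)."""
    return "critical" if score >= 15 else "high" if score >= 10 else "medium" if score >= 5 else "low"

@dataclass
class Risk:
    statement: str            # risk statement written for the business audience
    threat: str               # threat source that could exercise the weakness
    vulnerability: str        # flaw or weakness that could be exercised
    current_controls: list    # current-state controls, already in place
    likelihood: str           # LIKELIHOOD key, judged with current controls in place
    impact: str               # IMPACT key
    treatment_plan: str = ""  # empty string means no treatment plan agreed yet

def assess(register, appetite):
    """One finding per risk: score, rating, whether it is within the appetite (the highest
    rating the appetite statement tolerates) and whether a required treatment plan is missing."""
    findings = []
    for r in register:
        score = LIKELIHOOD[r.likelihood] * IMPACT[r.impact]
        rating = rate(score)
        within = BANDS.index(rating) <= BANDS.index(appetite)
        findings.append({
            "statement": r.statement,
            "score": score,
            "rating": rating,
            "within_appetite": within,
            # above appetite and no treatment plan: the assessment output has limited value
            "needs_treatment_plan": not within and not r.treatment_plan,
        })
    return findings

# Constructed sample register; an appetite of "medium" is an assumed value.
REGISTER = [
    Risk("Customer records exposed through an unpatched web server", "external attacker",
         "missing security patches", ["monthly patching", "web application firewall"],
         "possible", "major"),
    Risk("Payroll unavailable after storage array failure", "hardware failure",
         "single storage array", ["daily backups"], "unlikely", "moderate",
         treatment_plan="add second array, owner: IT ops, due Q3"),
]
FINDINGS = assess(REGISTER, appetite="medium")
```

Risks that come out above appetite without a treatment plan are the ones to take to the working group; risks within appetite are candidates for acceptance under the acceptance policy.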
References and Supporting Materials
Risk Appetite Guidance Note (publishing.service.gov.uk)
Management of risk in government: framework – GOV.UK (www.gov.uk)
Risk management guidance – NCSC.GOV.UK
There is no one way to manage risk; each organisation should adapt and adopt good practices (I’d strongly recommend tailoring a risk management and assessment framework, and keeping it as simple as it can be to achieve the goal). Generally, the key aims are to provide a view of current-state assets, threats and vulnerabilities, and to enable the business to deliver its mission while ensuring all corporate, legal and regulatory requirements are met. Hopefully some of the tips in this blog will help you avoid a messy risk management meeting or two!