
Investing in a risk management process

December 9th, 2005

Security risk management requires a proactive approach that can assist organisations of all sizes. A formal security risk management process enables enterprises to operate in the most cost efficient manner with a known and acceptable level of business risk. It also gives organisations a consistent, clear path to organise and prioritise limited resources in order to manage risk. You will realise the benefits of using security risk management when you implement cost-effective controls that lower risk to an acceptable level.

Unfortunately, risk analysis is lacking in the world of IT security. It is important for your company to collectively decide on a common definition of acceptable risk as this will impact the overall approach to manage risk. There are many risk management models in use today. Each model has trade-offs that balance accuracy, resources, time, complexity, and subjectivity.

Investing in a risk management process, with a solid framework and clearly defined roles and responsibilities, prepares the organisation to articulate priorities, plan to mitigate threats, and address the next threat or vulnerability to the business. Additionally, an effective risk management program will help the company to make significant progress toward meeting new legislative requirements.

Comprehensive risk analysis should underpin every security strategy. Not only does it help when explaining attacks to executives, it also provides a valuable tool for assessing current security initiatives and spend. Determining quantitative risk is a three-part process:

1) Determine the cost of an individual compromise

2) Estimate its likely annual frequency

3) Determine the amount of risk which cannot be removed

The first step is among the most involved, yet it is also quite straightforward. Through close liaison with staff members from other departments, particularly finance, you can begin to put a monetary figure on each type of attack your organisation could potentially face. As a crude example, company X has 1000 consultants who all bill at £100 per hour. A virulent virus takes the mail server down for half of those consultants for 30 minutes, preventing them from performing billable work. You now know the Single Loss Expectancy (SLE) for this kind of virus attack is £20,000.

There is a little less science involved in step two – predicting Annual Loss Expectancy (ALE). It can be extremely tricky determining how often your organisation is going to face a particular threat within the next 12 months. Security threats are not seasonal and do not lodge a timesheet. The best place to start is your organisation's historical records. How many times was a particular attack attempted, and how often was it successful? It won't give you the complete picture, but it is a good start.

Another good idea is to check in with the 'industry experts'. Find out what they believe the main upcoming risk areas will be. Let's say the likelihood of the example SLE (above) happening is four times a year; then the ALE is $100,000. Many organisations stop the quantifiable risk analysis when they get to step two. This is because ALE is a powerful decision-making tool when it comes to security purchasing decisions.

If the cost of the equipment is less than the ALE, then it is a good buy; if not, further assessment needs to be performed. However, the board and some executives aren't only interested in whether the latest piece of security software is good value; they also want to know the company's chance of exposure if they were to go without it.

The effectiveness of the security software (the control) in reducing the risk of an attack is known as the 'controls gap'. Basically, it is an assessment of the current environment's ability to mitigate the nominated risk and the influence this has on the financial equation.

Multiplying the total risk for an asset by the controls gap will identify the remaining residual risk: the risk that cannot be removed. In the future, quantitative risk information will be completely automated and updated in real time. Until then, grab a calculator, take a deep breath and make your way to the boardroom.
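The three-step calculation described above (SLE, ALE, then residual risk via the controls gap), as an added worked example that is not part of the original article. The scenario figures, the `Scenario` fields and the `assess` helper are constructed for illustration; the controls gap is modelled as the fraction of annual risk current controls do not mitigate.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat scenario: who is stopped from billable work, for how long, how often."""
    affected_staff: int       # people whose billable work is blocked by one incident
    hourly_rate: float        # billing rate per person per hour (currency units)
    outage_hours: float       # downtime per incident, in hours
    annual_frequency: float   # expected incidents per year (step two)
    controls_gap: float       # share of risk current controls do NOT mitigate (0 = fully mitigated, 1 = unmitigated)

    def __post_init__(self) -> None:
        # Guard the two inputs that are easiest to get wrong in a boardroom spreadsheet.
        if not 0.0 <= self.controls_gap <= 1.0:
            raise ValueError("controls_gap must be between 0 and 1")
        if min(self.affected_staff, self.hourly_rate, self.outage_hours, self.annual_frequency) < 0:
            raise ValueError("scenario inputs cannot be negative")


def single_loss_expectancy(s: Scenario) -> float:
    """Step one: cost of a single compromise, here lost billable time."""
    return s.affected_staff * s.hourly_rate * s.outage_hours


def annual_loss_expectancy(s: Scenario) -> float:
    """Step two: SLE scaled by the expected number of incidents per year."""
    return single_loss_expectancy(s) * s.annual_frequency


def residual_risk(s: Scenario) -> float:
    """Step three: total annual risk multiplied by the controls gap is the risk that remains."""
    return annual_loss_expectancy(s) * s.controls_gap


def assess(s: Scenario, annual_control_cost: float) -> dict:
    """Boardroom summary: the purchasing rule (control cost below ALE) plus what is left over."""
    ale = annual_loss_expectancy(s)
    return {
        "sle": single_loss_expectancy(s),
        "ale": ale,
        "residual_risk": residual_risk(s),
        "good_buy": annual_control_cost < ale,  # the article's rule of thumb
    }


# Constructed sample (not the article's figures): 400 consultants at 100/hour lose half an hour, four times a year.
MAIL_SERVER_VIRUS = Scenario(affected_staff=400, hourly_rate=100.0, outage_hours=0.5,
                             annual_frequency=4, controls_gap=0.25)

if __name__ == "__main__":
    for name, value in assess(MAIL_SERVER_VIRUS, annual_control_cost=30_000).items():
        print(f"{name}: {value}")
```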
