Risk management is a crucial business concept that has been with us for a very long time, but which must be reexamined in the context of Information Technology. Risk, in business, is an assessment of the probability of encountering a threat or problem, and understanding the resulting impact should that threat be realized. Risk assessment typically includes identification, assessment, and prioritization of risk, and the deployment of resources to minimize the likelihood of a problem, or to mitigate the impact of a problem if it should occur.
IT risk management, including security risk management, is risk assessment as it relates to information systems specifically, and is only one of many areas of risk an organization must take into account. However, it has become one of the most important areas for organizations to consider when assessing risk, as data and information are now among a business’s most valuable assets. Complicating matters, because information management and technology requires that systems must function in extremely complex and interconnected ways, these systems present vulnerabilities that are unique to information-intensive environments.
Defining Risk Management in IT
Security risk in the IT space specifically refers to the possible harm that may arise from various vulnerabilities in information-oriented systems and processes. IT risks include failures in the availability of an information system or the integrity of the data stored there, including protection from accidental causes such as natural disasters or hardware failure, as well as the confidentiality of data and safety from attack or misuse. IT Security Risk Assessment is specifically focused on this latter area, but must incorporate this concern into larger Risk Assessment plans.
Risks posed to information systems can be classified as one of the following:
- Natural Threats: Earthquakes, hurricanes
- Human Threats: Intentional (malicious attacks, sabotage) or accidental (errors in data entry)
- Environmental Threats: Water damage, structural failure
- Equipment Failure Threats: Power failure, backup failure
The goals of security risk management are:
- Assessing security risks and vulnerabilities
- Setting risk tolerance – how much risk is acceptable?
- Understanding risk probabilities
- Implementing safeguards and protections – basic solutions like encryption and malware
- Staying current with the state of cyber-security, both attacks and state-of-the-art protections
- Ensuring senior management understands the importance of good safeguards and good data governance
- Ensuring business and IT needs are met
- Creating training programs for employees, partners, and vendors, to limit the vulnerabilities to social engineering attacks
Components of risk management
Security risk management is built on four essential cornerstones help define the scope of the task: framing risk, assessing risk, responding to risk, and monitoring vulnerabilities. To some extent, these are iterative processes rather than linear, so although framing risk may be a foundational step that informs assessing risks, the outcomes of risk assessment will likewise inform further framing of risk.
Framing risk describes the environment in which risk-based decisions are made, for the purpose of creating a realistic and effective risk management strategy. This is an important step because in order to correctly assess risk, it is necessary to understand the context in which risk occurs. For instance, in order to service customers, a business may need to make an ecommerce application available to their customers, but by doing so, they open up an entry point for malicious attacks. The company must take this risk in order to do business, so the risk must be assumed. Further steps will provide prevention and response plans, but context dictates that the risk cannot be avoided.
In order to frame risk in a realistic and credible way, organizations should try to define:
- Specific risks – system breaches, social engineering infiltration
- Characteristics of the risk- assumptions about the threats and vulnerabilities, the probability of the risk, the consequences and impact
- Risk tolerance- levels and types of risk; to what degree risk is acceptable
- Prioritization of risks – which risks merit the most attention for mitigation and response plans
Assessing risk is performed in order to assure that prioritization is correctly done so that resources can be correctly and efficiently deployed to prevent or mitigate risk, to monitor systems based on both vulnerability and value, and to identify the consequences and impact of a threat.
In risk assessment, goals are to:
- Identify what threats to the organization exist
- Define the internal and external vulnerabilities
- Quantify the impact of a security failure
- Understand what the probability is that harm will occur.
The end result of risk assessment is a clear determination of risk –that is, how likely a security failure is to occur, how much damage can result, and what is the likelihood that this outcome will happen.
- Responding to an identified risk is an important goal of security risk management. This is not the same as responding to an actual attack, although this part of the planning should include a response plan for dealing with breaches once they occur. But in the risk assessment process, responding to a risk means deciding how to deal with that risk: what resources can be devoted to its mitigation, prevention, and monitoring. The goal is to ensure that there exists a defined, pan-organizational response to risk that is proportional to the risk’s priority. Each identified risk should have multiple responses identified to deal with it, also prioritized. The primary ways of responding to risk are:
- Monitoring risk over time is done to:
- verify that the security plan is implemented;
- ensure that plan provisions are in keeping with organizational missions and business requirements, including legislative and regulatory requirements;
- measure the effectiveness of the security risk management policy following implementation;
- continue to identify new technological risks as they appear;
- be informed of business changes and be able to identify any new risks associated with such changes;
- Ensure that new risks are incorporated into the plan as needed.
At all points it is important to define how compliance is achieved and how it is verified, and how effective the security risk plan is on an ongoing basis. A thorough plan will include what methodology is used to measure compliance and effectiveness.
Process for Managing IT Security Risk
Security risk management in the IT space demands the participation of an entire organization, integrating the requirements of all aspects of the business with the needs and expertise of IT in order to effectively negate or minimize the risk of an attack or failure of an organization’s systems. These systems include collection, storage, and processing systems, as well as – most likely – a company’s web site and online customer-facing applications.
The potential failure of such critical systems must be made clear to executives so they understand why they must be committed to security risk management as an essential business requirement. Only with the full support of senior management can sufficient resources be found to create, implement, and sustain effective security risk management programs.
Although some attempts have been made to make it mathematical, risk management is not a perfect science, and is generally based on estimates and incomplete information. But the more one can understand of the impact of security risk management on the organization as a whole, the more one can assess risks and consequences accurately.
NIST suggests security risk management programs be implemented using a three-tiered system, with each tier feeding down and helping to define the tiers below it:
Organizations must be committed to IT security risk management as a fundamental business requirement, as data is now a valuable – and sometimes heavily regulated – asset. Organizations should have the following security risk management measures in place:
- Governance policies to ensure that an IT security risk management plan is in place, to ensure that the risk management plan aligns with business objectives, that resources are allocated to address risk management, that outcomes are measured, monitoring continued, and that the goals of the plan are achieved.
- The Risk Executive is established as a role or position within the company to drive the continuing development and implementation of security risk management strategies. The Risk Executive ensures compliance with the risk management plan and its goals, maintains ongoing risk assessments to ensure the plan stays current with the risks, collects input from all areas of the organization to assure all forms of risk are being considered, and to assume any other responsibilities associated with implementing and maintaining a security risk management plan.
- A Risk Management Strategy, as discussed above, is formalized and implemented.
Mission/business process level
Business processes and organizational missions help inform security risks, and in turn are informed by Tier 1 activities to incorporate policies to minimize risk and mitigate damage. Business stakeholders can help with this goal by implementing:
- Risk-aware business processes that, according to NIST, “explicitly take[s] into account the likely risk such a process would cause if implemented.” In other words, when developing risk-aware business processes, it cannot be done in a vacuum, but by its own definition, includes the awareness of risk in a new process. The more aware, the more the business process owner can contribute to mitigating IT security risks.
- Enterprise architecture to ensure all organizational assets are stored and accessed in compliance with governance models. A unified architecture allows enforcement of defined security policies across the organization.
- Information security architecture is the part of the enterprise architecture that is dedicated to ensuring that security needs are met, including regulatory requirements, across an organization.
Information systems level
This tier is focused on ensuring that security risk needs are met at a systems level, at all phases of a system lifecycle: initiation, development and acquisition, implementation, operations and maintenance, and finally, disposal.
The NIST model is useful to envision how a security risk management plan should look, and with that model in mind, one starts in Tier 1 by identifying threats and vulnerabilities, determining the likelihood of each, and defining the impact for each risk. Different methodologies can be used to do this, most of them falling into one of the following categories:
Quantitative risk assessment does its best to allow assessment by the numbers, assigning values to information, systems, client application activity, recovery costs, and so on. By doing so, risk and impact can be measured. Depending on how detailed this numeric assignment can be made, direct and indirect costs can be assigned, and risk levels derived from that. Indirect costs are difficult to measure, however. Information is particularly tricky to assign a value to. Many numbers in such an assessment are largely guessed at, and thus a large margin of error is unavoidable in quantitative risk assessments for information systems.
In addition, the cost-effectiveness of trying to do a quantitative risk analysis on an information system, with all of its assets and sometimes petabytes of data, quantitative risk assessment is often not cost-effective. However, if the data can be reliably valued, qualitative risk assessment is a powerful tool, especially when communicating with numbers people – very often the people who allocate resources?
- Qualitative risk assessment provides an alternative when the numbers are not well known, but the results are accordingly less concise. Qualitative risk assessment looks at risk and impact and assigns values in subjective terms, usually resulting in risk results rated high to low, either in descriptive words or in scales of one to five or ten. These numbers or qualities are much harder to use to communicate urgency to management, but defining risk as “low” “medium” or “high” may be more accurate than trying to calculate from unreliable values.
IT security risk management is based on good information from experts in the industry. Many companies believe they have successfully fostered a culture of security and care, and maybe they have. No matter how careful your people are, no matter how robust your systems, risk exists, and it’s important to fully understand an organization’s existing vulnerabilities, and to have a response plan in place for each of them. This is the crux of IT security risk management: to know what that risk is, and to build your business in the way best designed to mitigate or balance the risks.