For the Information Security professional, ‘Risk’ is at the hub of everything she or he does. Every Information Security framework, every Data Protection Impact Assessment will start with a Risk Assessment.
However, the word ‘Risk’ is often mis-used. We listen to the weather forecast and we hear that there is a “Risk of rain” and so we may take an umbrella to work. But what we’re really hearing is that there is a ‘likelihood’ or ‘possibility’ of rain. We know that ‘Risk’ is a calculation of ‘Likelihood’ multiplied by ‘Impact’ so what our forecaster is actually saying is “It is quite likely to rain today and if you get caught outside when it does you’ll get wet”. Rain is ‘Likely’ and getting wet is the ‘Impact’. Multiply the two together and our ‘Risk’ is really how wet we might actually get. Our Risk mitigation is to take an umbrella.
In the world of Information Security and Data Protection we have to be far more specific if our Risk Assessments are going to be of any use. So we must qualify our Likelihood and Impact statements and quantify the resultant Risk. We do this by clearly defining what the Likelihood of an event is and what the Impact will be if the event actually happens. We then add weight to those statements by grading the Likelihood and the level of Impact.

The simplest way is to rate each as ‘Low’, ‘Medium’ or ‘High’. A Low Likelihood combined with a Medium Impact might then be recorded as a Medium Risk. This is a quick and dirty assessment, as we have not stated what a Low, Medium or High Risk actually means (is a High Risk catastrophic or merely an annoyance?). We could instead grade our Likelihoods and Impacts on a finer scale, say ‘Very Low’, ‘Low’, ‘Medium’, ‘High’ and ‘Very High’. But this becomes very messy when we start trying to multiply ‘Very Low’ by ‘Medium’: is the result ‘Low’, ‘Medium’ or somewhere in between?

So what we do is give each grade a number. ‘Very Low’ becomes 1, ‘Low’ becomes 2 and so on until we reach ‘Very High’, which is 5. Now, when we multiply ‘Very Low’ by ‘Medium’ we are actually calculating 1 x 3 = 3 on a scale that runs from 1 to 25. Whether a 3 is reported as ‘Low’ or ‘Medium’ is then a matter of where we draw the band boundaries on that scale, and those boundaries must be written down alongside the scale itself. We add weight to each band by defining what it obliges us to do: a Medium Risk, say, is something that needs the attention of the Board, may carry a financial penalty, or may simply need monitoring.
Not only does this make our Risk calculations much simpler (they can easily be automated too), it also lets us present the results graphically, which Boards just love! It gives us much more ammunition to drive changes in Information Security practices. A Risk Score of 20 (graded High and coloured Red) should make the Board sit up and take notice. We can then demonstrate that a few simple changes to reduce the Likelihood or Impact of an event will quickly bring the Risk down to, say, 15 (Medium and coloured Amber). One caveat: the scores are ordinal, not measurements, so a 20 is not ‘twice as bad’ as a 10, and a one-step change in Likelihood moves the score by a different amount depending on the Impact it is multiplied by. The numbers are there to rank and to communicate, not to be added up across the register.
For example: if we let every employee have uncontrolled access to the Internet then it is highly likely that there will be a successful cyber-attack, even if only an untargeted, opportunistic piece of malware. The impact may only be an annoyance if, as we hope, patching and Anti-Virus signatures are up to date. But it could be opportunistic Ransomware, which is far more damaging. Now if we get backing from our Board to introduce Internet controls, so that only approved categories of web site are available and downloads are disabled without the relevant permissions, then straight away we have reduced the Likelihood of a successful attack. Any change that affects the workforce must be followed up with education through policies, procedures and maybe a lunchtime presentation. It is always important to explain to employees why the changes are necessary.
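The scoring described above is easy to automate, and doing so forces the two things the prose leaves implicit: the band boundaries on the 1 to 25 product scale, and the rule for what counts as a ‘change of band’. The following is an added Python example written for this page, not code from the article or from any particular framework. The 1 to 5 scale and the words for each grade come from the article; the band thresholds (1 to 7 Low/Green, 8 to 15 Medium/Amber, 16 to 25 High/Red), the band descriptions, and the Likelihood 4 and Impact 5 assigned to the uncontrolled-Internet scenario are assumptions made for the illustration.

```python
"""Five-point Likelihood x Impact risk scoring with explicit rating bands.

Added example for this article. The 1-5 grades are the article's; the band
thresholds and the sample register entry are assumptions for illustration.
"""
from dataclasses import dataclass, replace

# The five-point scale from the article, used for both Likelihood and Impact.
LEVELS = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}
NAMES = {v: k for k, v in LEVELS.items()}

# Assumed rating bands on the 1-25 product scale (inclusive lower bound),
# highest first. The article does not fix these; each organisation must
# write its own down, together with what each rating obliges it to do.
BANDS = (
    (16, "High", "Red"),     # needs Board attention now
    (8, "Medium", "Amber"),  # needs an owner and a monitored action plan
    (1, "Low", "Green"),     # accept and review at the next cycle
)


def level(value: int) -> int:
    """Validate a Likelihood or Impact value against the 1-5 scale."""
    if value not in NAMES:
        raise ValueError(f"level must be 1..5, got {value!r}")
    return value


def band(score: int) -> tuple[str, str]:
    """Map a 1-25 product score to its (rating, colour) band."""
    for floor, rating, colour in BANDS:
        if score >= floor:
            return rating, colour
    raise ValueError(f"score out of range: {score}")


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    impact: int

    def __post_init__(self) -> None:
        level(self.likelihood)
        level(self.impact)

    @property
    def score(self) -> int:
        # Risk = Likelihood x Impact, the calculation the article describes.
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        return band(self.score)[0]

    def describe(self) -> str:
        rating, colour = band(self.score)
        return (f"{self.name}: {NAMES[self.likelihood]} likelihood x "
                f"{NAMES[self.impact]} impact = {self.score} ({rating}, {colour})")


def apply_control(risk: Risk, likelihood_delta: int = 0, impact_delta: int = 0) -> Risk:
    """Residual risk after a control shifts one or both factors.

    Values are clamped to the scale, so a control can never push a factor
    below 'Very Low' or above 'Very High'.
    """
    def clamp(v: int) -> int:
        return max(1, min(5, v))
    return replace(risk,
                   likelihood=clamp(risk.likelihood + likelihood_delta),
                   impact=clamp(risk.impact + impact_delta))


def band_changing_options(risk: Risk) -> list[tuple[str, int, str]]:
    """Single-step reductions of either factor that move the risk to a
    different band. This is the 'ammunition' for the Board: it shows which
    one-notch change actually gets a Red risk down to Amber, and which does
    not because the product scale is not uniform."""
    options = []
    for factor, deltas in (("likelihood", (-1, 0)), ("impact", (0, -1))):
        residual = apply_control(risk, *deltas)
        if residual.rating != risk.rating:
            options.append((factor, residual.score, residual.rating))
    return options


# Constructed register entry mirroring the uncontrolled-Internet scenario.
# The 4 and 5 are assumed grades, not figures from the article.
UNCONTROLLED_INTERNET = Risk("Uncontrolled Internet access", likelihood=4, impact=5)

if __name__ == "__main__":
    print(UNCONTROLLED_INTERNET.describe())
    for factor, new_score, new_rating in band_changing_options(UNCONTROLLED_INTERNET):
        print(f"  reduce {factor} one step -> {new_score} ({new_rating})")
    # Web-category filtering and download controls reduce Likelihood by one grade.
    print(apply_control(UNCONTROLLED_INTERNET, likelihood_delta=-1).describe())
```

Run as a script it scores the scenario at 20 (High, Red), then shows that dropping Likelihood one grade gives 15 (Medium, Amber) while dropping Impact one grade gives 16 and stays Red. That asymmetry is the practical reason the band thresholds have to be explicit and agreed before the register is shown to a Board: with these assumed bands a product of 3 lands in Low, and a different threshold would place it in Medium.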
Employees and the Board will always speak of ‘Risk’ when they mean Likelihood or Threat, and that is fine; but the Information Security professional must be absolutely clear about the difference between Likelihood, Impact and Risk if they are going to manage a successful Information Security Framework and Data Protection environment.
In my next article we will look at the anatomy of a Risk Assessment and will be considering Threat, Capability and Intent.