Monday, January 9, 2017

CyberSecurity: Risk Management - The Risk Identification Process

At its heart, information security is all about managing risk.

What is risk? 
Risk is the probability of a loss. It's the chance of something adverse happening to our interests.

Risk Management?
Risk management is understanding how bad the loss from an adverse event can be, and how we can get the risk down to a level we can absorb. A loss is an event that negatively affects our information assets, such as
  • unauthorized or unwanted access,
  • destruction,
  • modification,
  • theft, or
  • denial of access.

Risk management involves a preparation and planning phase followed by a risk identification phase, a risk assessment phase, a risk appetite determination phase, and then a risk control phase.

  • Risk identification is where we determine whether risk exists from known vulnerabilities, and from the threats we can identify that may exploit those vulnerabilities or find new ways to cause us loss.
  • Risk assessment is the determination of the extent to which our assets are at risk.
  • In determining our risk appetite, we determine and document how much risk we can tolerate.
  • Risk control is where we plan additional appropriate controls to reduce excessive risk to that defined acceptable level.
Risk management also means that we continue to monitor our risk environment until we need to begin the process again.


Risk identification is the first phase of the process, and its first step involves identifying, classifying, and prioritizing our assets. Information assets are found across the organization, not just in databases or on servers: information exists in filing cabinets, on personal computers and in numerous other locations. Once identified, assets must be evaluated and placed in classes or categories that determine who can and cannot access them. Many approaches to classifying data exist; one common approach assigns each asset to one of public, official use only, or confidential. After classification, each asset must be assessed for the value it has to the organization. Using this information, we can determine each asset's needed level of protection.

When assessing the value of an information asset, there are a number of questions we could use, such as: Which information asset...
  • is the most critical to the success of the organization?
  • generates the most revenue?
  • generates the highest profitability?
  • is the most expensive to replace?
  • is the most expensive to protect?
  • would, if lost or compromised, be the most embarrassing or cause the greatest liability?
Placing an exact dollar value on most assets is very difficult. However, we can place relative values to help us prioritize them. One method uses a weighted factor table to assess and compare the worth of our assets.



This is done by first listing the criteria we care about and then rating each asset against those criteria. This produces a weighted score, which lets us compare the value of dissimilar assets within our organization. The second step in risk identification is to identify and prioritize the threats to our information assets. We can identify threats by looking for studies and surveys published in trade and academic journals. One such study, published in Communications of the ACM, identified 12 categories of threats to information security.



Other such lists have been published as well. Just as we assessed our assets, we must assess the threats facing them. The questions shown here could be used as criteria in a weighted table to prioritize threats.


Threat assessment questions: Which threat...
  • presents a danger to this organization's information assets in its current environment?
  • represents the gravest danger to the organization's information assets?
  • has the highest probability of success?
  • could result in the greatest loss if successful?
  • is the organization least prepared to handle?
  • costs the most to protect against?
  • costs the most to recover from?
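The weighted factor table used above for asset valuation is the same mechanism used here for threat prioritization: list the criteria, weight them, rate each item, and compare the weighted scores. Here is that mechanism in working Python, as an added example that is not part of the original post; the criteria names, weights and ratings are constructed sample values, not figures from any real organization.

```python
"""Weighted factor table: rank information assets and threats by a weighted score.
Added example, not from the original post; criteria, weights and ratings are
constructed sample values, not the organization's real ones.
"""


def weighted_scores(weights, items):
    """Return (name, score) pairs, highest priority first.

    weights: criterion -> weight, summing to 1.0 so scores stay on the 0..100
             scale of the raw ratings.
    items:   name -> {criterion: rating between 0 and 100}.
    """
    total = sum(weights.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"weights must sum to 1.0, got {total}")
    scored = []
    for name, ratings in items.items():
        missing = set(weights) - set(ratings)  # every criterion must be rated
        if missing:
            raise ValueError(f"{name!r} is not rated on {sorted(missing)}")
        if any(not 0 <= ratings[c] <= 100 for c in weights):
            raise ValueError(f"{name!r} has a rating outside 0..100")
        score = sum(weights[c] * ratings[c] for c in weights)
        scored.append((name, round(score, 1)))
    # Highest score first; ties broken by name so the output is stable.
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


# Constructed sample: three of the post's asset-valuation questions as criteria.
ASSET_WEIGHTS = {"critical_to_success": 0.5, "revenue": 0.3, "replacement_cost": 0.2}
ASSETS = {
    "customer database": {"critical_to_success": 90, "revenue": 80, "replacement_cost": 70},
    "public website": {"critical_to_success": 60, "revenue": 40, "replacement_cost": 30},
    "HR filing cabinet": {"critical_to_success": 40, "revenue": 10, "replacement_cost": 50},
}

# Constructed sample: three of the post's threat-assessment questions as criteria.
THREAT_WEIGHTS = {"probability_of_success": 0.4, "loss_if_successful": 0.4, "least_prepared": 0.2}
THREATS = {
    "phishing": {"probability_of_success": 80, "loss_if_successful": 60, "least_prepared": 50},
    "ransomware": {"probability_of_success": 50, "loss_if_successful": 90, "least_prepared": 70},
    "hardware failure": {"probability_of_success": 30, "loss_if_successful": 40, "least_prepared": 20},
}

if __name__ == "__main__":
    for title, weights, items in (("Assets", ASSET_WEIGHTS, ASSETS), ("Threats", THREAT_WEIGHTS, THREATS)):
        print(title)
        for name, score in weighted_scores(weights, items):
            print(f"  {score:5.1f}  {name}")
```

Because the weights are normalized, a score of 83 and a score of 70 are comparable even though one ranks an asset and the other a threat, which is the point of using relative values rather than dollar figures.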
Summary:
There are four ways of managing risk:
  1. avoiding the risk – avoidance would mean stopping the activity that is causing the risk. For example, deleting all banking information and unsubscribing from internet banking would avoid the risks associated with the information assets related to banking.
  2. modifying the risk (likelihood and/or impact) – this involves choosing and implementing a security mechanism that reduces the likelihood of a successful attack, or the impact that would result from such an attack. For example, installing an up-to-date antivirus application can prevent the attacker from using malware to gain access to the computer holding the internet banking information.
  3. transferring the risk to others – typically involves taking out insurance to cover any losses in the event the threat materialises.
  4. accepting the risk – would mean choosing not to implement any of these countermeasures, choosing instead to monitor the information asset for any attacks.
