In the information age, understanding risk is central to choosing the mechanisms used to protect information. Information security professionals must manage assets under constraints that make it difficult to implement the appropriate controls. This article focuses on a framework for justifying those controls.
No risk can be removed entirely. Usually a risk can only be reduced, and controls are implemented to limit the loss when the event does occur.
There are two types of risk analysis in the information security arena: quantitative and qualitative. Quantitative risk analysis assigns each risk a numeric value, and its results rest on facts and figures (asset values, loss amounts, observed frequencies). Qualitative risk analysis is based on subjective information; the result is a ranked judgement of how vulnerable the asset is or how high the risk may be. The difference between the two methods is fact versus opinion. In practice, however, most analysis is qualitative.
Risk and the calculations
When calculating risk, start by understanding the cost of the asset you are trying to protect. For a business-wide asset like data, only experienced risk assessors can quantify that cost, and doing so requires input from every part of the business that holds or uses the data. Data has always been a difficult asset to assess and quantify, so consider the following.
The cost of the data is not only the impact on the business if the data is unavailable; there is also the cost to maintain, reproduce and reconstruct it to the same state as before the loss. All of these factors should be included in the asset value.
The formulas to calculate the value of the data can be highly complex and difficult to understand and quantify.
Let's take the example of data stored on a mobile phone and work through a simple calculation of the value of the data against the risk of losing it.
A mobile phone costs $500 including the operating system, and has approximately five paid applications loaded at a cost of $300 (software like GPS, viewers, backup tools, etc.). The half day it takes to load the software is, for argument's sake, worth $100. The time it takes to configure the phone and enter all of the contacts and information costs another $100. The total value of the asset, device included, is therefore $1,000. The impact of the user being unable to access the device is put at $400: the time spent reloading software plus the other time lost while the device was offline.
The mechanism to protect the data asset could be software or hardware, in the form of a backup device or a replica of the software and configuration held elsewhere.
So how do we calculate risk?
Estimating how often the loss event occurs is the key to calculating risk. We are meant to learn from history, and in that spirit we should look at the observed frequency of each threat agent. Threat agents manifest themselves in many forms; the list below is by no means comprehensive, but it gives an idea of what is out there.
- Natural disasters (fire, flood, earthquake, storm)
- Manmade threats (theft, sabotage, operator error, malicious software)
- Other threat agents specific to your environment
There are multiple calculations that can be performed to quantify risk. The simplest is Risk = Probability of the event X Cost of the event. In the standard terminology this is done in two steps.
Single Loss Expectancy (SLE) = Asset Value (AV) X Exposure Factor (EF), where EF is the fraction of the asset's value lost in a single occurrence of the threat (a complete loss is 1.0, i.e. 100%).
Once you have the SLE, use the following formula:
Annual Loss Expectancy (ALE) = SLE * Annual Rate of Occurrence (ARO), where ARO is the expected number of occurrences per year (an event expected once every ten years has an ARO of 0.1).
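The following is an added example, not code from the original article. It carries the article's phone figures through the SLE and ALE formulas, then goes one step further than the text does by putting a price on a backup control (a standard cost/benefit extension of ALE), and rates the same scenario on a qualitative scale to show the fact-versus-opinion contrast described earlier. The $1,000 asset value and the $400 loss per event are the article's numbers; the exposure factor derived from them (400 / 1000 = 0.4), the annual rate of occurrence (one loss every two years, ARO 0.5), the backup's $60/year cost and its residual exposure factor of 0.1, and the 1-to-5 qualitative scales are all constructed assumptions.

```python
"""Worked SLE/ALE figures for the article's mobile-phone scenario, with a
qualitative rating of the same scenario for contrast.

Added example; not code from the original article.  The $1,000 asset value
and the $400 loss per event are the article's figures.  The exposure factor
derived from them (400 / 1000 = 0.4), the annual rate of occurrence (one
loss every two years, ARO 0.5), the backup control's cost and residual
exposure, and the 1-to-5 qualitative scales are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat acting on one asset, described with quantitative inputs."""
    name: str
    asset_value: float      # AV: replacement plus rebuild cost of the asset
    exposure_factor: float  # EF: fraction of AV lost in one event, 0.0 to 1.0
    aro: float              # ARO: expected number of events per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: the loss expected from a single occurrence."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the loss expected per year from this threat."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return round(sle * aro, 2)


def ale_for(scenario: Scenario) -> float:
    """Convenience wrapper: ALE straight from a Scenario."""
    sle = single_loss_expectancy(scenario.asset_value, scenario.exposure_factor)
    return annual_loss_expectancy(sle, scenario.aro)


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Net annual value of a countermeasure: the ALE it removes minus what it
    costs per year.  This cost/benefit step is a standard extension of the
    ALE formula rather than something the article spells out.  A positive
    result means the control pays for itself."""
    return round((ale_before - ale_after) - annual_control_cost, 2)


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Qualitative analysis: rank likelihood and impact on 1-to-5 scales
    (assumed here) and bucket the product.  Same question as ALE, but the
    inputs are opinion rather than measured figures."""
    for value in (likelihood, impact):
        if not 1 <= value <= 5:
            raise ValueError("likelihood and impact must be integers from 1 to 5")
    score = likelihood * impact
    if score >= 15:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


# The article's phone: $1,000 asset, $400 lost per event, so EF = 0.4.
# ARO 0.5 (one loss every two years) is an assumption.
PHONE_NO_BACKUP = Scenario("phone lost, no backup", 1000.0, 0.4, 0.5)

# Assumed control: an online backup at $60/year.  Contacts and configuration
# restore in minutes, so the loss per event is assumed to drop to 10% of AV.
PHONE_WITH_BACKUP = Scenario("phone lost, restored from backup", 1000.0, 0.1, 0.5)
BACKUP_COST_PER_YEAR = 60.0


def backup_decision() -> dict:
    """Put the numbers side by side so the control can be justified (or not)."""
    before = ale_for(PHONE_NO_BACKUP)
    after = ale_for(PHONE_WITH_BACKUP)
    return {
        "sle_before": single_loss_expectancy(1000.0, 0.4),
        "ale_before": before,
        "ale_after": after,
        "net_value": control_value(before, after, BACKUP_COST_PER_YEAR),
        "qualitative_before": qualitative_rating(likelihood=3, impact=2),
    }


if __name__ == "__main__":
    for key, value in backup_decision().items():
        print(f"{key:>18}: {value}")
```

With these assumptions the phone loses $400 per event and $200 per year; the backup cuts the yearly expectation to $50, so after its own $60 cost it is worth $90 a year and is justified. The qualitative column answers the same question with a single word, which is quicker to produce but impossible to weigh against the control's price.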
For more information you can read Risk Assessment and Threat Identification.
There are many ways to manage risk. In many cases the risk is countered by implementing a control that reduces or limits it; for example, to reduce the risk of fire, a fire alarm and a fire suppression system are installed.
Tips from the trade
When limiting a risk, remember to isolate the asset you are protecting. Applying a control to the isolated asset is more cost-effective than applying it to the whole environment. It may make even more sense to remove the vulnerable asset from the environment altogether, which lessens the risk.
When managing risk, it is important to understand what the countermeasure to a risk is. Countermeasures come in the form of controls, and a control is technical (logical), physical or administrative.
Technical controls are installed and applied to mitigate risk: antivirus, backups, encryption, access controls, and other hardware and software controls.
Technical controls are also known as logical controls. The best approach is to implement the principle of least privilege, which ensures that only legitimate users or subjects have access to the asset in question.
Physical controls are controls that physically restrict access to assets; locks, burglar bars, cameras, barricades, fencing, security guards and dogs are good examples. Separation of duties is often enforced alongside physical controls (for instance, two people required to open a vault), but it is itself a soft, administrative control.
Administrative controls are written controls such as policies and standards, implemented to reduce risk. Security policies and similar documents are examples.
Things to consider
When analysing risks, always consider the client's input into the process. This input is often an opinion and has little bearing on the actual situation unless it is properly understood and filtered by an experienced risk analyst. All information should be verified, because it is easy for the client to influence the results by answering the questions in a particular way; this is why the assessor should be accredited and experienced in the field of risk.
On many occasions the assessors I meet have little knowledge of risk profiling or of how a risk analysis should be performed. Typically they are young folk just out of college with little experience, following a framework handed to them by the organisation consulting to the client. These frameworks are designed to identify the risks if filled out correctly, but in many cases the customers being interviewed can easily change the result by carefully crafting their responses. This invalidates the findings: the risks are not clearly identified and the correct countermeasures are not implemented.
Data classification is becoming a more common control. It is a good example of a soft control that is both logical and administrative, and it helps reduce risk by allowing the organisation to protect only its sensitive data rather than all data. The cost of the solution is greatly reduced as a result, because only the sensitive data needs protecting.
In this article we went through risk calculations and the types of controls that can be implemented. Understanding the basics of risk and the assessment mechanisms helps in defining countermeasures and controls. As a wise man once said, it's better to be two years early than one day too late.