The idea of risk in IT security and cybersecurity refers to anything that might go against the CIA triad: any action or event that may compromise the confidentiality, integrity or availability of data is considered a risk.
No system is perfect, so the only realistic option is to reduce risk to an acceptable level. That is what risk management is.
To do so, we have to perform a risk analysis: evaluate each threat, its frequency and the loss incurred if it materializes, and finally weigh the cost of each candidate protection against the benefit it brings.
It's this aspect of risk management that I will develop (summarize, actually).
First of all, risk analysis, and of course risk management, must be driven by the organization's management and follow directly from the corporate strategy that management itself defines. Even when the analysis is conducted by security professionals, it must be bounded by that strategy, understood and validated by upper management, because they remain the ultimate decision-makers.
Risk assessment can be done by two different methods: quantitative or qualitative. When both are used together, we talk about a hybrid method.
Quantitative Analysis
This one is, so to speak, concrete, in the sense that every aspect is made measurable and quantifiable in accounting terms (in euros, or whatever your currency is). In other words, a document that is perfectly clear to a financier.
To build it, we assign each asset a value (AV), identify the threats associated with each asset, and for each threat estimate two figures: the exposure factor (EF), the fraction of the asset's value that would be lost if the threat materialized, and the annualized rate of occurrence (ARO), the expected number of occurrences per year.
From this we can calculate the Single Loss Expectancy (SLE = AV × EF), the loss from one realization of a risk on an asset, and the Annualized Loss Expectancy (ALE = SLE × ARO), the expected loss per year; summing the ALE over all threats to all assets gives the organization's total expected annual loss. These figures serve as the scale for evaluating and choosing safeguards/countermeasures: a safeguard is worth adopting when the ALE it removes (ALE before minus ALE after) exceeds its own annual cost.
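As an added worked example (not from the original post), here is the quantitative calculation in Python: each threat carries a constructed AV, EF and ARO, the SLE and ALE are derived from them, and each candidate safeguard is valued as (ALE before - ALE after) - annual cost of the safeguard, so an option that costs more than the loss it prevents is rejected and the risk is accepted instead. All asset names, values, rates and safeguard costs below are constructed for the example, and the EF range check is the kind of input validation a real analysis spreadsheet rarely has.

```python
"""Quantitative risk analysis: AV, EF, ARO -> SLE, ALE, and safeguard cost/benefit.

Added illustration, not code from the original post. Every asset, value,
rate and safeguard below is a constructed example figure (EUR).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str
    av: float   # Asset Value, in currency units
    ef: float   # Exposure Factor: fraction of AV lost per occurrence (0..1)
    aro: float  # Annualized Rate of Occurrence: expected events per year

    def __post_init__(self):
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError(f"{self.name}: EF must be in [0, 1], got {self.ef}")
        if self.av < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence of the threat."""
        return self.av * self.ef

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float                # amortized purchase + yearly operation
    new_ef: Optional[float] = None    # EF once the control is in place, None = unchanged
    new_aro: Optional[float] = None   # ARO once the control is in place, None = unchanged


def residual(threat: Threat, sg: Safeguard) -> Threat:
    """The same threat as it stands once the safeguard is deployed."""
    return Threat(threat.name, threat.asset, threat.av,
                  threat.ef if sg.new_ef is None else sg.new_ef,
                  threat.aro if sg.new_aro is None else sg.new_aro)


def safeguard_value(threat: Threat, sg: Safeguard) -> float:
    """Net annual value of a control: (ALE before - ALE after) - annual cost.
    A negative result means the control costs more than the loss it prevents."""
    return threat.ale() - residual(threat, sg).ale() - sg.annual_cost


def total_ale(threats) -> float:
    """Organization-wide expected annual loss: sum of ALE over all threat/asset pairs."""
    return sum(t.ale() for t in threats)


# Constructed sample figures (EUR).
THREATS = [
    Threat("ransomware on file server", "file server", av=200_000, ef=0.6, aro=0.5),
    Threat("web server defacement", "public website", av=50_000, ef=0.2, aro=2.0),
    Threat("datacentre flood", "datacentre", av=1_000_000, ef=0.8, aro=0.01),
]

# Constructed candidate controls per threat, with the EF or ARO they are assumed to achieve.
SAFEGUARDS = {
    "ransomware on file server": [
        Safeguard("offline backups", annual_cost=15_000, new_ef=0.1),
        Safeguard("EDR on all endpoints", annual_cost=40_000, new_aro=0.2),
    ],
    "web server defacement": [Safeguard("WAF", annual_cost=12_000, new_aro=0.5)],
    "datacentre flood": [Safeguard("relocate datacentre", annual_cost=120_000, new_aro=0.001)],
}


def best_safeguard(threat: Threat) -> Optional[Safeguard]:
    """Pick the option with the highest positive net value, or None when every
    option costs more than it saves (the residual risk is accepted instead)."""
    options = [(safeguard_value(threat, sg), sg) for sg in SAFEGUARDS.get(threat.name, [])]
    options = [(v, sg) for v, sg in options if v > 0]
    return max(options, key=lambda o: o[0])[1] if options else None


if __name__ == "__main__":
    print(f"Total ALE before controls: {total_ale(THREATS):,.0f} EUR")
    for t in THREATS:
        sg = best_safeguard(t)
        print(f"{t.name}: SLE={t.sle():,.0f} ALE={t.ale():,.0f} -> "
              f"{'accept the risk' if sg is None else sg.name}")
```

Note the flood case: an SLE of 800 000 EUR looks alarming, but with an ARO of 0.01 the ALE is only 8 000 EUR, so a 120 000 EUR/year relocation is rejected and the risk is accepted. That is exactly the kind of conclusion the quantitative method makes defensible in front of a financier.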
Qualitative Analysis
This type of analysis is based on the appreciation, judgment and experience of the auditors. Here, each threat is expressed as a score on a scale defined beforehand, used to evaluate the cost, the risk and the effects. Different methods can be used, such as brainstorming, storyboarding, questionnaires or the Delphi technique, which consists of collecting anonymous feedback from stakeholders in successive rounds until an equally anonymous consensus is reached. There are others, but all of them are based on scenarios in which the threat and the scope of its impact are defined. It is important for these methods to engage all levels of the organization so that the result is as accurate as possible.
When I look back, I realize that most of the analyses I have done for the implementation of a firewall, anti-spam or antivirus were more qualitative than quantitative. Experience and scenarios were used to assess threats, risks and effects. The quantitative vision was often more like "what is the budget?". But we also have to keep in mind that in these particular cases, all of the organization's assets benefit from the protection provided by these safeguards.
We can easily understand that a hybrid analysis gives better results: combining the two takes both approaches into account and provides a cross-check that makes the analysis more reliable.
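As an added example serving both the qualitative section and the hybrid point above (not the author's own code), the Python below scores each scenario from anonymous panel rounds in the Delphi manner, treating a round as consensus once the interquartile range of the scores is at most 1 (an assumed rule), bands the resulting likelihood × impact score, and then cross-checks each qualitative band against the band the scenario's ALE falls into; the mismatches are the scenarios a hybrid analysis sends back for review. Scenario names, panel scores, ALE figures, scales and band thresholds are all constructed assumptions.

```python
"""Qualitative risk scoring with a Delphi-style consensus loop, plus the
hybrid cross-check of qualitative bands against quantitative ALE figures.

Added illustration, not code from the original post. Scenario names, panel
scores, ALE figures, scales and thresholds are all constructed assumptions.
"""
from statistics import median

SCALE = range(1, 6)        # agreed ordinal scale: 1 = very low .. 5 = very high
CONSENSUS_IQR = 1.0        # assumed rule: the panel agrees when the IQR is <= 1
QUAL_BANDS = ((6, "Low"), (12, "Medium"), (25, "High"))   # on likelihood x impact
ALE_BANDS = ((10_000, "Low"), (40_000, "Medium"), (float("inf"), "High"))  # EUR/year, assumed


def iqr(values):
    """Interquartile range as median(upper half) - median(lower half)."""
    s = sorted(values)
    half = len(s) // 2
    return median(s[-half:]) - median(s[:half])


def delphi(rounds):
    """Walk the anonymous scoring rounds in order and stop at the first round
    whose spread is within CONSENSUS_IQR. Returns (score, rounds_used, agreed).
    If the panel never converges, the last round's median is used but the
    result is flagged so the facilitator can revisit the scenario."""
    for n, scores in enumerate(rounds, start=1):
        bad = [s for s in scores if s not in SCALE]
        if bad:
            raise ValueError(f"round {n}: scores outside the agreed scale: {bad}")
        if iqr(scores) <= CONSENSUS_IQR:
            return median(scores), n, True
    return median(rounds[-1]), len(rounds), False


def band(value, bands):
    """Map a number onto the first band whose upper bound is >= value."""
    for upper, label in bands:
        if value <= upper:
            return label
    raise ValueError(f"{value} exceeds every band")


def qualitative_rating(scenario):
    """Score = median likelihood x median impact, then banded.
    The third element is False when either panel failed to reach consensus."""
    lik, _, lik_ok = delphi(scenario["likelihood"])
    imp, _, imp_ok = delphi(scenario["impact"])
    score = lik * imp
    return band(score, QUAL_BANDS), score, lik_ok and imp_ok


def cross_check(scenarios, ale):
    """Hybrid step: list scenarios whose qualitative band disagrees with the
    band their quantitative ALE falls in. Those go back for review."""
    flagged = []
    for name, sc in scenarios.items():
        q_band, _, _ = qualitative_rating(sc)
        a_band = band(ale[name], ALE_BANDS)
        if q_band != a_band:
            flagged.append((name, q_band, a_band))
    return flagged


# Constructed panel scores: one inner list per anonymous round, one entry per
# stakeholder. Only the first scenario needed a second likelihood round.
SCENARIOS = {
    "ransomware on file server": {"likelihood": [[2, 3, 4, 5, 3], [3, 3, 4, 4, 3]],
                                  "impact": [[5, 4, 5, 5, 4]]},
    "web server defacement":     {"likelihood": [[4, 4, 5, 4, 3]],
                                  "impact": [[2, 2, 3, 2, 1]]},
    "insider data theft":        {"likelihood": [[2, 2, 3, 2, 2]],
                                  "impact": [[4, 5, 4, 4, 5]]},
    "datacentre flood":          {"likelihood": [[1, 1, 2, 1, 1]],
                                  "impact": [[5, 5, 5, 4, 5]]},
}

# Constructed ALE figures (EUR/year) from a separate quantitative pass.
ALE = {"ransomware on file server": 60_000, "web server defacement": 20_000,
       "insider data theft": 45_000, "datacentre flood": 8_000}

if __name__ == "__main__":
    for name, sc in SCENARIOS.items():
        print(name, qualitative_rating(sc))
    print("needs review:", cross_check(SCENARIOS, ALE))
```

In this constructed data the panel's gut feeling rates insider data theft as Medium while the ALE puts it in the High band; neither number is "right" on its own, but the disagreement is precisely what the hybrid approach is meant to surface before the budget is allocated.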
The risk analysis (very, very... very summarized here) is only one part of risk management, but it is nevertheless its foundation.
Let's go for the next chapter!