editione1.0.0
Updated October 9, 2023The first rule of security management is that you can’t address all of the security vulnerabilities your organization is exposed to. As mentioned in in the introduction, these are called risks.
Definition The process of identifying, measuring, and prioritizing our approach to these issues is called risk management and is the mechanism we use to decide what to deal with and what to record.
Before you are ready to build your security management system, you need to:
define how you will measure and calculate risk
create a mechanism for recording, communicating, and reviewing risks.
Let’s take a look at these in more detail.
Thankfully, we don’t all have to be trained actuaries to calculate security risks. While the actuarial field is a well-established practice for calculating the risk of just about anything, and it’s used around the world in insurance companies and the wider financial sector, in security we have less sophisticated approaches.
While this might sound negative, don’t be put off by it. By simplifying the risk calculation process, we are able to demystify it and share it with our wider team. We don’t need a chartered accountant in a dark room with a book of formulas, we just need a repeatable system we can all understand and that we can apply whenever and wherever we need it.
We calculate risk by considering a vulnerability in the context of its likelihood and its impact on us. This crude calculation allows us to identify the risk as high (important) or low (not important):
Likelihood in this context is the probability or chance that someone or something will expose or exploit this weakness.
For example, if only two keys exist for a lock, the likelihood of someone breaking into that lock with one of those keys can be determined by examining:
Who has access to the keys?
Where are the keys stored?
How hard is it to bypass these protections?
Who else knows this lock exists (and these keys)?
Are we certain there are no more keys?
Where is the lock located and how is it protected?
The answers to each of these questions (and the many we will have missed) affect the likelihood of the risk being exploited.
If something is easy to find, easy to access, and unsecured or otherwise uncontrolled, the likelihood is probably high. If something is hard to find, requires specialist tools and knowledge, and can only be accessed in a specific set of circumstances, then the likelihood is probably much lower.
To calculate the likelihood of a risk for your organization, first you need to articulate the factors that will affect the probability, much like we have in the example above. Then use those criteria to place it on a scale of 1 to 10, from easy to find (most likely to be exploited) to hard to find (least likely to be exploited).
Impact is how we measure the effect of exploiting a flaw in our security. It helps us understand what will happen; what systems, processes, and people are involved; and the effect this exploitation may have on our wider organization.
In security, we often start examining impact by looking at the effect on the confidentiality, integrity, and availability of operations, systems, or services. These effects can be on a system-by-system level or on an organization-wide level.
Let’s get familiar with each of these impacts.