Information Security - Lexicon (2/3)

Risk - Threat - Vulnerability

This article will try to simplify the understanding of three key inter-related terms, viz. "Risk", "Threat" and "Vulnerability".

Threat : An entity (event/ incident/ person/ hardware/ software) potentially harmful to a system/ 'asset' (organisation/ hardware/ software/ individual).

  • Can be identified/ recognised by the 'owner' of the system.
  • May be known before setting up the system (preferably), or may come to light after a damage (harm) has occurred.
  • Example: Thief(ves)/ Theft, Malware, enemy state, terrorist(s), competitor(s), employee(s), natural calamity, fire etc.

Vulnerability : A 'weak link'/ 'weakness' in the system which may be exploited by the threat to cause harm/ damage.

  • May be peculiar to the system (software vulnerabilities) or generic to the environment (fire, flood, disasters).
  • Example: broken locking mechanism, easy-to-guess password, lack of a security guard, absence of alerting mechanisms, flammable substances in office space, inadequate access control etc.

Risk : The extent/ potential of damage when a threat exploits the vulnerability.

  • Depends on the value of the asset which is exploited. The value may not always be monetary; it can also be loss of reputation, loss of life(ves), loss of intellectual property etc.
  • Calculated based on the 'likelihood'/ 'probability' of the occurrence of an incident (Threat exploiting a vulnerability) and its potential 'impact'.

We evaluate risk consciously/ sub-consciously for every decision we take in the normal course of our lives. These include the decision of time to get up in the morning, the decision of the medium of commute to our workplace, our career choices, our food choices, our choices for pretty much everything in life!

Calculation of Risk : To "manage" risk, it is essential to "quantify" it. Let us have a brief introduction to the foundational concepts (Likelihood and Impact) through which we quantify the risk.

Likelihood: How frequently the threat is expected to materialise (by exploiting the related Vulnerability) in a given period of time. It may be calculated/ indicated in one of the following ways:

  • Qualitative Assessment: On a scale of 1 to 5, with '1' signifying least likely and '5' signifying most likely. This approach is generally taken where historical or supporting data on past occurrences is not available, so the estimate is influenced by our past experiences and opinions. For example, the likelihood of employees getting upset/ revolting against the management at a newly established firm (lack of historical data). On the other hand, the likelihood of road accidents on a highway about to be opened to the public may have no historical data of its own, but data derived from similar highway(s) operating under similar conditions may be used to predict a quantifiable likelihood.
  • Quantitative Assessment: Through a calculated "Annual Rate of Occurrence (ARO)" based on historical/ derived data. For example, the likelihood of a tornado/ earthquake in a particular region may be predicted based upon the historical data. A location experiencing an earthquake every 10 years would have an ARO for earthquakes of 0.1 (1/10).

Impact: How much would be the loss/ damage on the single occurrence of an incident (threat successfully exploits the vulnerability).

  • Qualitative Assessment: On a scale of 1 to 5 with '1' signifying least damage and '5' signifying most damage. This approach would generally be taken where the damage cannot be quantified (in terms of money or any other tangible unit). For example, reputational loss. The asset owner determines the extent of damage based on the 'value' of the asset to the owner.
  • Quantitative Assessment: Through a calculated "Single Loss Expectancy (SLE)". The SLE indicates the expected loss/ damage to the asset in tangible terms. It is in turn calculated from two key terms, viz. the Asset Value (AV), which is generally the value of the asset concerned in monetary terms, and the Exposure Factor (EF), a value from 0 to 1 which signifies the exposure of the asset to the concerned threat (the fraction of the asset's value expected to be lost in a single incident).

Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF)

  • Let us consider the prospects of constructing a building worth $100,000 either on a beautiful cliff edge or in the valley of the same city, which is known to have past occurrences of earthquakes. While the AV in both cases remains the same, the EF may be considered 1 for the location on the cliff and 0.5 for the location in the valley. Accordingly, SLE1 (Cliff) = 100,000 * 1 = 100,000, while SLE2 (Valley) = 100,000 * 0.5 = 50,000.
  • The overall risk associated with construction of the building with respect to the occurrence of earthquakes is obtained by multiplying the "impact" (SLE) and the "likelihood" (ARO). This risk is also known as the "Annual Loss Expectancy (ALE)".

RISK = IMPACT * LIKELIHOOD
ALE = SLE * ARO

  • Continuing the above-mentioned example, if the ARO in both cases is 0.1 (1 earthquake every 10 years), the Risk (aka ALE) would still be higher for location 1 (on the cliff): 100,000 * 0.1 = 10,000, vis-a-vis that for location 2 (in the valley): 50,000 * 0.1 = 5,000.
  • Let us assume that the desired choice of the building owner is to get it constructed on the edge of a cliff in city A. The various options which can be presented to him/ her with respect to the calculated risk are as shown below:

[Image: decision table of building-site options with their calculated risk (ALE); not reproduced here]

The asset owner is thus presented with a 'decision table' (or decision matrix) to help in informed decision making. You can try adding your own 'use cases' (hypothetical scenarios) to the above table to see how it makes a difference!
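The following Python script is an added example, not part of the original article: it carries the article's own quantities (AV, EF, SLE, ARO, ALE) into working code, builds the kind of decision table described above from the cliff/valley scenario, and also scores the qualitative 1-to-5 likelihood/impact scale. The cliff and valley figures come from the article; the third option (a cliff site with earthquake-resistant construction that lowers the EF to 0.2) is a hypothetical row added purely to show how a mitigation changes the ranking.

```python
from dataclasses import dataclass


def qualitative_risk(likelihood: int, impact: int) -> int:
    """Qualitative risk score: likelihood (1-5) * impact (1-5), giving 1..25."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be on the 1-5 scale, got {value}")
    return likelihood * impact


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF. EF is the fraction (0..1) of the asset lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError(f"exposure factor must be between 0 and 1, got {exposure_factor}")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annual_rate_of_occurrence(occurrences: int, years: float) -> float:
    """ARO = number of incidents observed (or predicted) / length of the period in years."""
    if years <= 0:
        raise ValueError("observation period must be positive")
    return occurrences / years


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO, i.e. RISK = IMPACT * LIKELIHOOD in quantitative terms."""
    return sle * aro


@dataclass(frozen=True)
class Option:
    """One row of the decision table: a site/design choice and its risk inputs."""
    name: str
    asset_value: float      # AV in monetary units
    exposure_factor: float  # EF, 0..1
    occurrences: int        # incidents seen in the period below
    years: float            # length of that period


def decision_table(options: list[Option]) -> list[dict]:
    """Compute SLE, ARO and ALE per option and rank the options by ALE (lowest first)."""
    rows = []
    for opt in options:
        sle = single_loss_expectancy(opt.asset_value, opt.exposure_factor)
        aro = annual_rate_of_occurrence(opt.occurrences, opt.years)
        rows.append({
            "option": opt.name,
            "AV": opt.asset_value,
            "EF": opt.exposure_factor,
            "SLE": sle,
            "ARO": aro,
            "ALE": annual_loss_expectancy(sle, aro),
        })
    return sorted(rows, key=lambda row: row["ALE"])


# Constructed scenario. The first two rows are the article's example (AV = 100,000,
# EF = 1 on the cliff and 0.5 in the valley, one earthquake every 10 years).
# The third row is hypothetical: a cliff site with earthquake-resistant design
# assumed to reduce the EF to 0.2.
OPTIONS = [
    Option("Cliff edge", 100_000, 1.0, 1, 10),
    Option("Valley", 100_000, 0.5, 1, 10),
    Option("Cliff edge, earthquake-resistant design (hypothetical)", 100_000, 0.2, 1, 10),
]


def format_table(rows: list[dict]) -> str:
    """Render the ranked rows as a plain-text decision table."""
    header = f"{'Option':<55} {'SLE':>9} {'ARO':>5} {'ALE':>8}"
    lines = [header, "-" * len(header)]
    for row in rows:
        lines.append(f"{row['option']:<55} {row['SLE']:>9,.0f} {row['ARO']:>5.2f} {row['ALE']:>8,.0f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Qualitative score for likelihood 4, impact 5:", qualitative_risk(4, 5))
    print(format_table(decision_table(OPTIONS)))
```

The ranking function deliberately sorts by ALE rather than by SLE alone: two options with the same one-off loss can carry very different annual risk once the ARO is taken into account, which is the point of the cliff/valley comparison. The validation in `single_loss_expectancy` catches the most common data-entry error in such tables, an EF entered as a percentage (e.g. 50) instead of a fraction (0.5).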

Do try making such tables for problems ranging from daily decision making to corporate decisions related to information security or for any other area of applicability whatsoever.

This article intends to provide a basic introduction to the key terms Threat, Vulnerability and Risk, and to the terms related to the calculation of Risk (ALE), viz. Impact (SLE) and Likelihood (ARO).

Kumar Harshit Singh

Location Head(BGSW), Cybersecurity Practice Head, EU Horizon Projects Lead, CISSP, Mgr.

2 years

Well brought out article on Quantitative assessment. Just to add, the Qualitative assessment techniques such as Delphi techniques are very useful in providing more fitting results.

More articles by Saurabh Prakash Gupta

  • Information Security - Lexicon (1/3)
  • Information Security - Lexicon (3/3)
