Information Security & Risk Analysis: A Structured, Systematic Approach to Vulnerability Assessments and Operational Resilience
Ridley Tony
Experienced Leader in Risk, Security, Resilience, Safety, and Management Sciences | PhD Candidate, Researcher and Scholar
Security threats, and the risk analysis that follows from them, are contextual to the organisation: its specific business technologies, operational nuances and commercial/strategic objectives.
This includes information, which remains both a physical and a digital threat vector for government, commercial and corporate entities.
Remarkably (read: concerningly), far too many risk statements and evaluations made in the name of security (or risk management, for that matter) begin at the end, with the risk analysis, disconnected and isolated from the specifics of the organisation, its operations, its technology and its threat environment. This is most conspicuous in revisions, updates and scheduled reviews.
That is, 'risk' statements, scales and ratings are updated, but the update is blind to, or excludes, the current state of how things are actually done: the technologies, relationships, external factors, and threat tactics and capabilities of today.
This is where the difference between security and risk management as art forms and as scientific approaches is most apparent.
In other words, one is a systematic, repeatable and scalable approach; the other is random, ad hoc and opaque, conducted in the absence of any schema, structure, evidence or traceable choices and trade-offs.
Simple models such as the Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) seek to remedy the lesser, artistic approaches.
Far from comprehensive, the format nonetheless guides businesses, practitioners, auditors and reviewers at all levels.
In short: show me what you did at each stage, and show me where the evidence, calculations and supporting knowledge are.
The answer provides either provisional confidence and assurance, or many sleepless nights (nightmares!).
Despite information, and the 'data' derived from it, remaining a considerable and valuable asset and the focus of many threat actors, information security and risk management approaches present as inconsistent and inadequately understood by business leaders, boards and stakeholders. Information security management should instead be the informed product of a clear, consistent and scalable risk management methodology, understood by practitioners and business units alike.
In sum, security risk management seeks to assign limited resources so as to achieve the maximum affordable protection for the most valuable, most exploitable and most vulnerable assets. This includes information.
As a result, structured, repeatable, scalable and risk-informed practices are preferred over idiosyncratic, artisanal and unsubstantiated security and/or risk beliefs.
The Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) is one such approach. Moreover, scales of evidence, completeness and efficacy are definable and measurable for even the smallest business operations or entities.
This gives it greater utility for non-experts and for multi-hatted business owners, managers and representatives.
In short, this model may start on the 'back of an envelope' and grow into something much more complex and detailed over time.
Conversely, where evidence, knowledge or confidence is absent at any one of these steps, the structure exposes that absence, which prevents hasty and unsubstantiated assertions that something is safe, secure, resilient, robust, or otherwise 'protected' in some equally variable sense. The same reference can be used by auditors, committees and objective reviewers.
Alarmingly, in this context, most real-world practices inadequately consider, or outright fail to consider and understand, phase one: what is the specific, contextual and current organisational view? How has it changed since the last review?
I always start there, as should you. However, I still find it the most 'empty' bucket of this three-step process.
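To make the "show me the evidence at each stage" demand and the untouched-phase-one problem concrete, here is an added example of an evidence-gated review check. It is not code from the article or from the SEI's OCTAVE material. It assumes the three classic OCTAVE phases (organisational view, technological view, strategy and plans), a 365-day evidence-freshness window chosen for illustration, and constructed sample assessments; the asset name, dates and evidence sources are invented.

```python
"""Evidence-gated OCTAVE-style risk review (added illustration, not from the article).

Assumed phase mapping: the three classic OCTAVE phases, named here as
organisational_view, technological_view and strategy_and_plans.
All sample data below is constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date
from hashlib import sha256
from typing import Dict, List, Optional

PHASES = ("organisational_view", "technological_view", "strategy_and_plans")


@dataclass
class Evidence:
    source: str      # what the claim rests on, e.g. "asset inventory + owner interview"
    collected: date  # when it was gathered


@dataclass
class Assessment:
    asset: str
    reviewed: date
    risk_rating: str  # "low" | "moderate" | "high"
    context: str      # phase-one narrative: what the asset is, who owns it, why it matters
    evidence: Dict[str, List[Evidence]] = field(default_factory=dict)

    def context_fingerprint(self) -> str:
        """Short hash of the phase-one narrative, used to detect a copied-forward context."""
        return sha256(self.context.strip().lower().encode()).hexdigest()[:12]


def evidence_gaps(a: Assessment) -> List[str]:
    """Phases with no traceable evidence at all (the 'empty buckets')."""
    return [p for p in PHASES if not a.evidence.get(p)]


def stale_evidence(a: Assessment, max_age_days: int) -> List[str]:
    """Phases whose newest evidence predates the review date by more than max_age_days."""
    stale = []
    for p in PHASES:
        items = a.evidence.get(p, [])
        if items and (a.reviewed - max(e.collected for e in items)).days > max_age_days:
            stale.append(p)
    return stale


def review(previous: Optional[Assessment], current: Assessment,
           max_age_days: int = 365) -> List[str]:
    """Return findings that block an unsubstantiated rating; an empty list means 'traceable'."""
    findings = []
    gaps = evidence_gaps(current)
    if gaps:
        findings.append("unsubstantiated: no evidence for " + ", ".join(gaps))
    stale = stale_evidence(current, max_age_days)
    if stale:
        findings.append("stale: evidence older than %d days for %s"
                        % (max_age_days, ", ".join(stale)))
    if previous is not None:
        rating_changed = previous.risk_rating != current.risk_rating
        context_changed = previous.context_fingerprint() != current.context_fingerprint()
        # The failure mode from the article: the rating moved, phase one did not.
        if rating_changed and not context_changed:
            findings.append("rating changed (%s -> %s) but phase-one context is identical "
                            "to the last review" % (previous.risk_rating, current.risk_rating))
    return findings


def sample_assessments():
    """Constructed data: a 2023 review, then a 2024 re-rating that skipped phase one."""
    prev = Assessment(
        "customer records DB", date(2023, 3, 1), "moderate",
        "Customer PII held on-prem; owner: ops; regulated.",
        {"organisational_view": [Evidence("asset inventory + owner interview", date(2023, 2, 20))],
         "technological_view": [Evidence("vulnerability scan 2023-02", date(2023, 2, 25))],
         "strategy_and_plans": [Evidence("mitigation plan v1", date(2023, 2, 28))]})
    curr = Assessment(
        "customer records DB", date(2024, 3, 1), "high",
        prev.context,  # copied forward unchanged
        {"organisational_view": prev.evidence["organisational_view"],  # not refreshed
         "technological_view": [Evidence("vulnerability scan 2024-02", date(2024, 2, 25))],
         "strategy_and_plans": []})  # nothing recorded for the plan
    return prev, curr


if __name__ == "__main__":
    prev, curr = sample_assessments()
    for finding in review(prev, curr):
        print(finding)
```

Run against the constructed data, the 2024 review is rejected on all three counts: the plan phase has no evidence, the phase-one evidence is more than a year old, and the rating was raised to 'high' on a context that is byte-for-byte the previous year's. The fingerprint check is deliberately crude; its point is that a review which only edits the rating column leaves a detectable trace.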
Security, Risk, Resilience, Safety & Management Sciences
Reference:
Software Engineering Institute (2007). Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process. Carnegie Mellon University, p. 3.