IT Risk Management- What is it about?

Whenever we hear about the term Information Security, the first thing comes up is the term IT RISK. When I started learning about Risk Management, the thing happened with me was I got through different terminologies. Here, I’ll try to share what I understood while learning about RISK in very simple terms.

Before we directly reach to the ‘R‘ term, we would first connect our dots with few of the following terminologies which would help us understand ‘R’ in a better way-

• Assets: Anything which provides benefits to organization, it could be anyone/anything of importance. Example: An employee, a server, etc.
• Vulnerabilities: This seems to be a tough term right but its not, its means the weakness that allows an asset to be exploited. Example: An unlocked open server room.
• Threats: This term is actually a threat to people who hear it for the first time, so just to simplify it’s an action that exploits a vulnerability’s potential to harm an asset. Example: Stealing a server from server room using the open unlocked door. Threat Agent: The one who does everything which means a person initiating a threat.

Let’s define the ‘R’ term that is RISK– In simple words risk is nothing but a possibility of something bad happening. You might be wondering why I got you through so many terms if RISK is that simpler, its because when we talk in terms of information security the RISK completes its definition using the above terms.

Information Security Risk is the probability of a threat agent successfully exploiting a vulnerability in an asset through threat actions. The formula which defines it is:

Threats x Vulnerability = Risk

Risk Management, a process used for prioritization of threats against assets and most importantly determining what to do about it. Risk Management can be centric to whole of the organization or can be for single project or department as well.

Risk Treatments

• Avoid risk: If the activity has a high likelihood of occurring, and it will also cause significant financial harm, it’s better to avoid it entirely. When regulations and rules apply to your industry, one significant risk is breaking the law. Avoiding this risk has an easy answer: don’t break the law. By following the guidelines regulators establish, you avoid the risk of fines, penalties, and defense costs.
• Reduce or Mitigate risk: Reducing risk means understanding the activities with a high likelihood of occurring but with a manageable financial impact. Its like placing security controls proactively in place before undertaking the risk.
• Transfer risk:If a financially devastating activity could potentially occur, the best option is to share the risk. Handling it alone could result in significant setbacks, if not a shuttered business. Instead of keeping fingers crossed, a better approach is to invest in insurance.
• Accept Risk: It’s not always that businesses can avoid, reduce, or transfer risk. Sometimes, you must buckle down and accept it. If accepting the risk is more profitable than any other option, then it’s the optimal strategy.

Now, as we have looked in the treatment and know what Risk Management is about, let’s dive into Types of Risk Analysis:

Quantitative Risk Analysis

Quantitative analysis is about assigning monetary values to risk components. The key variables and equations used for conducting a quantitative risk analysis are shown below.

• Exposure Factor (EF): Percentage of asset loss caused by identified threat. It ranges from 0% to 100%.
• Single Loss Expectancy (SLE): Asset Value ? Exposure factor.
• Annualized Rate of Occurrence (ARO): Estimated frequency a threat will occur within a year and is characterized on an annual basis. A threat occurring one time every 10 years has an ARO of 0.1. A threat occurring 10 times in a year has an ARO of 10.
• Annualized Loss Expectancy (ALE): Single Loss Expectancy ? Annualized Rate of Occurrence.

The concept can be summarized by analyzing the example of a stolen corporate laptop to understand better how it works. Let’s first describe the threat, vulnerability and risk:

Threat: Stolen corporate laptop Vulnerability: Backup rarely performed Risk: Loss of data

Data is the asset. We assess the value of the asset (AV) first: $100,000.

Next, let’s address the single loss expectancy (SLE). It contains information about the potential loss when a threat occurs. SLE = AV ? EF, where EF is exposure factor. Exposure factor describes the loss that will happen to the asset because of the threat. SLE is $30,000 in our example when EF is estimated to be 0.3.

Let’s continue this case. The annualized rate of occurrence (ARO) is described as an estimated frequency of the threat occurring in one year. ARO is used to calculate ALE (annualized loss expectancy). ALE is calculated as follows: ALE = SLE ? ARO. ALE is $15,000 ($30,000 ? 0.5), when ARO is estimated to be 0.5 (once in two years).

Qualitative Risk Analysis

This is based on subjective opinions:

We can make use of graphs, risk heat map to showcase the severity in terms of Low, High, Medium and Critical. The parameters to be defined are totally based upon an individual or the organization.

Risk Heat Map: Taking risk severity levels and map visually by colors. Risk Matrix: Table of risk details, similar to a heat map but without colors.

Thanks for giving it a read.