Risk
Risk is a big topic and the post will therefore be a lot of reading. This post will not provide a full coverage of the topic of risk, but a condensation on how the risk perspective can be applied in the Tactical Security work.
In simple terms,?risk?is the possibility of something bad happening
Risk involves?uncertainty?about the effects/implications of an activity with respect to something that humans value (such as health, well-being, wealth, property or the environment), often focusing on negative, undesirable consequences.
There are several steps that organizations and individuals can take to handle security risks:
There are a lot of information on how to manage and handle risk. This is a just an overview
?ISO Guide 73:2009 defines risk as:
effect of uncertainty on objectives
Risk can be an effect is a deviation from the expected – positive or negative.
The Risk objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
Risk is often characterized by reference to potential events and consequences or a combination of these.
Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
On the topic of uncertainty, this describes how to handle uncertainty:
If we divide the risk in to specific areas, it is easier to evaluate what risk we have and what impact they will have:
Business risk:
Business risks arise from uncertainty about the profit of a commercial business due to unwanted events such as changes in tastes, changing preferences of consumers, strikes, increased competition, changes in government policy, obsolescence etc.
Business risks are controlled using techniques of?Risk Management. In many cases they may be managed by intuitive steps to prevent or mitigate risks, by following regulations or standards of good practice, or by Insurance.?Enterprise risk management?includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives.
The Business risk, in context of information and IT security, is that the systems that are supporting the business are either not providing Confidentiality, Integrity or Availability (CIA Triade)
Economic risk:
Economics is concerned with the production, distribution and consumption of goods and services. Economic risk arises from uncertainty about economic outcomes. For example, economic risk may be the chance that macroeconomic conditions like exchange rates, government regulation, or political stability will affect an investment or a company’s prospects. In economics, as in finance, risk is often defined as quantifiable uncertainty about gains and losses.
The Economic risk, in context of information and IT security, is that the systems that are not providing the solutions to enable an investment or a company’s prospects.
Health, safety, and environment risks
Health, safety, and environment (HSE) are separate practice areas; however, they are often linked. The reason is typically to do with organizational management structures; however, there are strong links among these disciplines. One of the strongest links is that a single risk event may have impacts in all three areas, albeit over differing timescales. For example, the uncontrolled release of radiation or a toxic chemical may have immediate short-term safety consequences, more protracted health impacts, and much longer-term environmental impacts.
These risks are often correlated with Operational Technology and/or Medical Technology, where IT systems are Collecting Controlling machines for industrial usage or medical usage
Environmental risk
Environmental risk arises from?environmental hazards or Environmental issues.
In the environmental context, risk is defined as “The chance of harmful effects to human health or to ecological systems”
Environmental risk assessment aims to assess the effects of stressors, often chemicals, on the local environment.
The Environmental risk, in context of information and IT security, is that the systems that are providing Industrial Control systems are not working properly and therefore can cause environmental damage. These are often referred to as SCADA systems or OT system.
Security risk
Security is freedom from, or resilience against, potential harm caused by others.
A security risk is "any event that could result in the compromise of organizational assets i.e. the unauthorized use, loss, damage, disclosure or modification of organizational assets for the profit, personal interest or political interests of individuals, groups or other entities."
Security risk management involves protection of assets from harm caused by deliberate acts.
Information technology risk
Information Technology?(IT) is the use of computers to store, retrieve, transmit, and manipulate data. IT risk?(or cyber risk) arises from the potential that a?threat?may exploit a vulnerability?to breach security and cause harm.?IT risk management?applies risk management methods to IT to manage IT risks.?Computer security?is the protection of IT systems by managing IT risks.
Information Security?is the practice of protecting information by mitigating information risks. While IT risk is narrowly focused on computer security, information risks extend to other forms of information (paper, microfilm).
Safety risk
?Safety should be separated from Security as Safety?is concerned with a variety of?hazards ?that may result in accidents?causing harm to people, property and the environment. In the safety field, risk is typically defined as the “likelihood and severity of hazardous events”.
A?High reliability organization?(HRO) involves complex operations in environments where catastrophic accidents could occur. Examples include aircraft carriers, air traffic control, aerospace and nuclear power stations. Some HROs manage risk in a highly quantified way. The technique is usually referred to as?Probabilistic Risk Assessment (PRA).
Risk management
Risk is ubiquitous in all areas of life and we all manage these risks, consciously or intuitively, whether we are managing a large organization or simply crossing the road.
Risk management?refers to a systematic approach to managing risks, and sometimes to the profession that does this. A general definition is that risk management consists of “coordinated activities to direct and control an organization with regard to risk".
ISO 31000, the international standard for risk management,?describes a risk management process that consists of the following elements:
Communicating and consulting
Establishing the scope, context and criteria
Risk assessment?- recognizing and characterizing risks, and evaluating their significance to support decision-making. This includes risk identification, risk analysis and risk evaluation.
Risk treatment - selecting and implementing options for addressing risk.
Monitoring and reviewing
Recording and reporting
In general, the aim of risk management is to assist organizations in “setting strategy, achieving objectives and making informed decisions”.?The outcomes should be “scientifically sound, cost-effective, integrated actions that [treat] risks while taking into account social, cultural, ethical, political, and legal considerations”.
In contexts where risks are always harmful, risk management aims to “reduce or prevent risks”.?In the safety field it aims “to protect employees, the general public, the environment, and company assets, while avoiding business interruptions”.
For organizations whose definition of risk includes “upside” as well as “downside” risks, risk management is “as much about identifying opportunities as avoiding or mitigating losses”. It then involves “getting the right balance between innovation and change on the one hand, and avoidance of shocks and crises on the other”.
领英推荐
Risk assessment
Risk assessment is a systematic approach to recognizing and characterizing risks, and evaluating their significance, in order to support decisions about how to manage them.?ISO 31000 ?defines it in terms of its components as “the overall process of risk identification, risk analysis and risk evaluation”.
Risk assessment can be qualitative, semi-quantitative or quantitative:
Qualitative approaches are based on qualitative descriptions of risks and rely on judgement to evaluate their significance.
Semi-quantitative approaches use numerical rating scales to group the consequences and probabilities of events into bands such as “high”, “medium” and “low”. They may use a?risk matrix to evaluate the significance of particular combinations of probability and consequence.
Quantitative approaches, including Quantitative risk assessment (QRA) and?Probabilistic Risk Assessment?(PRA), estimate probabilities and consequences in appropriate units, combine them into risk metrics, and evaluate them using numerical risk criteria.
Risk identification
Risk identification is “the process of finding, recognizing and recording risks”. It “involves the identification of risk sources, events, their causes and their potential consequences.”
ISO 31000?describes it as the first step in a risk assessment process, preceding risk analysis and risk evaluation.?In safety contexts, where risk sources are known as hazards, this step is known as “hazard identification”.
There are many different methods for identifying risks, including:
Checklists or taxonomies based on past data or theoretical models.
Evidence-based methods, such as literature reviews and analysis of historical data.
Team-based methods that systematically consider possible deviations from normal operations, e.g.?HAZOP (Hazard and operability study),?FMEA (Failure mode and effects analysis)?and?SWIFT (Structured What If Technique).
Empirical methods, such as testing and modelling to identify what might happen under particular circumstances.
Techniques encouraging imaginative thinking about possibilities of the future, such as?scenario analysis.
Expert-elicitation methods such as?brainstorming, interviews and?audits.
Sometimes, risk identification methods are limited to finding and documenting risks that are to be analyzed and evaluated elsewhere. However, many risk identification methods also consider whether control measures are sufficient and recommend improvements. Hence they function as stand-alone qualitative risk assessment techniques.
Risk analysis
Risk analysis is about developing an understanding of the risk. ISO defines it as “the process to comprehend the nature of risk and to determine the level of risk”.?In the ISO 31000 risk assessment process, risk analysis follows risk identification and precedes risk evaluation. However, these distinctions are not always followed.
Risk analysis may include:
Determining the sources, causes and drivers of risk
Investigating the effectiveness of existing controls
Analyzing possible consequences and their likelihood
Understanding interactions and dependencies between risks
Determining measures of risk
Verifying and validating results
Uncertainty and sensitivity analysis
Risk analysis often uses data on the probabilities and consequences of previous events. Where there have been few such events, or in the context of systems that are not yet operational and therefore have no previous experience, various analytical methods may be used to estimate the probabilities and consequences:
Proxy or analogue data from other contexts, presumed to be similar in some aspects of risk.
Theoretical models, such as?Monte Carlo simulation?and?Quantitative risk assessment software.
Logical models, such as?Bayesian networks,?fault tree analysis?and?event tree analysis
Expert judgement, such as?absolute probability judgement?or the?Delphi method.
Good input for the Risk analysis from IT technical perspective is Microsoft Secure Score | Microsoft 365
Risk evaluation and risk criteria
Risk evaluation involves comparing estimated levels of risk against risk criteria to determine the significance of the risk and make decisions about risk treatment actions.
In most activities, risks can be reduced by adding further controls or other treatment options, but typically this increases cost or inconvenience. It is rarely possible to eliminate risks altogether without discontinuing the activity. Sometimes it is desirable to increase risks to secure valued benefits. Risk criteria are intended to guide decisions on these issues.
Types of criteria include:
Criteria that define the level of risk that can be accepted in pursuit of objectives, sometimes known as?risk appetite, and evaluated by risk/reward analysis. This is derived from the acceptable risks from the organization. Depending on what kind of service the organization is providing, the organization might have a bigger risk appetite if they have a short go to market strategy, as on the low risk appetite that is represented by public sector or military industry, where the risk appetite is low as it is more important to protect the Intellectual property
Criteria that determine whether further controls are needed, such as?benefit-cost ratio.
Criteria that decide between different risk management options, such as?multiple-criteria decision analysis.
The simplest framework for risk criteria is a single level which divides acceptable risks from those that need treatment. This gives attractively simple results but does not reflect the uncertainties involved both in estimating risks and in defining the criteria.
The tolerability of risk framework, developed by the UK?Health and Safety Executive, divides risks into three bands:
Unacceptable risks – only permitted in exceptional circumstances.
Tolerable risks – to be kept as low as reasonably practicable (ALARP), taking into account the costs and benefits of further risk reduction.
Broadly acceptable risks – not normally requiring further reduction.
Risk attitude, appetite and tolerance
The terms?risk attitude,?appetite, and?tolerance?are often used similarly to describe an organization's or individual's attitude towards risk-taking. One's attitude may be described as?risk-averse,?risk-neutral, or?risk-seeking. Risk tolerance looks at acceptable/unacceptable deviations from what is expected.?Risk appetite looks at how much risk one is willing to accept. There can still be deviations that are within a risk appetite. For example, recent research finds that insured individuals are significantly likely to divest from risky asset holdings in response to a decline in health, controlling for variables such as income, age, and out-of-pocket medical expenses.
Gambling is a risk-increasing investment, wherein money on hand is risked for a possible large return, but with the possibility of losing it all. Purchasing a lottery ticket is a very risky investment with a high chance of no return and a small chance of a very high return. In contrast, putting money in a bank at a defined rate of interest is a risk-averse action that gives a guaranteed return of a small gain and precludes other investments with possibly higher gain.
One good link on the risk perspective is the Kroll publication on the gap in the reality and perception in Cyber Security: Bridging the Gap Between Reality and Perception in Cyber Security (kroll.com)
Backlink
Forwardlink