What is a risk scenario and how to define it
https://www.isaca.org/

COBIT 5 risk scenarios are still one of my favorite ways to identify security risks. Using the COBIT risk scenario examples as a reference, and identifying each of the components below, helps to define a meaningful and complete risk scenario, which in turn helps with identifying relevant controls.


Who is the Threat Actor? Internal staff, 3rd party, competitor, etc.

What is the Threat Type? Malicious, error, accident, etc.

What is the Threat Event? Disclosure, interruption, theft, misuse, etc.

Which Assets are at risk? People, process, systems, applications, network, etc.

What Vulnerabilities are on that asset that can be exploited by the threat?

What is the expected event Time? Occurrence, duration, frequency, etc.


I quite often see people confuse vulnerabilities or threats with risks. A risk is only valid when both a vulnerability and a threat are present for a particular asset. For example, “a php vulnerability on a web application” is not the risk, and neither is something like a “sensitive data breach”. Instead, an example of a risk scenario can be:

“Cyber criminals are able to use the php vulnerability on the external facing ecommerce web application to download large amounts of personal credit card data, once a year.”
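The rule above (a statement only qualifies as a risk when a threat and a vulnerability are both present for a particular asset) can be made mechanical. The following is an added example, not code from the original post or from COBIT or ISACA: it models the six scenario components listed above as a small data structure, reports which components a candidate statement lacks, and renders a complete scenario in the sentence form the post uses. The field names, the `is_risk` rule and the three constructed statements are my own assumptions; the statements mirror the post's "php vulnerability", "sensitive data breach" and full ecommerce examples.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (assumed field names, not a COBIT/ISACA artefact): one record
# per risk scenario with the six components the post asks for.
@dataclass
class RiskScenario:
    threat_actor: Optional[str] = None    # who: internal staff, 3rd party, competitor
    threat_type: Optional[str] = None     # malicious, error, accident
    threat_event: Optional[str] = None    # disclosure, interruption, theft, misuse
    asset: Optional[str] = None           # people, process, system, application, network
    vulnerability: Optional[str] = None   # weakness on that asset the threat can exploit
    time: Optional[str] = None            # occurrence, duration, frequency


# Order in which the post lists the components; used for gap reporting.
COMPONENTS = ("threat_actor", "threat_type", "threat_event",
              "asset", "vulnerability", "time")


def missing_components(scenario: RiskScenario) -> list:
    """Names of components that are absent or blank, in the post's order."""
    return [name for name in COMPONENTS
            if not (getattr(scenario, name) or "").strip()]


def is_risk(scenario: RiskScenario) -> bool:
    """The post's rule: a threat (actor and event), a vulnerability and the
    asset they apply to must all be present, otherwise it is not a risk."""
    needed = ("threat_actor", "threat_event", "asset", "vulnerability")
    return all((getattr(scenario, name) or "").strip() for name in needed)


def describe(scenario: RiskScenario) -> str:
    """Render a complete scenario as one sentence in the post's template.
    Raises ValueError naming the gaps when any component is missing."""
    gaps = missing_components(scenario)
    if gaps:
        raise ValueError("incomplete risk scenario, missing: " + ", ".join(gaps))
    return (f"{scenario.threat_actor} ({scenario.threat_type}) are able to use "
            f"{scenario.vulnerability} on {scenario.asset} to cause "
            f"{scenario.threat_event}, {scenario.time}.")


# Constructed inputs mirroring the three statements in the post.
JUST_A_VULNERABILITY = RiskScenario(asset="a web application",
                                    vulnerability="a php vulnerability")
JUST_AN_OUTCOME = RiskScenario(threat_event="a sensitive data breach")
FULL_SCENARIO = RiskScenario(
    threat_actor="Cyber criminals",
    threat_type="malicious",
    threat_event="download of large amounts of personal credit card data",
    asset="the external facing ecommerce web application",
    vulnerability="the php vulnerability",
    time="once a year",
)


if __name__ == "__main__":
    for label, s in (("vulnerability only", JUST_A_VULNERABILITY),
                     ("outcome only", JUST_AN_OUTCOME),
                     ("full scenario", FULL_SCENARIO)):
        print(f"{label}: is_risk={is_risk(s)} missing={missing_components(s)}")
    print(describe(FULL_SCENARIO))
```

Running the block shows that the first two statements fail `is_risk` and are reported with their gaps, while only the full scenario renders as a sentence; in practice the gap list is what you hand back to whoever wrote the statement, so that a bare vulnerability or a bare outcome is completed into a scenario before controls are chosen.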


There is also a very good example on the FAIR Institute website, the bald tire risk scenario (https://www.fairinstitute.org/white-papers-bald-tire), which explains what we mentioned above in more detail. Picture in your mind a bald car tire. Imagine that it’s so bald you can hardly tell that it ever had tread. How much risk is there?

Next, imagine that the bald tire is tied to a rope hanging from a tree branch. How much risk is there?

Next, imagine that the rope is frayed about halfway through, just below where it’s tied to the tree branch. How much risk is there?

Finally, imagine that the tire swing is suspended over an 80-foot cliff – with sharp rocks below. How much risk is there?


Now, identify the following components within the scenario. What were the threats; the vulnerabilities; the risks?


5W+1H... - In German we have 6W so it's a bit easier ;-)

Neetu Anand

Creative & Out of the Box Thinker | Turning Ordinary into Extraordinary | Learner for Life

3 years

Risk is only valid when both a vulnerability and a threat are present for a particular asset. So true, Rassoul; even if one of the other components is missing, it won't qualify as a Risk.
