Saturday, May 19, 2018

Understanding Risk Assessment

Risk Assessment is a part of the Risk Management process. It is a method of identifying vulnerabilities and threats, and the impact if a threat agent exploits a vulnerability, in order to recommend security controls. Many Risk Assessment methodologies are available to assess the level of risk, such as NIST SP 800, FRAP, OCTAVE, Delphi, etc.

In simple terms, risk assessment involves identifying weaknesses, threats and the potential damage in case of exploitation, and based on this you recommend certain countermeasures.

Sounds simple? It is practically the most challenging, time-consuming and difficult work in the entire risk management process. Let’s understand what makes this simple, straightforward process so difficult to execute. You are a security professional and the CEO calls you to do the security assessment of the site at New Delhi. If you start doing the risk assessment right away, I assure you that you will end up pulling your hair out. Why so? You will realize the answer if you try to answer the following questions:

1. What is the scope of your risk assessment? 
2. Does it involve only the physical assets of the building? 
3. Do you need to consider all the functions operating out of the building?
4. Do you need to involve the third party vendors under this assessment?
5. Would you include the intangible assets in this assessment?
6. What is the time limit for this assessment?
7. Are there any budgetary constraints for this assessment?
8. What methodology would you choose for the asset valuation? Will you include assets that are about to be scrapped?

Unfortunately, a lot of security professionals and businesses do not answer these questions before beginning the risk assessment.

The most important criterion for any risk assessment is buy-in from top management. This buy-in must include the time limit and budget for the risk assessment activity. In some cases, the scope of the assessment may be defined by top management or by middle management. Once the scope, time and budget are finalized, half of the problem is solved.

Let’s talk about the other half. Risk Assessment involves the following four steps:

1. Identify the assets and their valuations.
2. Identify the vulnerabilities and threats associated with them.
3. Quantify the probability and business impact of these potential threats.
4. Recommend countermeasures with a balance between cost and benefit.
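To make steps 3 and 4 concrete, here is an added worked example (not code from the original post) that scores a few constructed sample assets with the standard quantitative method the post does not name: single loss expectancy (asset value × exposure factor), annualized loss expectancy (SLE × annual rate of occurrence), and a countermeasure's net annual benefit (ALE reduction minus the control's yearly cost). All asset values, exposure factors, rates and prices are constructed figures; the names `Asset`, `Threat`, `Countermeasure`, `recommend` and `build_sample` are this example's own.

```python
"""Quantitative risk scoring for the four risk-assessment steps.

Added example using the SLE / ALE method:
    SLE = asset value x exposure factor
    ALE = SLE x annual rate of occurrence (ARO)
A countermeasure is worth recommending only when the ALE it removes
exceeds what it costs per year. Every figure below is a constructed sample.
"""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Asset:
    name: str
    value: float  # step 1: valuation (constructed currency units)


@dataclass
class Threat:
    name: str
    asset: Asset
    exposure_factor: float  # step 2/3: fraction of value lost per occurrence (0..1)
    annual_rate: float      # step 3: expected occurrences per year (ARO)

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence."""
        return self.asset.value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected yearly loss."""
        return self.sle() * self.annual_rate


@dataclass
class Countermeasure:
    name: str
    threat: Threat
    annual_cost: float
    new_annual_rate: float                      # ARO after the control is in place
    new_exposure_factor: Optional[float] = None  # EF after the control, if it changes

    def residual_ale(self) -> float:
        """Yearly loss still expected with the control deployed."""
        ef = self.threat.exposure_factor if self.new_exposure_factor is None \
            else self.new_exposure_factor
        return self.threat.asset.value * ef * self.new_annual_rate

    def net_benefit(self) -> float:
        """Step 4: ALE reduction minus what the control costs per year."""
        return self.threat.ale() - self.residual_ale() - self.annual_cost


def recommend(controls: List[Countermeasure]) -> List[Countermeasure]:
    """Keep only controls whose benefit exceeds their cost, best first."""
    worthwhile = [c for c in controls if c.net_benefit() > 0]
    return sorted(worthwhile, key=lambda c: c.net_benefit(), reverse=True)


def build_sample() -> List[Countermeasure]:
    """Constructed sample: a defence-project file server and a remotely
    controlled ice-cream vending machine, mirroring the post's contrast."""
    server = Asset("Project file server", value=200_000)
    vending = Asset("Vending machine controller", value=3_000)

    ransomware = Threat("Ransomware", server, exposure_factor=0.5, annual_rate=0.2)
    tampering = Threat("Remote tampering", vending, exposure_factor=1.0, annual_rate=0.5)

    return [
        # Cheap control that limits damage per incident: EF drops from 0.5 to 0.1.
        Countermeasure("Offline backups", ransomware, annual_cost=5_000,
                       new_annual_rate=0.2, new_exposure_factor=0.1),
        # Expensive control that cuts frequency but costs more than it saves.
        Countermeasure("Premium security appliance", ransomware, annual_cost=25_000,
                       new_annual_rate=0.05),
        # Modest control proportionate to a low-value asset.
        Countermeasure("Network segmentation", tampering, annual_cost=400,
                       new_annual_rate=0.1),
    ]


if __name__ == "__main__":
    controls = build_sample()
    for c in controls:
        print(f"{c.threat.asset.name:28} {c.threat.name:18} ALE={c.threat.ale():>9.0f} "
              f"{c.name:26} net={c.net_benefit():>8.0f}")
    print("Recommended:", [c.name for c in recommend(controls)])
```

The ranking shows why valuation (step 1) drives step 4: the same ransomware threat justifies offline backups but not a control that costs more per year than the loss it prevents, and the low-value vending controller only merits a proportionately cheap measure.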

Clearly, these steps look really simple to complete. Yes, they are. However, there is a catch. Well, there is always a catch in the security role. Let’s understand this step by step.

1. As a security professional, you may be an expert in security, but you will not be able to understand all the risks a department faces. This issue can be resolved by working with a cross-functional team. Each organization has different departments, and each department has its own functions, resources and tasks. For the most effective risk analysis, an organization must therefore build a risk analysis team that includes individuals from many or all departments, to ensure that all of the threats are identified and addressed. This means the assessment depends heavily on the team working together.

2. Asset identification – Tangible, Intangible or Both – This needs to be finalized in the early stages.

3. Asset Valuation – It is important to ask questions during this phase. Many costs are associated with a particular asset, and they are not limited to its market cost. The value placed on information is relative to the parties involved, what work was required to develop it, how much it costs to maintain, what damage would result if it were lost or destroyed, what enemies would pay for it, and what liability penalties could be incurred. If this activity is not done properly, it will create issues when countermeasures are to be deployed. An organization working on advanced defense projects would deploy different countermeasures for its servers than for an ice cream vending machine remotely controlled by a server.

Once all these steps are done, you have completed the risk assessment. Now you can present the report to the CEO who asked you to do it. Wait, the CEO has a different report from another professional who was asked to conduct the same assessment. The results are as different as day and night. This is a common issue that comes up when a standard methodology is not followed for risk assessment.

Let’s explore the risk assessment methodologies in the next article. 

What are your thoughts on risk assessment? Which of the following steps do you find the most difficult? Share your thoughts in the comments below.
