At NuHarbor, our Security Advisory experts specialize in risk assessment and consciously think about risk every day. Sometimes this is good, like when a friend extends the invite to go cliff jumping or skydiving in Mexico. Other times, not so much. For example, investing three hours of Yelp research to pick a Thai place for takeout.
While this type of thinking has its pros and cons, at the end of the day every conscious or subconscious action we take involves some level of risk. You may be thinking that when it comes to risk, ignorance is bliss (e.g., college). In today’s ever-changing and interconnected world, however, being ignorant of risk is unrealistic. With an infinite number of decisions to make in our lives, how do we make sense of it all? How can we think about risk logically, rather than as one complex term so overwhelming that we choose to ignore it?
Fortunately, with daily decisions it’s easy to calculate an expected outcome by multiplying the worst thing that could happen (e.g., fatally jumping off a cliff) by an estimated probability of, let’s say, one in 10. The answer suggests not to pursue such risky behavior. The same logic could be applied to a decision to order Thai food instead of cooking a meal. Let’s assume the average diner enjoys nine out of every 10 Thai restaurants they try. If they regularly spend $20 on Thai food, the expected loss (i.e., money spent on unsatisfying food) is $18 (9/10 x 20). This exercise could be considered somewhat risky, but most would agree that it’s not worth investing three hours of time to address. This type of subconscious thinking is constant.
This example is like any of hundreds we make in our personal lives, balancing our wants, interests, fears, and logic. As we think about risk assessment, it’s helpful to think of this balance.
Since we’re clearly managing risk in our everyday lives, how can we just ignore it when we get to work? The answer is: we can’t. Our challenge is to translate the way we process generic daily risk into something we can apply in our professional lives. The answer lies in the terms called out by NIST (the National Institute of Standards and Technology), which describes risk in four terms that are clear, non-technical, and easy to understand: threat, vulnerability, likelihood, and impact.
Think of these factors as ingredients for a classic favorite: the peanut butter and jelly sandwich. The sandwich (risk) is a function of its components: peanut butter (threats), jelly (vulnerabilities), and two pieces of bread (impact and likelihood). To think critically about risk, you must analyze the role of each ingredient, and its relationship with the others to create the whole sandwich.
Risk Assessment Elements Defined
NIST provides the following basic definitions that will ensure consistent understanding and communication with others:
Threat
“Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.”
That’s a mouthful, so let’s shorten it to, “An entity (person, place, group, thing, etc.) with the potential to cause harm.” Potential threats are essentially limitless.
Vulnerability
“Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat.”
This definition is a bit easier to digest. Plainly, vulnerabilities are weaknesses. Back to the skydiving example, there are boundless potential weaknesses involved, from aircraft problems to parachute functionality to speaking zero Spanish but jumping from a plane in rural Mexico.
Likelihood
“A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities.”
Likelihood is the most intuitive of these definitions but can still be a challenge because it’s difficult to estimate. With skydiving, we could research statistics on injuries or number of deaths – but will that effectively educate us on the likelihood of injury? Has the experience level of the skydiving company been considered? The weather? Or thousands of other variables? Whether making important life decisions or performing a risk assessment, likelihood ultimately boils down to a subjective measure utilizing available evidence, experience, and judgment.
Impact
“The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.”
To simplify, let’s say this: “Impact is the harm that results when a threat uses, triggers, or exploits a vulnerability”. Still want to go skydiving? This is the stage where you consider the potential impact of an activity (e.g., breaking your legs, permanent emotional distress, death, dismemberment, etc.).
Not specifically considered by these definitions is the influence of different environments. The same application – or threat, or vulnerability – will pose very different risks depending on the use case. Are you a public sector organization serving millions of taxpayers or thousands of students? The impact of a critical vulnerability will be very different for you than for a private sector organization operating with very different costs, liabilities, and public awareness. Similarly, within your own organization, the same vulnerability or threat will have a very different impact depending on where the weakness exists.
Think about the first four criteria as being more than static measures. Any time one of them changes because of the context of the exposure, particularly likelihood or impact, it’s important to create a new assessment of risk to the new environment.
Security Risk Assessment
Now that we understand threat, vulnerability, impact, and context, we have the fundamental elements we need to conduct a risk assessment. Here’s a step-by-step summary:
Identify threat sources.
Identify events that could be produced by those threats.
Identify vulnerabilities (i.e., potential for exploitation).
Determine the likelihood that identified threat sources could successfully initiate threat events.
Determine the impact of the events.
Use a scale to score the risk, for example 1-5 or low to high.
Risk Decisions and Residual Risk
Ultimately, the goal of a risk assessment is not only to identify risk, but to make smart decisions to address it. This is typically done through the application of controls. Unfortunately, reviewing controls in detail has a reputation as a tedious task that creates more work. But the beauty of a risk assessment is that it forces controls to be more logical; after all, if the identified risks aren’t addressed, what is the point of doing a risk assessment? Hint: we’re probably applying the wrong control(s).
Instead of yelling at our friend from the death spiral, perhaps we should have done a risk assessment: identified the threat (skydiving), vulnerability (shoddy plane/skydiving equipment), and potential impact (going splat). This could have led to proactive implementation of better controls, like completing vendor background checks and requesting references, safety history, and a copy of their professional liability policy. Alternatively, the risk could be avoided altogether by refusing the skydiving invitation from the start. In either scenario, risk assessment is the magic sauce that enables informed and rational decisions that deliver real business value.
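As an added illustration of the step-by-step assessment above and the control/residual-risk decision in this section (example code written for this page, not a NuHarbor or NIST tool), the following Python scores each threat/vulnerability pair on the 1-5 scale, re-scores it after controls, and turns the result into an accept, treat or avoid decision. The 5x5 matrix thresholds, the per-control reductions and the sample scenarios (the article's skydiving trip, and one vulnerability scored in two contexts) are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # points taken off likelihood (e.g. vendor vetting)
    impact_reduction: int = 0      # points taken off impact (e.g. backups, insurance)

@dataclass
class Risk:
    threat_source: str  # the entity with potential to cause harm
    threat_event: str   # what that source could do
    vulnerability: str  # the weakness the event exploits or triggers
    likelihood: int     # 1-5, subjective estimate from evidence and judgment
    impact: int         # 1-5, harm in this specific context
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact are scored 1-5")

def score(likelihood: int, impact: int) -> int:
    """Map a likelihood x impact pair onto a 1-5 risk level (assumed 5x5 matrix, by product)."""
    product = likelihood * impact
    for level, floor in ((5, 20), (4, 12), (3, 6), (2, 3)):
        if product >= floor:
            return level
    return 1

def inherent(risk: Risk) -> int:
    return score(risk.likelihood, risk.impact)  # risk before any control is applied

def residual(risk: Risk) -> int:
    """Risk left after controls; a factor never drops below 1, so no control removes risk entirely."""
    lk = max(1, risk.likelihood - sum(c.likelihood_reduction for c in risk.controls))
    im = max(1, risk.impact - sum(c.impact_reduction for c in risk.controls))
    return score(lk, im)

def decide(risk: Risk, appetite: int = 2) -> str:
    """Accept if already within appetite, treat if controls bring it there, otherwise avoid."""
    if inherent(risk) <= appetite:
        return "accept"
    return "treat" if residual(risk) <= appetite else "avoid"

# Constructed scenarios: the article's skydiving trip, and one vulnerability in two contexts.
VETTING = Control("vendor background check, references, safety history", likelihood_reduction=1)
SKYDIVE = Risk("unvetted skydiving operator", "aircraft or parachute failure mid-jump",
               "shoddy plane/skydiving equipment", likelihood=2, impact=5)
PORTAL_PUBLIC = Risk("external attacker", "exploits the flaw", "unpatched critical bug, citizen portal", 4, 5)
PORTAL_LAB = Risk("external attacker", "exploits the flaw", "same bug, isolated internal test lab", 4, 2)
```

With the assumed matrix, the unvetted jump scores 3 and is avoided at an appetite of 2, the same jump with vetting drops to 2 and is treated, and the identical bug scores 5 on the citizen portal but only 3 in the lab, which is the context effect described earlier.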
To learn more about NuHarbor’s risk assessment services, visit our services page. If you have never done a risk assessment, feel like the assessments you’ve completed are lacking, or just like chatting about risk and controls, complete the form below and one of our experts will be in touch!