By: Kristof Holm
As an IT security professional specializing in risk assessment, I often consciously think about risk in everyday life. Sometimes this is good, like when a friend asks whether I’d like to go cliff jumping or skydiving in Mexico. Other times, not so much (see: investing three hours of Yelp research to choose a Thai place for takeout!).
While this type of thinking clearly has its pros and cons, at the end of the day, whether we consciously consider it or not, every action we take involves some level of risk. Now you may be thinking that when it comes to risk, ignorance is bliss (think back to your college years). Unfortunately, in today’s ever-developing and interconnected world, being ignorant of risk is no longer a realistic option. With a nearly infinite number of decisions to be made in our lives, how do we make sense of it all? How can we think about risk logically, not as one amalgamated term so overwhelming that we choose to ignore it?
Fortunately, in everyday decisions it’s easy to quickly calculate an expected outcome by multiplying the worst thing that could happen (i.e. dying jumping off the cliff) by an estimated probability (let’s say 1 in 10). This tells me I probably don’t want to pursue such risky behavior. The same could be applied to my decision to order Thai food instead of cooking a meal. Let’s say, based on past experience, I’ve enjoyed one out of every ten Thai restaurants I’ve tried. If I’m spending $20 on Thai food, my expected loss (money spent on food I don’t like) is $18 (9/10 x $20). This could be considered somewhat risky, but nearly everyone would agree that it’s clearly not worth investing three hours of time to address. This type of thinking is constantly happening subconsciously.
If we can’t ignore risk in everyday life, why do we ignore it in the workplace? The obvious answer is that we can’t, so how can we translate the way we process generic everyday risks into something we can use in our professional lives? Now hopefully I don’t lose you here, but I’d argue that the answer lies in NIST Special Publication 800-30. NIST 800-30 divides risk into four main risk factors: threats, vulnerabilities, likelihood, and impact. Without getting too poetic, I like to think of these as ingredients: the sandwich (risk) is a function of its components, peanut butter (threats), jelly (vulnerabilities), and bread (impact), with likelihood deciding how often the sandwich actually gets made. To think about risk critically you need to analyze the role of each ingredient, and their relationship with each other, as it relates to the sandwich as a whole.
Risk Assessment Definitions:
Let’s look at some risk assessment definitions to make sure we’re all on the same page. NIST 800-30 provides the following definitions for threats, vulnerabilities, likelihood, and impacts:
Threat: “Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.”
That’s a mouthful, so I like to shorten it to “An entity (person, place, group, thing, etc.) with the potential to cause harm.” This is where things get tricky: the set of potential threats is almost limitless.
Vulnerability: “Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat.”
This definition is a little easier to digest: vulnerabilities are essentially weaknesses. Sticking with the skydiving example, there are boundless potential weaknesses, from problems with the airplane, to the parachute, to not speaking Spanish and deciding to go skydiving in a foreign country!
Likelihood: “A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities.”
Likelihood is probably the most intuitive of these definitions, but it can still be a challenge because it is difficult to estimate. With skydiving I could research statistics on injuries or deaths, but will that necessarily tell me how likely I am to be injured? Have I considered the experience level of the company I’m skydiving with, the weather, or thousands of other variables? Ultimately, whether making important life decisions or doing a risk assessment, likelihood boils down to a subjective measure built from available evidence, experience, and judgment.
Impact: “The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.”
For shorthand we can say “An impact is the harm that results when a threat uses, triggers, or exploits a vulnerability.” So, still thinking of going skydiving? This is where you would consider the potential impacts (i.e. breaking your legs, permanent emotional distress, death, etc.).
Security Risk Assessment
Now that we understand threats, vulnerabilities, likelihood, and impacts, we have the fundamental pieces to conduct a risk assessment. The NIST 800-30 process can be summarized as:
- Identify threats
- Identify threat events that could be produced by those threats
- Identify vulnerabilities (potential for exploitation)
- Determine the likelihood that the identified threat sources could initiate those threat events, and that the events would succeed
- Determine the impact of the threat events
- Combine steps one through five to estimate risk (for each threat event, its likelihood weighed against its impact)
Risk Decisions and Residual Risk
Ultimately, the goal of a risk assessment is not only to identify risk but to make smart decisions in addressing it. This is typically done through the application of controls. Now, I know many people don’t like the C word, as controls have a reputation as tedious tasks that cause more work, but that is the beauty of a risk assessment! Risk assessments force controls to be more logical; after all, if a control doesn’t address any of the risks we identified in the assessment, why are we doing it? (Hint: we’re probably doing the wrong control.)
Instead of yelling at my friend as I fall to my death, maybe I should have done a risk assessment: identified the threat (skydiving), the vulnerability (shoddy planes and skydiving equipment), and the potential impact (going splat). This could have led to proactive implementation of better controls, such as completing background checks, checking references and safety history, and obtaining a copy of the operator’s professional liability policy. Alternatively, I could avoid the risk altogether by refusing to go skydiving in the first place. Whatever risk remains after the controls are applied is the residual risk, and that is what you are actually choosing to accept. In either scenario the risk assessment is the magic sauce that allows for risk-informed and rational decisions, delivering real business value.
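To make the six steps above and the residual-risk decision concrete, here is an added worked example in Python. It is not code from the post or from NIST: a minimal risk register that scores each threat event as likelihood x impact (the same arithmetic as the Thai-food example), re-scores it after the controls that address it, and flags any control that addresses no identified risk. The threat events, probabilities, dollar impacts, and control reduction percentages are constructed for illustration and are not real figures.

```python
from dataclasses import dataclass


@dataclass
class ThreatEvent:
    """One row of the risk register: steps 1-5 of the assessment."""
    source: str          # step 1: the threat source
    event: str           # step 2: a threat event that source could produce
    vulnerability: str   # step 3: the weakness the event would exploit
    likelihood: float    # step 4: P(source initiates the event and succeeds), 0..1
    impact: float        # step 5: harm if it happens, here in dollars


@dataclass
class Control:
    """A proposed control and the single threat event it is meant to treat."""
    name: str
    addresses: str                     # must match a ThreatEvent.event to count
    likelihood_reduction: float = 0.0  # fraction of the likelihood it removes
    impact_reduction: float = 0.0      # fraction of the impact it removes


def expected_loss(likelihood: float, impact: float) -> float:
    """Step 6: risk as likelihood x impact, the Thai-food arithmetic from the post."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability between 0 and 1")
    return likelihood * impact


def residual(event: ThreatEvent, controls: list[Control]) -> tuple[float, float]:
    """Likelihood and impact left after every control that addresses this event.

    Reductions compound multiplicatively, so two controls that each remove 50%
    of the likelihood leave 25%, not 0%.
    """
    likelihood, impact = event.likelihood, event.impact
    for control in controls:
        if control.addresses == event.event:
            likelihood *= 1.0 - control.likelihood_reduction
            impact *= 1.0 - control.impact_reduction
    return likelihood, impact


def assess(events: list[ThreatEvent], controls: list[Control]) -> list[dict]:
    """Build the register, ranked by inherent (pre-control) risk, highest first."""
    rows = []
    for event in events:
        inherent = expected_loss(event.likelihood, event.impact)
        post_likelihood, post_impact = residual(event, controls)
        rows.append({
            "event": event.event,
            "source": event.source,
            "vulnerability": event.vulnerability,
            "inherent": inherent,
            "residual": expected_loss(post_likelihood, post_impact),
        })
    return sorted(rows, key=lambda row: row["inherent"], reverse=True)


def orphan_controls(events: list[ThreatEvent], controls: list[Control]) -> list[str]:
    """Controls that treat no identified threat event: the 'wrong control' from the post."""
    identified = {event.event for event in events}
    return [control.name for control in controls if control.addresses not in identified]


# Constructed sample register (hypothetical figures, chosen for illustration only).
EVENTS = [
    ThreatEvent("External attacker", "Phishing steals finance mailbox credentials",
                "No MFA on webmail", likelihood=0.30, impact=250_000),
    ThreatEvent("Careless employee", "Unencrypted laptop lost in transit",
                "No full-disk encryption", likelihood=0.10, impact=80_000),
    ThreatEvent("Ransomware operator", "Backups encrypted along with production",
                "Backups reachable from domain-joined hosts", likelihood=0.05, impact=1_000_000),
]

CONTROLS = [
    Control("Enforce MFA on webmail", "Phishing steals finance mailbox credentials",
            likelihood_reduction=0.90),
    Control("Full-disk encryption on laptops", "Unencrypted laptop lost in transit",
            impact_reduction=0.95),
    Control("Offline backup copy", "Backups encrypted along with production",
            impact_reduction=0.80),
    # Addresses a threat event nobody identified, so it cannot reduce any assessed risk.
    Control("Annual security poster campaign", "Tailgating into the server room"),
]


if __name__ == "__main__":
    for row in assess(EVENTS, CONTROLS):
        print(f"{row['event']:<45} inherent ${row['inherent']:>10,.0f}"
              f"  residual ${row['residual']:>10,.0f}")
    print("Controls addressing no identified risk:", orphan_controls(EVENTS, CONTROLS))
```

Two things worth noticing when you run it: the ranking changes after controls (phishing is the largest inherent risk, but once MFA is in place the ransomware event carries the largest residual risk, so that is where the next control dollar should go), and the poster campaign shows up as addressing nothing in the register, which is exactly the “wrong control” question the assessment is supposed to surface.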
For additional detail on the risk assessment process, see NIST 800-30 Rev 1 Guide for Conducting Risk Assessments: https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
For additional detail on our risk assessment services, see our services page: https://nuharborsecurity.com/risk-management-assessments/
If you’ve never done a risk assessment, feel that the risk assessments you’ve done aren’t as comprehensive or effective as you’d like, or just like chatting about risk and controls, feel free to reach out!