Explaining the risk management process


Mark Edmead
10.09.2002
As an information security consultant, my clients ask me to make a determination as to how the integration of new technology will affect the security within their organizations. For instance, perhaps an organization would like to use a wireless LAN or allow their employees to use an instant messaging product. Using these technologies might increase productivity or provide a much-needed business advantage. But before allowing a new piece of technology into your organization, you need to ask yourself the following questions:

  • Does the introduction of these technologies make my systems more vulnerable?
  • What are the risks associated with using these technologies?
  • Are the benefits offered by these technologies greater than the risks they represent?

Adding new technology without determining the impact on the organization could be a potential security suicide. This is where the concepts of risk management (and risk analysis) come in.

In information security, risk is defined by the following equation: Risk = Threat x Vulnerability. A vulnerability is a weakness, and the threat can be categorized as the actual exploit of this vulnerability. The formula states that the threat times the vulnerability equals the risk. Notice that because the variables are multiplied, if the threat or the vulnerability value approaches zero, the risk also approaches zero (i.e., eliminating either the threat or the vulnerability reduces the risk to zero). In some instances you may also include a variable for the value of the asset (Risk = Threat x Vulnerability x Asset value). This means that as the value of the asset approaches zero, the risk variable also approaches zero.

There's a lot more to this than just looking at the threats and the vulnerabilities. Several questions need to be answered to get an accurate picture of the situation. These questions include the following:

  1. What exactly is the threat?
  2. If the threat were realized, what's the impact?
  3. At what frequency could this threat occur?
  4. How sure are you of the answers above?

Let's assume your company is building a new data center, and your job is to perform a risk analysis of the data center location. So, if we were to answer the above questions, the answers may look something like this:

  1. What exactly is the threat (to the data center)?
    Perhaps it's a natural disaster-related damage threat (earthquake, hurricane, tornado, flooding).
  2. What would be the impact of the threat?
    The impact could be anything from the systems being down for a few hours to total destruction of the data center.
  3. What's the threat frequency?
    In Florida, hurricanes seem to occur almost on a yearly basis. In the Midwest, the likelihood of a tornado is higher than on the West Coast. It stands to reason that a data center built on an earthquake fault in California is not ideal. While the frequency of an earthquake is perhaps one every 10 years, all you need is one good earthquake to destroy the data center.

There's a certain level of risk associated with any computer system, operating system or application. The question is, what's an acceptable level of risk? Take, for instance, the fact that driving on the freeway is a risky endeavor. If we were really concerned about the risk of getting into a car accident, we would have three choices:

  1. Accept the risk as it is -- That means you're willing to accept the consequences of driving your car.
  2. Reduce the risk -- That means reducing it to an acceptable level. While it's possible to eliminate the risk completely, this is normally not an easy task (or if you do, you will be giving up a lot for it).
  3. Transfer the risk -- This could be like getting insurance; in case something does happen, you're financially covered.

Risk management involves being able to understand the impact of the risk. One method used is called "quantitative" risk analysis. That method assigns actual "values" to the risk, most commonly in terms of money. For example, in quantitative analysis you would say, "The replacement cost for this server if it were destroyed is $5,000."

On the other hand, "qualitative" analysis uses a more "subjective" approach. Typically risks are categorized as high, medium and low. This approach is much easier to calculate, but the results are more subjective (meaning that what's a high risk to you might not be a high risk to someone else). In many cases, you'll use a combination of both methods -- keeping in mind that sometimes management wants to see the risk in terms of dollar amounts. (Doesn't management always seem to ask, "How much will it cost to replace it?")
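The formula, the threat/impact/frequency questions and the accept/reduce/transfer choice above, as an added Python example that is not part of the original article. The server cost and event frequencies come from the article; the vulnerability fractions, mitigation cost, premium and high/medium/low thresholds are constructed, and reading Threat x Vulnerability x Asset value as expected loss per year is this example's interpretation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset, scored with the article's formula."""
    name: str
    threat: float         # expected occurrences per year (one every 10 years -> 0.1)
    vulnerability: float  # fraction of the asset lost when the threat occurs, 0.0 to 1.0
    asset_value: float    # replacement cost in dollars (the quantitative input)


def annual_risk(s: Scenario) -> float:
    """Risk = Threat x Vulnerability x Asset value, read here as expected loss per year.
    Any factor at zero drives the product to zero, as the article points out."""
    return s.threat * s.vulnerability * s.asset_value


def qualitative_rating(expected_loss: float, low: float = 1000.0, high: float = 5000.0) -> str:
    """Map a dollar figure onto the high/medium/low scale of qualitative analysis.
    The thresholds are constructed for this example; they are the subjective part."""
    if expected_loss < low:
        return "low"
    if expected_loss < high:
        return "medium"
    return "high"


def cheapest_treatment(s: Scenario, mitigation_cost: float, residual_vulnerability: float,
                       insurance_premium: float) -> tuple[str, float]:
    """Compare the three choices over one year: accept, reduce or transfer.
    Returns the cheapest option and its annual cost (spend plus expected loss)."""
    accept = annual_risk(s)
    reduced = Scenario(s.name, s.threat, residual_vulnerability, s.asset_value)
    reduce = mitigation_cost + annual_risk(reduced)   # pay for controls, keep residual risk
    transfer = insurance_premium                      # insurer carries the loss
    options = {"accept": accept, "reduce": reduce, "transfer": transfer}
    choice = min(options, key=options.get)
    return choice, options[choice]


# Constructed scenarios built on the article's figures: a $5,000 server, an earthquake
# roughly once per decade on a California fault, and a hurricane about once a year in Florida.
EARTHQUAKE = Scenario("earthquake, California fault", threat=0.1, vulnerability=1.0, asset_value=5000.0)
HURRICANE = Scenario("hurricane, Florida", threat=1.0, vulnerability=0.6, asset_value=5000.0)

if __name__ == "__main__":
    for s in (EARTHQUAKE, HURRICANE):
        loss = annual_risk(s)
        print(f"{s.name}: ${loss:,.0f}/year -> {qualitative_rating(loss)}")
    print(cheapest_treatment(HURRICANE, mitigation_cost=1200.0,
                             residual_vulnerability=0.1, insurance_premium=2500.0))
```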

Risk management is an ongoing process when working with information technology. As new products are introduced into your business, you should make sure you determine what the potential security risks are. And if there are risks, decide whether you're willing to accept them, what you can do to reduce them, or whether to transfer the risk to someone else.

About the author
Mark Edmead, CISSP, SSCP, TICSA, is president of MTE Software, Inc. (www.mtesoft.com) and has more than 25 years' experience in software development, product development and network systems security.
