In this installment of the Risk Management Guide, contributor Shon Harris explains what risk is and clarifies the differences between risk and vulnerability management.
Companies have always had to deal with different types of risk, be it financial, legal, the success of a new product launch or a merger, or the threat of natural disasters. These risks are traditionally treated as silos. The CFO is responsible for understanding and making decisions pertaining to financial risk. The IT department is responsible for the risk of losing data processing capabilities. Legal council is responsible for understanding and managing the company's legal issues. And so on. But this fragmented approach to risk is becoming more dangerous as companies face risks that threaten the company's overall existence. These risks come in the form of noncompliance with government regulations, increasing information security threats, terrorist activities and natural disasters. It is important now more than ever, for companies to develop and maintain a holistic risk management program that coordinates these silos because they all have the same overall goal – to protect the company and its assets.
Although many people in the information security industry use the word "risk," few have a true understanding of its definition and how it relates to the business world. Technically speaking, risk is the probability of a threat agent exploiting a vulnerability and the resulting business impact. For example, an open port could be a vulnerability and the corresponding threat agent could be a hacker who gets through that port and causes damage or loss, such as accessing customer credit card information in a backend database. Calculating the risk of this scenario requires understanding the possibility and probability of this taking place, but even more important, the to cost the company. Cost does not always have a straight forward quantitative value, which is what makes risk management a difficult task. Cost can come in the form of lost data, discredited reputation, loss of potential and unrealized customer revenue, loss of market share and more. These are qualitative and intangible components that make the calculation of risk much more difficult.
The misunderstanding of the term "risk" can be clearly seen in some of today's security product lines. There are many vendors that refer to their products as "risk management tools," when in fact they are vulnerability management tools. Identifying a vulnerability is usually simple. A vulnerability can be untrained workers, a misconfigured firewall, a facility in a flood zone, lack of security guards, an uninformed management staff, an open port or an unpatched system. The list of vulnerabilities that a company faces is practically infinite. Most vulnerability management tools today are high powered scanners that look for open ports, unpatched systems, default user accounts, etc. As "risk management tools," these products stop short.
For risk management to be carried out properly, a company must understand all of its vulnerabilities and match them to specific threats. (Some vulnerabilities do not have corresponding threat agents that can exploit them, so we don't need to worry about them as much.) The steps are:
- Identify the vulnerabilities
- Map the vulnerabilities to their corresponding threat agents
- Calculate the probability of each vulnerability being exploited
- Calculate the actual business impact that would result from such a compromise
The crux of risk management is that a company has an infinite amount of vulnerabilities, but finite amount of money available to deal with them. So the vulnerabilities that can cause the company the most harm must be dealt with first. Risk management is a science and an art that ensures that a company takes on only as much risk as it can handle and no more. This balance is much more difficult to achieve than most people are aware of.
In the following article I discuss risk management at the 10,000 foot level. In each remaining article I will dig deeper into each component and explain different risk management approaches, models and methodologies. The skill to the art of risk management is to know which approach is best for specific situations. From here I plan to then dig deep into how organizational security programs should be set up, implemented and maintained. Before a solid security program can be successfully erected, one must understand the underlining risk the company faces – because the main reason for a security program to even exist is to maintain the company's risk level.
RISK MANAGEMENT GUIDE
Introduction: Understanding risk
An overview of the risk management process
How to define an acceptable level of risk
How to write an information risk management policy
How to implement an effective risk management team
Information risk management: Defining the scope, methodology and tools
How to conduct a risk analysis
How to deal with risk
About the author:
Shon Harris is a CISSP, MCSE and President of Logical Security, a firm specializing in security educational and training tools. Shon is a former engineer in the Air Force's Information Warfare unit, a security consultant and an author. She has authored two best selling CISSP books, including CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is also the co-author of Gray Hat Hacking: The Ethical Hacker's Handbook.