
How to write a risk methodology that blends business, security needs

One security professional describes a homegrown risk methodology currently being used by a large university and a private corporation.

PROTECTING INFORMATION ASSETS is the information security program's primary directive. But the industry's inadequate strategies are partly to blame for its failures to do so; the industry seems satisfied with its current game plan. We allow vendors and compliance to direct how we should protect assets without analyzing which risks the proposed technology would actually reduce. If we truly believe in protecting the confidentiality, integrity, and availability (CIA) of our information assets, then we must think outside the box, take the time to analyze risk, and design security systems that reduce residual risk.

Security breaches (more than 260 million records lost since ChoicePoint; more than 30 million in 2008) are happening despite substantial investment in perimeter security defenses and compliance. The current standards and compliance efforts used to help protect our information assets are disproportionately technical and do not adequately address the current threats and security risks. It is clear that spending additional money on technology is not the answer to the problem; nor is spending money on compliance or program development, without addressing root causes.

The risk process must be rooted in the principles of security and integrated into a security program that blends business needs, due care, and current attack vectors while addressing regulatory and contractual requirements. Compliance with standards and regulations helps to show due care, but should not be the driving force in a security program. It is not possible to address all of the threats and vulnerabilities. Instead of prescriptive controls, reduction of residual risk should drive the development, assessment, and improvement of information security practices within the organization.

Organizations need to follow a risk methodology; we'll describe one here that was developed as part of a Ph.D. risk management course requirement at Nova Southeastern University. Risk research from James F. Broder, George L. Head and Stephen Horn, Elaine M. Hall, and Thomas Peltier was also reviewed as part of the risk methodology development.

Over the past two years, the risk methodology has been revised and implemented at a private corporation and the University of Washington (UW). The risk methodology is now fully integrated in the UW's information security program. The risk methodology was recently presented to the UW's President's Advisory Committee on Enterprise Risk Management (PACERM) as a successful example of integrating business values, strategy, and operations into the UW's ERM program.

The methodology is based on a security framework we developed four years ago. The framework accounts for all aspects of information security, addresses required security standards and regulations, and integrates information security into the business strategy. The initial concept of the framework came after talking to several security professionals; reviewing current regulations such as PCI-DSS, HIPAA, Gramm-Leach Bliley, and standards from ISO and NIST; auditing information security programs and practices of more than a dozen public, private, and government organizations; and researching security frameworks as part of a Master of Science information security program.

The goal of the project was to develop a framework that could be integrated into an information security program that would help defend the organization's information security practices, show performance at or above the due-care principle, and meet the organization's strategic security needs.

The framework is divided into 13 security elements within the strategic, tactical, and operational categories. The framework is integral to the security program because the entire organization must be viewed holistically for risk components. The framework gives the organization the ability to modify or add controls and objectives to meet its acceptable risk tolerance level. It also provides the direction for the development, assessment, and improvement of information security practices within the organization. The security program must concentrate protection efforts across the entire spectrum of the organization and be nimble enough to adapt to new threats. Compliance with standards and regulations is important, but compliance alone does not mean that residual risk has been reduced.

The risk methodology consists of a self-directed, qualitative assessment process that is repeated several times during each year. As an example, UW completes quarterly risk assessments and reports the outcome to the security steering committee.

Without a practical and easy-to-use method, individuals will tend to postpone or not complete the assessment, take a reactive posture, or apply the risk process incorrectly. A risk assessment is a point-in-time evaluation that can quickly become outdated. To be effective in reducing risk, security professionals need to complete periodic assessments of their organization's security and risk posture.

Jan Emblemsvag and Lars Endre Kjolstad, in "Qualitative Risk Analysis: Some Problems and Remedies," showed how qualitative security risk assessments depend on a consistent analysis of the organizational capabilities and information quality conducted by knowledgeable and credentialed security professionals. Without a consistent approach, analysis of the capabilities of the organization, and critical analysis of the quality of assessment information, the results of the qualitative assessment should be questioned. According to Ruth Hauser, Eric Breidenbach, and Katharina Stark, who wrote "Advances in Statistical Methods for the Health Sciences," even with the limitations of qualitative assessments, they can provide the business with adequate information for risk decisions not obtainable by other methods.

The assessment methodology is based on the premise that the amount of risk to the organization depends on the capability of the organization to protect its assets against enterprise threats. This is shown by the following formula. As the capability of the organization to protect its assets increases, or the threats to the organization decrease, the overall risk score should decrease. Calculating the risk score requires an organization to evaluate its capability and threats against a comprehensive framework of security elements. Key objectives and threats need to be defined in each security element to enable the evaluation of capability and of the likelihood and impact of threats.

The risk methodology accommodates the integration of the information security program into the organization's enterprise risk management (ERM) program. This is accomplished by identifying the relationship between the risk statements and objectives and threats within each security element. The risk statements are categorized within four areas and include:

  • Compliance (failing to follow laws, regulations, contractual agreements, standards, or organization policy);
  • Financial (loss of physical assets or financial resources);
  • Operational (affects ongoing management processes); and
  • Strategic (affects the ability to achieve goals or objectives).

The relationship between the objectives, threats, and risk statements allows the organization to assess and check the risk from both the security element perspective and the ERM perspective. This provides the top-down and bottom-up consistency check that qualitative risk assessments need. This chart shows the relationship between ERM and the framework.

Identification of security risks, objectives, and threats is critical to the success of the security risk process and is the first phase that should be completed by the organization. The risk identification phase should not be taken lightly and will require a concerted effort led by a knowledgeable and credentialed security professional team. The team must be familiar with the business environment, security standards, business needs, regulatory requirements and current threat spectrum. During this phase, the team will determine and validate the key objectives and the current threats for the environment. It is important to discuss each objective and threat to ensure they are representative of each security element as well as not being too granular.

The risk statements can be created as part of the organization's ERM process, or separately if the organization does not have a coordinated risk process. The team must consider the root cause and not focus on the effects of the risk or on mitigation steps. After the team completes the definition of the objectives, threats, and risk statements, each objective and threat is correlated to one or more of the risk statements. These relationships allow the organization to analyze the impact on risk of changes in capability and threats. It is not uncommon to complete several iterations during this phase. After the team finishes defining the objectives and threats for each security element, each threat's relationship to the CIA triad should be recorded. The objective of the risk identification phase is an overall balance of objectives and threats across all security elements, with the relationships to the risk statements correctly identified.

During the risk assessment phase, the team will use the key objectives and threats to make the scoring decisions. It is important to remember that the consistency of the methods used to determine the outcome and the security expertise of the team are more important than the scoring definitions. The team must document its decision process to ensure this consistency. The benefit of consistency is the ability to compare past and current assessments and analyze trends.

The first step in this phase is to define the level of capability the organization has reached in developing its comprehensive security program for each security element. A five-level capability scale was developed to aid in this process.

The team will also evaluate the likelihood and impact of each threat within each security element. Along with data assets, threat agents should be considered during this part of the scoring. Threat agents are individuals who could use various threat sources to exploit vulnerabilities. Intentions, capabilities, and opportunities for carrying out an attack make people dangerous threat agents. Potential threat agents may include employees, contractors, former contractors and subcontractors, maintenance staff, former employees, and unauthorized external users.

Likelihood and impact are scored on a three-point (low, medium, or high) scale. The likelihood score is influenced by the capability of the threat agent, the controls currently in place, and the frequency and type of attacks. The impact is determined by the damage caused to the asset or organization by the vulnerability exploitation. The damage is measured in terms of disruption, loss of competitive advantage, capability, reputational loss, and replacement cost of the asset.

The final threat index score is calculated by adding the likelihood score, impact score, and one point for each CIA relationship to the threat. If the threat is only related to availability, one point will be added to the likelihood and impact scores. Three points will be added if the threat is related to the entire CIA triad. The maximum base threat index score is nine and the minimum base score is three. The threat score is calculated by for threats within each security element. The capability score is calculated by for objectives within each security element. The risk factor for the threat score is initially set to 1.0 unless the organization feels that certain risks have a greater weight, in which case an additional risk factor of 0.1 to 0.5 can be added.

This phase evaluates the information gathered throughout risk identification and evaluation. The analysis starts with looking at the overall security process capability scores and threat index scores for the current and previous periods. Over time, trends can be established that can aid in the analysis. The trends will help the organization determine what steps need to be accomplished to increase the overall security posture, decrease the impact and likelihood of the threats, and decrease the risk to the organization. Specific attention should be given to security elements where the threat index scores are high and the capability is low. This gap creates additional business risk that should be mitigated.

The last step is to develop a risk mitigation plan and ensure that the plan is tied to the security strategic plan. The strategic plan and its projects are based on the risk and the targeted security objectives. Conflicts between risk mitigation projects and compliance efforts may be uncovered during the analysis. Management will need to reconcile these differences and decide on a course of action. When allocating resources, top priority should be given to items with unacceptably high risk rankings. These areas will require immediate risk mitigation to protect the organization's interests and mission. The objective is to minimize the overall risk to the organization.

The risk mitigation plan should include capability risk level, recommended control to be implemented, prioritization of controls, resources needed for implementation, start and projected end dates, and ongoing maintenance and operation requirements. Ideally, the risk assessment will be repeated quarterly to track progress with the risk mitigation plan. The risk statement should show the trends for the objective capability and threats. The colors under the element column indicate the current risk level for the specific element. The color (red, yellow, or green) under the goal column indicates the gap between the current capability and the capability goal for the current budget period. The red arrows correspond to a negative change (decreased capability or increased threat) and the white arrows correspond to a positive change. Discussion should take place with the security team to evaluate if the risk can be reduced with the current projects or if a change is required.

Knowledgeable and credentialed security professionals need to discuss information security risk issues on a regular basis. With limited resources and budgets, it is important to determine risk and the compensating controls that reduce it. A sample quarterly risk report shows the changes in risk and communicates these changes to senior management. The capability level has three lines. The inner line (blue) shows the current capabilities, the middle line (red) shows the estimated growth in capability for the current budget year, and the outer line (black) shows the desired long-term capability goal for each security element. The threat index score shows the current threats for each security element. These graphs are calculated after the team enters the capability and threat scores. Each risk statement (identified by O1, C1, F1, S1, etc.) and each security element are plotted on the risk chart based on their individual risk scores. The security element lines use the same key as the capability level. The changes in the capability level, threat index score, and risk score since the past period are shown in the middle box. This risk report gives management a good overview of the current risk, trends, and gaps in the security program and should be used for discussion regarding strategy and risk mitigation plans.
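The scoring rules above (three-point likelihood and impact, one point per CIA relationship, a base threat index of 3 to 9, an optional extra risk factor of 0.1 to 0.5, a five-level capability scale) and the bottom-up view through the O/C/F/S risk statements are enough to build a small scoring tool. The following is an added example, not code from the article or from the UW program. The article's per-element threat and capability formulas and its risk formula are not reproduced on the page, so the aggregation used here (mean weighted index per element, risk = threat score divided by capability level, risk statement score = mean over its correlated threats) is an assumption, marked as such in each docstring. The two element names, three threats, capability levels and period-to-period changes are constructed sample data.

```python
"""Added example (not the article's or the UW program's own code): scoring the
threat index from the rules the article states (three-point likelihood and impact,
one point per CIA relationship, base index 3..9, optional extra factor 0.1-0.5)
and combining it with a five-level capability. Aggregation formulas the article
leaves to its figures are labelled as assumptions in the docstrings."""
from dataclasses import dataclass, replace
from statistics import mean

LEVEL = {"low": 1, "medium": 2, "high": 3}   # three-point scale from the article


@dataclass(frozen=True)
class Threat:
    name: str
    element: str                 # security element the threat is scored under
    likelihood: str              # low / medium / high
    impact: str                  # low / medium / high
    cia: frozenset               # which of C, I, A the threat relates to
    risk_statements: frozenset   # ERM risk statement ids it is correlated to (O1, C1, ...)
    extra_factor: float = 0.0    # optional additional risk factor, 0.1..0.5

    def base_index(self) -> int:
        """Likelihood + impact + one point per CIA relationship; always 3..9."""
        if not self.cia or not self.cia <= {"C", "I", "A"}:
            raise ValueError(f"{self.name}: cia must be a non-empty subset of C/I/A")
        return LEVEL[self.likelihood] + LEVEL[self.impact] + len(self.cia)

    def weighted_index(self) -> float:
        """Assumption: the 1.0 risk factor plus any 0.1-0.5 extra multiplies the base index."""
        if not 0.0 <= self.extra_factor <= 0.5:
            raise ValueError(f"{self.name}: extra_factor must be between 0.0 and 0.5")
        return round(self.base_index() * (1.0 + self.extra_factor), 2)


def element_threat_score(threats, element) -> float:
    """Assumption: an element's threat score is the mean weighted index of its threats."""
    scores = [t.weighted_index() for t in threats if t.element == element]
    if not scores:
        raise ValueError(f"no threats scored for element {element!r}")
    return round(mean(scores), 2)


def element_risk_score(threat_score: float, capability: int) -> float:
    """Assumption: risk = threat score / capability (1..5), so it falls as capability rises."""
    if capability not in range(1, 6):
        raise ValueError("capability must be on the five-level scale 1..5")
    return round(threat_score / capability, 2)


def risk_statement_scores(threats, capability) -> dict:
    """Bottom-up check. Assumption: a risk statement scores the mean of
    weighted index / element capability over the threats correlated to it."""
    contrib = {}
    for t in threats:
        for rs in t.risk_statements:
            contrib.setdefault(rs, []).append(t.weighted_index() / capability[t.element])
    return {rs: round(mean(v), 2) for rs, v in sorted(contrib.items())}


def period_report(threats, capability) -> dict:
    """One assessment period: per-element scores plus the per-risk-statement view."""
    rows = {}
    for e in sorted(capability):
        ts = element_threat_score(threats, e)
        rows[e] = {"capability": capability[e], "threat": ts,
                   "risk": element_risk_score(ts, capability[e])}
    return {"elements": rows, "statements": risk_statement_scores(threats, capability)}


def trend(previous: dict, current: dict) -> dict:
    """Change per element since the last period: a capability drop or a threat/risk rise
    is the negative (red arrow) case in the article's report."""
    out = {}
    for e, cur in current["elements"].items():
        prev = previous["elements"].get(e, cur)
        out[e] = {k: round(cur[k] - prev[k], 2) for k in ("capability", "threat", "risk")}
    return out


# Constructed sample: two element names, three threats and four risk statement
# ids (O1, C1, F1, S1, as in the article's report) chosen for illustration only.
CURRENT_THREATS = [
    Threat("credential theft via phishing", "Access Control", "high", "high",
           frozenset("CI"), frozenset({"O1", "C1"})),
    Threat("stale accounts of former employees", "Access Control", "medium", "medium",
           frozenset("C"), frozenset({"C1"}), extra_factor=0.2),
    Threat("delayed breach detection", "Incident Management", "medium", "high",
           frozenset("CIA"), frozenset({"F1", "S1"})),
]
CURRENT_CAPABILITY = {"Access Control": 2, "Incident Management": 4}
# Previous quarter (constructed): phishing likelihood was medium, incident capability was 3.
PREVIOUS_THREATS = [replace(CURRENT_THREATS[0], likelihood="medium")] + CURRENT_THREATS[1:]
PREVIOUS_CAPABILITY = {"Access Control": 2, "Incident Management": 3}

if __name__ == "__main__":
    print(period_report(CURRENT_THREATS, CURRENT_CAPABILITY))
    print(trend(period_report(PREVIOUS_THREATS, PREVIOUS_CAPABILITY),
                period_report(CURRENT_THREATS, CURRENT_CAPABILITY)))
```

Running the module prints the current period's element and risk statement scores and the deltas since the previous period; in the sample, Access Control shows a rising threat and risk score with unchanged capability (the red arrow case), while Incident Management's risk drops because its capability improved from 3 to 4. Keeping the assumed formulas in one place makes the consistency the article asks for easy to enforce: every quarter is scored by the same code against documented inputs.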

The security industry needs to begin thinking outside the box, selecting different security strategies directed at mitigating information security risks and identifying risk mitigation methods that will be successful against current adversaries. Enterprise information security cannot be solved by technology alone or by dependence on perimeter defenses that assume the adversary can be kept out of the enterprise. The resolution to the problem will require a comprehensive security program that incorporates risk management as the driving force for the strategy. The status quo is no longer acceptable, and our industry must change its practices and adopt concepts such as assumption of breach, active response, capability and attack intelligence analysis, and targeted discussions about the attack vectors and patterns used by our adversaries as part of its risk management strategy.

Cris V. Ewell is director of information security operations, Office of the CISO, University of Washington. Send comments on this article to [email protected].
