Risk management is a fundamental requirement of information security. Without it, the safety of the information or system cannot be assured. In information security, risk is a variable that must be understood in order to build cost-effective solutions that minimize negative risks with the least impact on usability and cost. Risks are often uncertain, misunderstood, and change with circumstances. Risk management provides a way to understand and handle risks in a manner that works for security, IT, and the business. It creates a common language for identifying, assessing, and understanding potential threats and vulnerabilities while identifying means for mitigating, accepting, or avoiding the risk.
However, one reason we have difficulty explaining risks to our users is that many security practitioners hold an unrealistic view of risk because we use an overly complex risk equation. It typically contains variables for threats, vulnerabilities, and mitigation. This isn't how people naturally think.
Security guru Bruce Schneier described this disconnect between users and security staff in an article published last year entitled, "People understand risks -- but do security staff understand people?" He described how the way people think about risk works for people but can cause failures for security: "They know what the real risks are at work, and that they all revolve around not getting the job done… The risks of not following security procedures are much less real."
Besides the disconnect with average users, there's another argument against a complex risk equation: the difficulty of quantifying the variables. Is it possible to put an accurate number to a threat or vulnerability? The numbers used in these cases tend to be biased based on the perspective of the assessor. If it's something they are familiar with or feel strongly about, they will always rank it high. Plus, the value of a threat or vulnerability is variable based on the use or user. For example, if your CEO has a keylogger on his PC, then this is a huge risk. However, for most line employees, there won't be as much damage if there is an incident. This fact is rarely a consideration when quantifying threats or vulnerabilities in a risk equation.
The risk equation I use is quite simple: risk equals impact multiplied by probability, weighed against cost: Risk = Impact × Probability / Cost. Impact is the effect on the organization should a risk event occur. Probability is the likelihood that the event occurs within a given timeframe. Cost is the amount it takes to mitigate or reduce the risk to an acceptable level. This risk equation is how people naturally assess risks; in its simplicity lies its usability.
When assessing risks in this way, it helps to use a scale of one to five for the impact, probability, and cost variables. While it's subjective, it allows for some quantification of the risks in an easy-to-understand fashion. This also allows for the prioritization of the risks based on their total values.
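As an added example (not part of the original column), the following Python helper applies the Risk = Impact × Probability / Cost formula on the one-to-five scale and ranks a small risk register; the risk names and their ratings are constructed for illustration, including the keylogger-on-CEO versus line-employee case from above.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # the column's one-to-five scale for each variable


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int       # effect on the organization if the event occurs (1-5)
    probability: int  # likelihood of the event within the timeframe (1-5)
    cost: int         # cost to mitigate the risk to an acceptable level (1-5)

    def __post_init__(self):
        # Reject ratings outside the scale so a typo cannot distort the ranking
        for field in ("impact", "probability", "cost"):
            value = getattr(self, field)
            if value not in SCALE:
                raise ValueError(f"{field} must be 1-5, got {value}")

    def score(self) -> float:
        # Risk = Impact x Probability / Cost
        return self.impact * self.probability / self.cost


def prioritize(risks):
    # Highest score first; ties broken by higher impact, then by name for stable output
    return sorted(risks, key=lambda r: (-r.score(), -r.impact, r.name))


# Constructed sample register (hypothetical ratings, not measured data)
SAMPLE_RISKS = [
    Risk("Keylogger on CEO PC", impact=5, probability=2, cost=2),
    Risk("Keylogger on line-employee PC", impact=2, probability=2, cost=2),
    Risk("Malicious websites reachable from browsers", impact=4, probability=4, cost=2),
    Risk("Unpatched kiosk in lobby", impact=3, probability=3, cost=5),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.score():5.2f}  {r.name}")
```

The same keylogger threat scores 5.0 for the CEO and 2.0 for a line employee, which is the per-user variation the column says a threat-centric equation tends to miss.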
When we identified a risk associated with Web browsing, this simple risk equation helped to influence a human resources director to take action. We needed the HR director to weigh in on the decision to block certain malicious websites, and I explained the problem to her. Without any prompting from me, she used the risk equation to understand the impact, the likelihood of the risk, and the cost of implementation, and ultimately agreed to our security measures. The simple risk equation allowed security to partner with the business and close a potential vulnerability.
By using this simple risk equation, we can solve the conundrum described by Bruce Schneier. Through its simplicity, security staff can understand people by better understanding the true risks to an organization. And by working together, we all become stronger.
Ron Woerner is a security analyst at a large architecture and engineering firm in the Midwest. Send comments on this column to firstname.lastname@example.org.