
How to define an acceptable level of risk

Even though management is responsible for defining an organization's acceptable level of risk, the security practitioner should understand the process and be able to illustrate to management how underlying security threats can negatively affect business objectives.

In this installment of the Risk Management Guide, Shon Harris explains how to use threat modeling to define an organization's acceptable level of risk.

It is management's responsibility to set the company's level of risk. As a security professional, it is your responsibility to work with management and help them understand what it means to define an acceptable level of risk. Each company has its own acceptable risk level, which is derived from its legal and regulatory compliance responsibilities, its threat profile, and its business drivers and impacts. This article explains how to go about defining an acceptable level of risk based on a threat profile and business drivers. (Later in this series I will cover legal and regulatory compliance specifications.)



Defining the company's acceptable risk level falls to management because they intimately understand the company's business drivers and the corresponding impact if these business objectives are not met. Also, it is management's ultimate responsibility to ensure that the company meets these business objectives and goals. As a security professional, it is your job to illustrate to management how underlying security threats can negatively affect business objectives, as shown in the following graphic.

It is important to understand the symbiotic relationship between business drivers and the security issues that can affect them. A company is not in business to be secure; it is in business to be profitable. A security professional may be an expert in firewalls, vulnerability management and IDS technologies, but if that knowledge is applied in a vacuum devoid of business goals, the company will waste money and time on its security efforts. As illustrated in the following figure, each party (security professional and business professional) must apply its own expertise and work with the other to understand security and business holistically. Failure to identify and document business drivers and processes is the main reason that mapping security to business drivers is difficult and is usually not carried out properly.

A company needs to recognize its top 5-8 business threats that can cause the most impact. For profit-driven companies, threats usually correspond to revenue sources. The following are common threats that companies are faced with:

  1. Negative effects on reputation in the market
  2. Loss of market share to competitors
  3. Loss of customer confidence
  4. Loss of revenue streams
  5. Criminal and civil legal issues
  6. Loss of trade secrets and sensitive information

For non-revenue-driven organizations, such as the NSA and DoD, threats are not business-driven. These organizations' top threats could be:

  1. Loss of the ability to protect the nation from nuclear and/or terrorist attacks
  2. Loss of top secret information to the nation's enemies
  3. Loss of communication with distributed military bases and troop units
  4. Loss of the ability to tap into the enemy's communication channels
  5. Loss of the ability to dispatch emergency crews

The security team should have an understanding of what is most critical to the organization to ensure that the most critical items are appropriately prioritized and protected. This information is also used to understand what attackers and enemies are most likely to attack and compromise. This information is captured in the organization's threat profile.

The threat modeling process

The term "threat modeling" is mainly used in application security. It is a process to identify threats that can impact a software program so that the application architects and developers can implement the necessary controls to thwart the identified threats. The same exercise is carried out for an organization. The resulting threat profile is used to define the company's acceptable risk level. This level is then used as the baseline to define "enough security" for all future security efforts within the company.

Threat modeling entails looking at an organization from an adversary's point of view. You must understand your adversaries' goals and motives if you want to implement the correct countermeasures to stop them. Threat modeling uses a methodical thought process to identify the most critical threats a company needs to be concerned with. The results of a threat modeling exercise are used to justify and integrate security at an architectural and implementation level. Threat modeling allows you to construct a structured and disciplined approach to address the top threats that have the greatest potential impact to the company as a whole.

The key in threat modeling is to understand the company's threat agents. For example, the NSA has a large range of dedicated and funded adversaries set on defeating the agency's security measures. Foreign adversaries attempt to break the encryption used to protect communication channels, NSA employees are targeted for social engineering attacks and perimeter devices are under constant attack. If any of the identified threats is realized, the impact on national security can be devastating.

For most organizations, this is where threat modeling stops and a vulnerability assessment begins. You understand your enemy types and goals and corresponding threats at a high level, and then identify the vulnerabilities that these enemies can use against the company. In most cases the threat profile is not actually documented but understood at an intuitive level. This knowledge is then used throughout all risk management processes.

The objective is to determine the overall level of risk that the organization can tolerate for the given situation. The risk acceptance level is the maximum overall exposure to risk that should be accepted, based on the benefits and costs involved. If the responses to risk cannot bring the risk exposure to below this level, the activity will probably need to be stopped. So, once the acceptable risk level is set for a company, a risk management team is identified and delegated the task of ensuring that no risks exceed this established level.
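The comparison described above, a register of risks drawn from the threat profile checked against the level management has set, as an added example in Python that is not part of the original article. The 1-5 likelihood and impact scale, the exposure formula (likelihood times impact), the way controls are modelled as a fractional reduction in likelihood, the acceptable level of 8 and the sample register for a hypothetical retailer are all assumptions made for the illustration; the article defines the acceptable level as the maximum overall exposure to be tolerated but prescribes no particular scoring formula.

```python
from dataclasses import dataclass, field


@dataclass
class Risk:
    """One entry in the risk register, tied back to a top business threat."""
    activity: str            # business activity or asset at risk
    threat_agent: str        # who the threat profile says will attack it
    business_threat: str     # which of the company's top business threats it maps to
    likelihood: int          # 1 (rare) .. 5 (near certain), before controls (assumed scale)
    impact: int              # 1 (negligible) .. 5 (devastating) (assumed scale)
    controls: dict = field(default_factory=dict)  # control name -> likelihood reduction, 0.0..1.0

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.activity}: likelihood and impact must be 1..5")
        for name, reduction in self.controls.items():
            if not 0.0 <= reduction <= 1.0:
                raise ValueError(f"{self.activity}: control {name!r} reduction must be 0..1")

    def inherent_exposure(self) -> int:
        # Exposure before any response to the risk.
        return self.likelihood * self.impact

    def residual_exposure(self) -> float:
        # Assumption: each control independently removes a fraction of the likelihood;
        # impact is left untouched, since a breach that does occur still hurts as much.
        remaining = 1.0
        for reduction in self.controls.values():
            remaining *= 1.0 - reduction
        return round(self.likelihood * remaining * self.impact, 2)


def evaluate_register(register, acceptable_level):
    """Compare every risk's residual exposure with the acceptable level.

    Returns entries sorted from highest to lowest residual exposure, so the
    top of the list is what the security team should protect first. A risk
    whose residual exposure still exceeds the level is flagged for management:
    either more treatment is needed or the activity has to stop.
    """
    rows = []
    for risk in register:
        residual = risk.residual_exposure()
        rows.append({
            "activity": risk.activity,
            "threat_agent": risk.threat_agent,
            "business_threat": risk.business_threat,
            "inherent": risk.inherent_exposure(),
            "residual": residual,
            "decision": "accept" if residual <= acceptable_level
                        else "exceeds level: treat further or stop",
        })
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


# Constructed sample register for a hypothetical online retailer; the figures are illustrative.
SAMPLE_REGISTER = [
    Risk("Online order processing", "organized card-fraud groups", "Loss of revenue streams",
         likelihood=4, impact=5, controls={"tokenized card storage": 0.5, "fraud screening": 0.3}),
    Risk("Customer database", "opportunistic external attackers", "Loss of customer confidence",
         likelihood=3, impact=5, controls={"perimeter firewall": 0.2}),
    Risk("Product design documents", "departing insiders", "Loss of trade secrets and sensitive information",
         likelihood=2, impact=5, controls={"data-loss prevention": 0.3}),
    Risk("Marketing website", "defacement hobbyists", "Negative effects on reputation in the market",
         likelihood=3, impact=2),
]

# Assumption: management has set 8 (out of a possible 25) as the maximum exposure it will tolerate.
ACCEPTABLE_LEVEL = 8


if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_REGISTER, ACCEPTABLE_LEVEL):
        print(f"{row['residual']:>5} (inherent {row['inherent']:>2})  "
              f"{row['activity']:<26} {row['decision']}")
```

Running it lists the customer database first: its one control leaves a residual exposure of 12, above the level of 8, so it goes back to management for further treatment or a decision to stop the activity, while the other three risks fall at or below the level and are accepted. The point of the structure, rather than the particular numbers, is that every register entry names the threat agent and the business threat it maps to, which is what lets the security team justify a control in terms management recognizes.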

To return to our example, the NSA's threat profile is at a heightened level because of its sheer number of threat agents and extremely low level of risk acceptance. The answer to, "How much is enough security?" for the NSA is extensive, expensive and robust security.



  Introduction: Understanding risk
  An overview of the risk management process
  How to define an acceptable level of risk
  How to write an information risk management policy
  How to implement an effective risk management team
  Information risk management: Defining the scope, methodology and tools
  How to conduct a risk analysis
  How to deal with risk

About the author
Shon Harris is a CISSP, MCSE and President of Logical Security, a firm specializing in security educational and training tools. Shon is a former engineer in the Air Force's Information Warfare unit, a security consultant and an author. She has authored two best selling CISSP books, including CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is also the co-author of Gray Hat Hacking: The Ethical Hacker's Handbook.


This was last published in April 2006
