Editor's note: This is part of a series on achieving cybersecurity readiness. Part one of this series looked at...
the concept of cybersecurity readiness and proposed seven elements or objectives as fundamentals for achieving that state. Part two examines the first element on that list: building a cybersecurity plan. Part three focuses on the technology aspects of information security architecture.
The premise of this series on cybersecurity readiness was that there are fundamental cybersecurity objectives that organizations have to meet to consider themselves cybersecurity ready. Cybersecurity readiness was defined in part one as the state of being able to detect and effectively respond to computer security breaches and intrusions, malware attacks, phishing attacks and theft of data and intellectual property from both outside and inside the network.
This article addresses risk primarily as it affects information and information systems. Protecting information is a business problem where the solution is much more than deploying technology like firewalls and antivirus gateways and hoping for the best. Businesses must take a proactive approach to identifying and protecting their most important assets, including information, information technology and critical business processes. Information security risk management allows an organization to evaluate what it is trying to protect, and why, as a decision support element in identifying security measures. A comprehensive information security risk evaluation should allow an organization to evaluate its security needs and risks in the context of its business and organizational needs.
It is important to keep in mind that the purpose of information systems and the data they contain is to support businesses processes that in turn support the mission of the organization. In a very real sense, information is a foundational element that supports the business and its mission and contributes to the ability of an organization to sustain operations.
According to the OCTAVE risk assessment methodology from the Software Engineering Institute at Carnegie Mellon University, risk is: "The possibility of suffering harm or loss." Threat is a component of risk and can be thought of as: A threat actor -- either human or non-human -- takes some action, such as identifying and exploiting a vulnerability, that results in some unexpected and unwanted outcome, i.e., loss, modification or disclosure of information or loss of access to information. These outcomes have negative impacts on the organization. These impacts may include: Loss of revenue or customers, loss of market differentiation, the costs of incident response and recovery and the cost of paying fines and regulatory penalties.
Components of information security risk
Information security risk has several important components:
- Threat actor: Human or non-human entity that exploits a vulnerability;
- Vulnerability: That which the threat actor exploits;
- Outcomes: The result of exploiting a vulnerability; and
- Impact: Consequences from the unwanted outcomes. Do not confuse outcomes with impacts.
The final, and most important, component of information security risk is the asset -- information, process, technology -- that was affected by the risk. Assuming that the asset at risk cannot be eliminated, the only component of information security risk that can be controlled is the vulnerability. There are only a few things that can be done to control a vulnerability:
- Eliminate the vulnerability. If it does not exist, then it cannot be exploited;
Or, if the vulnerability cannot be eliminated:
- Reduce the probability of exploitation of the vulnerability;
- Reduce the severity of the impact resulting from exploitation of the vulnerability; or
- Do nothing, accept the risk.
A problematic case is that of the zero-day vulnerability, where, by definition, an organization cannot protect itself against the specific outcomes and impacts of that unknown vulnerability and does not have the opportunity to create strategies to reduce probability and impact.
Information security risk management, therefore, is the process of identifying, understanding, assessing and mitigating risks -- and their underlying vulnerabilities -- and the impact to information, information systems and the organizations that rely upon information for their operations. In addition to identifying risks and risk mitigation actions, a risk management method and process will help:
- Identify critical information assets. A risk management program can be extended to also identify critical people, business processes and technology.
- Understand why the chosen critical assets are necessary to operations, mission accomplishment and continuity of operations.
In order to meet the cybersecurity objective of risk management as a component of cybersecurity readiness, an organization must build a robust information security risk assessment and management program. If an enterprise risk management (ERM) program already exists, an information security risk management program can support the ERM process.
Resources for building an information security risk management program include:
- NIST Special Publication 800-39, Managing Information Security Risk
- NIST Special Publication 800-30, Guide for Conducting Risk Assessments
Other elements that support an information security risk management program include:
- an asset management program,
- a configuration management program, and
- a change management program. These programs will be discussed in the next article in this series.
Find out how to address the risks of major password breaches
Read about ways to prevent privilege creep and keep access roles secure
Learn more about risk management in this CISSP Essentials Security School presentation