Earlier in this series, we have defined risk as the possibility or chance that a threat agent would exploit an identified vulnerability to gain access, compromise security, or cause some sort of damage. One of your main responsibilities as a security officer is to train and help the people in your organization to learn how to identify sources of potential risks, and how to deal with them in order to eliminate or at least reduce that risk. In this article, we will discuss Risk Management ; an important and essential topic that you should not miss.
What is Risk Management?
Risk Management can be defined as the operation of identifying, evaluating, and mitigating risks. The result of such an operation should be eliminating, minimizing, or at least reducing the risk to an acceptable level.
As it is said: nothing is ideal in this life, it is the same with security. A hundred percent fully-secure environment is a mere theory. If you could manage to fully-secure the borders of your network, your system, your building, your campus, or premises so that nobody could ever attack it from outside (of course, this is not a realistic world ), it can still be attacked from the inside, by it’s own citizens. And if you could theoretically prevent such insiders from attacking from inside, you can never prevent them from making mistakes; remember, we are humans, and nothing is ideal. Even more, consider the Utopian case that no attacks will come either from the outside or from the inside. Could you prevent an earthquake from occurring, destroying your company’s HQ or main data center, and burying under ruins all critical and valuable data and/or assets?
As the answer is certainly no, risks can’t be eliminated in most cases. However, they can be reduced to a level that is agreed to be tolerated by the organization.
Types of Risks
– In the above example, you talked about earthquake. Should we also take precautions for risks coming from natural disasters?!
In fact, yes. Risks to manage are not only the ones related to computer systems. There are many types of risks that an organization must care about. The following lists the main risk types:
- Natural Disasters: like earthquakes, floods, and volcanoes.
- Physical Issues: like power problems (blackout, surges, and spikes), water leakage, and insufficient air conditioning.
- Vandalism.
- Attacks from inside and outside.
- Hardware Failures.
- Human mistakes.
- Software errors: like bugs and insufficient validation.
Assets and Asset Value
Before going into the details of the risk management process, we need to understand two new important terms: Asset, and its value.
Assets
A resource with an economic value that belongs to the organization and should be protected is considered an asset.
Assets can be divided to several categories such as:
- Fixed (long-term) Assets: like buildings, furniture, and hardware.
- Computer-related: like network share, computer data file, a database table.
- Human Resources: the company staff; considered to be the most valuable asset.
- Intangible: like goodwill.
Asset Value
A quantitative evaluation of an asset in terms of money.
Risk Assessment
Supported and sponsored by the top management, the risk analysis process is performed to identify the weaknesses (vulnerabilities), the threats that exploit them, and the resulting risk.
List of Vulnerabilities and Threats
The output of the risk assessment step will be a detailed list of existing vulnerabilities and the potential threats. As mentioned earlier in this article, risks are not only the ones related to computers and IT. Therefore, the operation of identifying vulnerabilities and threats may require participants from different departments including of course the IT and the security team. The resulting list could be something like the following table:
|
Vulnerability |
Threat Agent |
Risk |
|
Absence of Antivirus |
Viruses and worms |
Infection |
|
Missing patches |
Viruses and worms |
Infection |
|
Using Insecure Protocols like telnet and ftp. |
Hacker |
Capturing traffic and extracting credentials. |
|
Insufficient Validation in developed applications |
Hacker |
Gain access to database. Launch DOS attack. |
|
No or insufficient security awareness for users. |
Hacker |
Using social engineering techniques to deceive users and steal important data. |
|
Absence of or insufficient Fire Alarms |
Fire |
Damage of building, equipments. |
Each vulnerability, threat, and the resulting risk must be studied and analyzed in details to assess the amount of damage, and the possible solutions/countermeasures to use in order to reduce the risk to an acceptable level.
Such processes are called Risk Analysis, which will be the topic of the next article.
Summary
- Risk Management is the operation of identifying, evaluating, and mitigating risks.
- 100% elimination of risk is impossible. In most cases, risk is reduced to an acceptable level.
- Risks could be due to natural disasters, physical problems like electricity and air-conditioning, attacks from inside or outside the establishment, human mistakes, hardware failures, or software bugs.
- Any valuable resource with economic value that belongs to the organization is considered an asset.
- The risk assessment process aims to identify the existing vulnerabilities and threats that may exploit them to cause a risk.
I hope you find this article useful. See you in the next one.
